Pivotal Knowledge Base


CF Operator is Unable to Remove a User from UAA when the Origin is LDAP

Environment

Pivotal Cloud Foundry® (PCF) 1.10, 1.11, 1.12

Symptom

After a user with LDAP origin is removed from UAA, the user reappears in UAA as soon as that user logs in successfully again via the CF CLI.

Steps to reproduce the issue:

1. The user with LDAP origin can be retrieved with UAAC

ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
id: 3d5e8ca2-eeaf-45a3-9b2e-5f477a6c01f3
meta
version: 0
created: 2017-11-21T02:11:14.000Z
lastmodified: 2017-11-21T02:11:14.000Z
name
familyname: example
emails:
-
value: exampleuser@user.from.ldap.cf
primary: false
groups:
-
value: c671a376-4427-41df-b806-ce519cc49006
display: approvals.me
type: DIRECT
......
-
value: ad068b47-5a62-4957-a637-552c74ed1b36
display: cloud_controller_service_permissions.read
type: DIRECT
-
value: 336f402f-c11e-4090-ae9e-c084b3816980
display: oauth.approvals
type: DIRECT
approvals:
active: true
verified: true
origin: ldap
schemas: urn:scim:schemas:core:1.0
externalid: cn=example user,dc=aliceldap,dc=com
username: exampleuser
zoneid: uaa
passwordlastmodified: 2017-11-21T02:11:14.000Z
lastlogontime: 1511230274378

2. Login with this user via the CF CLI is successful

[root@dev2 ~]# cf login
API endpoint: https://api.example.com
Email> exampleuser
Password>
Authenticating...
OK

3. Delete the user with UAAC

ubuntu@pivotal-ops-manager:~$ uaac user delete 'exampleuser'
user account successfully deleted

4. The user can no longer be retrieved via UAAC

ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
CF::UAA::NotFound: CF::UAA::NotFound

5. Login with this user via the CF CLI is still successful

[root@dev2 ~]# cf login
API endpoint: https://api.example.com
Email> exampleuser
Password>
Authenticating...
OK

6. The user can then be retrieved with UAAC again

ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
id: 3d5e8ca2-eeaf-45a3-9b2e-5f477a6c01f3
meta
version: 0
created: 2017-11-21T02:11:14.000Z
lastmodified: 2017-11-21T02:11:14.000Z
name
familyname: example
emails:
......
approvals:
active: true
verified: true
origin: ldap
schemas: urn:scim:schemas:core:1.0
externalid: cn=example user,dc=aliceldap,dc=com
username: exampleuser
zoneid: uaa

Cause 

If a user with LDAP origin has to be removed, the user must be deleted on the LDAP server side first and then deleted from UAA. Otherwise, the user's metadata in UAA is re-created automatically from the LDAP server on the next successful login via the CF CLI: UAA treats a successful LDAP bind as authority to provision the shadow user again.

Resolution

Remove the user with LDAP origin from the LDAP server first, then delete it from UAA.
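The following is an added example, not Pivotal or UAA code: a small Python model of the behaviour in the Cause and Resolution sections, in which a stand-in UAA re-provisions any origin=ldap user on a successful LDAP bind, and a guarded delete refuses to remove such a user from UAA while its DN still exists in LDAP. The directory entries, password and the Ldap/Uaa classes are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class UaaUser:
    username: str
    origin: str      # "uaa" for local users, "ldap" for shadow users created from an LDAP bind
    externalid: str  # LDAP DN of the shadow user, as shown by 'uaac user get'

class Ldap:
    """Stand-in for the LDAP server: username -> (dn, password). Constructed data, not a real directory."""
    def __init__(self, entries):
        self.entries = dict(entries)
    def bind(self, username, password):
        entry = self.entries.get(username)
        return entry[0] if entry and entry[1] == password else None  # DN on success, None otherwise
    def has_dn(self, dn):
        return any(entry_dn == dn for entry_dn, _ in self.entries.values())

class Uaa:
    """Stand-in for UAA: a successful LDAP bind re-creates a missing origin=ldap user (just-in-time provisioning)."""
    def __init__(self):
        self.users = {}
    def login(self, username, password, ldap):
        dn = ldap.bind(username, password)
        if dn is None:
            return False
        self.users.setdefault(username, UaaUser(username, "ldap", dn))
        return True

def guarded_uaa_delete(uaa, ldap, username):
    """Mirror the Resolution: refuse to delete an origin=ldap user from UAA while its DN still exists in LDAP."""
    user = uaa.users[username]
    if user.origin == "ldap" and ldap.has_dn(user.externalid):
        return False
    del uaa.users[username]
    return True

def offboard(remove_from_ldap_first):
    """Run the article's steps 2-5 and return True if the user is back in UAA after the final login attempt."""
    ldap = Ldap({"exampleuser": ("cn=example user,dc=aliceldap,dc=com", "s3cret")})  # constructed
    uaa = Uaa()
    uaa.login("exampleuser", "s3cret", ldap)          # step 2: first login creates the shadow user
    if remove_from_ldap_first:
        ldap.entries.pop("exampleuser")               # Resolution: remove from LDAP first ...
        guarded_uaa_delete(uaa, ldap, "exampleuser")  # ... then from UAA (now allowed)
    else:
        uaa.users.pop("exampleuser")                  # step 3: plain 'uaac user delete', LDAP untouched
    uaa.login("exampleuser", "s3cret", ldap)          # step 5: user tries 'cf login' again
    return "exampleuser" in uaa.users
```

offboard(False) reproduces the Symptom (the user is back after the re-login), while offboard(True) follows the Resolution order and the user stays gone.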

 
