Product: TIBCO Spotfire®
Is it possible to remove from Spotfire user directory a group of users that was created using LDAP group synchronization configuration that does not use "filter users by groups" option?
When LDAP group synchronization is used with "filter users by groups" option enabled, one only needs to remove a group with these users from the list of synchronized LDAP groups (in Spotfire Server Config Tool). This action will disable all members of that group in Spotfire during next LDAP synchronization. Once users are disabled, running command delete-disabled-users will remove them from Spotfire user directory.
When LDAP group synchronization is used without "filter users by groups" option enabled, it's still possible to remove a large group of users, but the process is different:
1. Query Spotfire Server database to retrieve all users in a specific LDAP domain:
select USER_NAME from [spotfire-schema].USERS where DOMAIN_NAME = [ldap-domain]
Extract this list of users into a text file.
2. Insert a list of users that need to be deleted into a new batch file, replacing [db_username] with each user's user_name:
config enable-user -t [spotfire-config-tool-password] --user-name=[db_username] --enable=false
This will create a batch command file with enable-user command for each user on a single line. Here is a short example:
@echo off echo Running script... call config enable-user -t spotfire123 --username=user1 --enabled=false call config enable-user -t spotfire123 --username=user2 --enabled=false echo end of script
3. Open command prompt on Spotfire Server machine, switch to [Spotfire-Server-Home]\tomcat\spotfire-bin\ directory and execute the script above. The output should look something like this:
Running script... Successfully update the status of user 'SPOTFIRE\user1' to enabled: false Successfully update the status of user 'SPOTFIRE\user2' to enabled: false end of script
The result is all user accounts in the batch file are now "disabled".
4. Run the following command to remove all disabled users:
config delete-disabled-users -a false -m false -p false -l false
Further information on delete-disabled-users command can be found here:
Additional information on LDAP Group Synchronization: