User details are still visible in uxconsole -manage -show -user <user_id> even after <user_id> after being removed from both Active Directory
and the Local Enterprise database.
When deleting a user from UNAB, even though the user may have been deleted from both Active Directory User store, as well as the UNIX local database (LDAP
and/or /etc/passwd); the user will still be cached for UNAB until the next time the user attempts to log in or until the UNAB cache is cleared.
This means that, even if the user is deleted, and even though it will not be possible to log in to the endpoint as that user, any call to uxconsole -show
-detail -user <user_id> will return the cached information, which includes a wealth of user details.
/opt/CA/uxauth/bin/uxconsole -manage -show -detail -user myuser
CA ControlMinder UNAB uxconsole v220.127.116.112 - console utility
Copyright (c) 2010 CA. All rights reserved.
USER 'myuser' information
Type : Local User
Local Account : Enabled
Uid : 666407
Gid : 50023(basis)
Shell : /usr/bin/ksh
Home Directory : /home/myuser
Gecos : Test user
Unix Groups : 50023(basis)
All Groups : email@example.com
The situation will last for as long as nobody tries to log in as that user. However, if we want to clear that information from the cache, due to the
potential risk of compromising information that the above result might represent, it is possible to do so by following this procedure:
Verify that the user is present in the cache: /opt/CA/uxauth/bin/uxconsole dbdump pw | grep myuser
Stop UNAB at the endpoint: /opt/CA/uxauth/bin/uxauthd -stop
Rename or delete the nss.db and wgrp.db files under /opt/CA/uxauth/etc. These are the cache files
Restart UNAB: /opt/CA/uxauth/bin/uxauthd -start. Initialization will take some time as it will again pull users from the user store
Verify that the user which was deleted is no longer in the cache and it is not returning with uxconsole -manage -show myuser