How to completely remove user details from UNAB

Document ID : KB000018779
Last Modified Date : 14/02/2018

Description:

User details are still visible in uxconsole -manage -show -user <user_id> even after <user_id> has been removed from both Active Directory and the local enterprise database.

Solution:

When a user is deleted from UNAB, the user may have been removed from the Active Directory user store as well as from the UNIX local database (LDAP and/or /etc/passwd), but UNAB keeps the user cached until the next time someone attempts to log in as that user or until the UNAB cache is cleared.

This means that, even though the user is deleted and it is no longer possible to log in to the endpoint as that user, any call to uxconsole -show -detail -user <user_id> will still return the cached information, which includes a wealth of user details.

For instance:

/opt/CA/uxauth/bin/uxconsole -manage -show -detail -user myuser

CA ControlMinder UNAB uxconsole v12.62.0.632 - console utility

Copyright (c) 2010 CA. All rights reserved.


USER 'myuser' information
----------------------------------------------------
Type               : Local User
Local Account      : Enabled
Uid                : 666407
Gid                : 50023(basis)
Shell              : /usr/bin/ksh
Home Directory     : /home/myuser
Gecos              : Test user
Unix Groups        : 50023(basis)
All Groups         : myuser@ca.com

The stale entry persists for as long as nobody tries to log in as that user. Because the output above discloses account details that could be of value to an attacker, it is possible to clear that information from the cache sooner by following this procedure:

  • Verify that the user is present in the cache: /opt/CA/uxauth/bin/uxconsole dbdump pw | grep myuser
  • Stop UNAB at the endpoint: /opt/CA/uxauth/bin/uxauthd -stop
  • Rename or delete the nss.db and wgrp.db files under /opt/CA/uxauth/etc (these are the cache files)
  • Restart UNAB: /opt/CA/uxauth/bin/uxauthd -start. Initialization will take some time, as UNAB will again pull users from the user store
  • Verify that the deleted user is no longer in the cache and is no longer returned by uxconsole -manage -show myuser
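The procedure above as a single script, added here as an example and not part of CA's tooling or this article. It assumes the default install under /opt/CA/uxauth (override with UXAUTH_HOME), the command forms quoted in this article, an assumed WAIT_SECS for re-initialization, and that the "USER '<id>' information" header is only printed when uxconsole still finds the user; it moves the cache files aside instead of deleting them so they can be restored if re-initialization fails.

```shell
#!/bin/sh
# Added example: purge a deleted user's cached entry from UNAB.
# Assumptions: install under $UXAUTH_HOME, command syntax as quoted in the KB,
# WAIT_SECS is enough time for uxauthd to repopulate the cache.
UXAUTH_HOME="${UXAUTH_HOME:-/opt/CA/uxauth}"
WAIT_SECS="${WAIT_SECS:-60}"

# True if the login name appears as a whole word in the dbdump output on stdin
# (-w keeps "myuser" from matching "myuser2").
cache_has_user() {
    grep -q -w -- "$1"
}

# Move nss.db and wgrp.db out of $1 into a timestamped directory rather than
# deleting them, so the cache can be restored if re-initialization fails.
# Prints the backup directory; missing cache files are simply skipped.
backup_cache_files() {
    etc_dir="$1"
    backup_dir="$etc_dir/cache-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir"
    for f in nss.db wgrp.db; do
        if [ -f "$etc_dir/$f" ]; then mv "$etc_dir/$f" "$backup_dir/"; fi
    done
    echo "$backup_dir"
}

# Full procedure for one user id. Returns 0 when the user is gone from the cache.
purge_cached_user() {
    user="$1"; bin="$UXAUTH_HOME/bin"
    if [ ! -x "$bin/uxconsole" ]; then echo "uxconsole not found in $bin"; return 2; fi
    if ! "$bin/uxconsole" dbdump pw | cache_has_user "$user"; then
        echo "$user is not in the UNAB cache; nothing to do"; return 0
    fi
    "$bin/uxauthd" -stop
    backup_dir=$(backup_cache_files "$UXAUTH_HOME/etc")
    echo "cache files moved to $backup_dir"
    "$bin/uxauthd" -start
    sleep "$WAIT_SECS"   # assumed: re-initialization from the user store takes this long
    if "$bin/uxconsole" -manage -show -user "$user" | grep -q "USER '$user' information"; then
        echo "$user is still cached; check $backup_dir and the uxauthd log"; return 1
    fi
    echo "$user is no longer in the UNAB cache"
}

# Run the procedure only when a user id is given on the command line.
if [ $# -eq 1 ]; then purge_cached_user "$1"; fi
```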