User is still appearing after it has been deleted from Active Directory.
What does the deleted_check.sh script do? This script can be found here: /opt/quest/libexec/vas/scripts
RESOLUTION 1:
1 - Run the /opt/quest/libexec/vas/scripts/deleted_check.sh script
This covers deleting stale users, groups, netgroups, and nis maps from the cache. By stale we mean objects that have been removed from AD but are still in the cache locally.
RESOLUTION 2:
1 - Run the following command, replacing USERNAME with an account name in your environment:
/opt/quest/bin/vastool list -f user USERNAME
This forces a request to AD for the user object and removes the user from the cache if the object is not found.
Vas.conf Configurations:
Options can also be configured in vas.conf: /etc/opt/quest/vas/vas.conf
# Deleted-user check options
delusercheck-interval = <integer (minutes)>
Default 0
If you set delusercheck-interval on its own, vasd runs the default binary, /opt/quest/libexec/vas/vasd/delusercheck, at the configured interval in minutes. Note that this binary only removes stale users from the cache; it does not remove stale groups, netgroups or NIS maps.
You can, however, use delusercheck-interval in conjunction with delusercheck-script. When delusercheck-script is also set, vasd runs whichever script is named in that setting at the configured interval instead of the default binary. For example, the deleted_check.sh script noted above can be used, or a custom script.
delusercheck-script = /opt/quest/libexec/vas/scripts/deleted_check.sh
A common configuration is to use the two settings together, for example:
delusercheck-interval = 360
delusercheck-script = /opt/quest/libexec/vas/scripts/deleted_check.sh
For more information on these configuration settings, see the vas.conf man page by running the following command on any Unix or Linux system where Authentication Services is installed:
man vas.conf
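As an added check that is not part of this article or of the product, the following POSIX shell script reads the [vasd] section of a vas.conf and reports whether the periodic deleted-user check is enabled and, when a delusercheck-script is set, whether it is the absolute, executable path that vasd requires. The function names are assumptions; the default-binary path and the setting names are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the One Identity article or the product: audit the
# [vasd] section of a vas.conf to confirm the periodic deleted-user check is on
# and that any custom delusercheck-script is an absolute, executable path.
# Usage: sh check_delusercheck.sh /etc/opt/quest/vas/vas.conf

# Print the value of KEY ($2) from the [vasd] section of CONF ($1); nothing if unset.
vasd_option() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_vasd = ($0 ~ /^[[:space:]]*\[vasd\]/); next }
        /^[[:space:]]*[#;]/ { next }
        in_vasd && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }' "$1"
}

# Report the effective deleted-user check configuration.
# Returns 0 when the check is enabled and valid, non-zero otherwise.
check_delusercheck() {
    conf="$1"
    interval=$(vasd_option "$conf" delusercheck-interval)
    script=$(vasd_option "$conf" delusercheck-script)
    case "$interval" in
        ''|0)     echo "disabled: delusercheck-interval is unset or 0 (the default)"; return 1 ;;
        *[!0-9]*) echo "invalid: delusercheck-interval '$interval' is not a number of minutes"; return 2 ;;
    esac
    if [ -z "$script" ]; then
        # Default program: removes stale users only, not groups, netgroups or NIS maps.
        echo "enabled: every $interval min using /opt/quest/libexec/vas/vasd/delusercheck (users only)"
        return 0
    fi
    case "$script" in
        /*) ;;
        *)  echo "invalid: delusercheck-script '$script' is not an absolute path"; return 3 ;;
    esac
    if [ ! -x "$script" ]; then
        echo "invalid: delusercheck-script '$script' is not executable"; return 4
    fi
    echo "enabled: every $interval min using $script"
    return 0
}

# Run against the file named on the command line, if any.
if [ $# -eq 1 ]; then check_delusercheck "$1"; fi
```

Settings placed in a section other than [vasd] are ignored, which matches where the man page excerpts below place them.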
--------------------------------------------------------------------------------------------------------------------------------------------------------
delusercheck-interval =
Default value: 0
By default, vasd only detects that user objects have been deleted when explicit requests for the deleted users are made by the QAS authentication modules or by calls to getpwnam(). This is due to the difficulties inherent in detecting when objects in a directory are deleted when using an incremental update algorithm. While deleted users cannot get access to Unix machines through QAS, this may not satisfy some auditing requirements. If a Unix environment requires that the cache of user and group information is completely up to date (including removal of deleted objects), you can configure vasd to check periodically for deleted objects. By default this check is turned off to limit the amount of LDAP traffic each QAS client generates. The value of this option should be set to an interval in minutes where vasd should perform the deleted user check. You should carefully evaluate the impact of enabling this search on your Unix clients before enabling this option across your deployment. The following example shows how to configure vasd to run the deleted user check every 24 hours.
[vasd]
delusercheck-interval = 1440
-----------------------------------------------------------------------------------------------------------------------------------
delusercheck-script =
Default value: /opt/quest/libexec/vas/vasd/delusercheck
This option allows you to specify a custom user deletion check program. The default program supplied with QAS is /opt/quest/libexec/vas/vasd/delusercheck. This program will build a table of current Active Directory users to compare with the users that are cached, and remove any cached users that do not appear in the known user table. The value of this option must be an absolute path to a program that vasd can execute. The following example shows how to use a custom user deletion check script.
[vasd]
delusercheck-script = /usr/local/libexec/vas-delusercheck.sh
-------------------------------------------------------------------------------------------------------------------------------------------