Remove ITIM Service And Profile with a script

The following code does direct LDAP manipulations for TIM 4.6. It is here for reference on how to mess with the LDAP. I have better jython based code that does the same through the TIM APIs.



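@echo off
setlocal
rem
rem ITIM Service Remover v1.8 (c) Alex Ivkin
rem Removes all entries for a service as well as the service profile and schema entries. Use with caution.
rem service name must be unique even as a substring of any name - search is made for substrings not whole words. 
rem ie running this script with "e" as the name of the service will screw half of your ldap
rem Generic enough to remove any service, not just the ones created with the service modeler.
rem TIM might have to be restarted after the service removal is complete
rem Tested with IBM's ldapsearch (included in IBM Directory Server)
rem Removes groups associated with a service
rem
rem Does not remove the provisioning policy for a service based on the service profile (but removes the service and account types) WHICH IS IN ou=policies,erglobalid=00000000000000000000,ou=itim,dc=com, erEntitlements. 
rem Recognizable via a service matching the optional attribute erPolicyTarget (sample contents - 1;erglobalid=2839627009543180964,ou=services,erglobalid=00000000000000000000,ou=itim,dc=com)
rem
rem Arguments: %1 ldap host, %2 bind DN, %3 bind password, %4 service name, %5 optional extra ldapmodify argument (-n = dry run)
rem Globals written: x_host x_root x_pwd x_service x_opt modify_rc (kept local to this run by setlocal)
rem Working files per phase: search_<phase>.ldap (raw ldapsearch output), temp_<phase>.ldif (delete records), errors_<phase>.ldap (ldapmodify -e)
rem
rem NOTE: the bind password travels on the ldapsearch/ldapmodify command lines, where other local users can read it from the process list.
rem       IBM's tools are believed to accept ? in place of the password to prompt for it - check the installed version's help before relying on that.
rem NOTE: the service name is spliced unescaped into the LDAP filters and the findstr patterns below; filter metacharacters such as * ( )
rem       or regex metacharacters in the name widen the match beyond the intended service.
rem
if [%1]==[] goto :usage
if [%2]==[] goto :usage
if [%3]==[] goto :usage
if [%4]==[] goto :usage
set x_host=%1
set x_root=%2
set x_pwd=%3
set x_service=%4
set x_opt=%5
rem -----------------------------------
<nul (set/p z=Listing direct entries...)
call ldapsearch -h %x_host% -D %x_root% -w %x_pwd% -b "" -s sub "(objectclass=*%x_service%*)" > search_entries.ldap
rem a failed search (bad host, bind DN or password, size limit hit) must not be mistaken for "nothing matched" - stop before deleting anything
if errorlevel 1 goto :search_failed
<nul (set/p z=Filtering...)
rem start from a clean temp file: a leftover from an earlier (or dry) run would otherwise be fed to ldapmodify as if it were this run's result
if exist temp_entries.ldif del temp_entries.ldif
rem use an invalid LDAP character as a delimiter to avoid the default "space" delimiter as object names may contain a space
rem NOTE(review): & is not actually forbidden in DN values; a DN containing one would be cut at the first & - confirm none exist in this directory
for /F "delims=&" %%A in ('findstr /R "^%x_service%groupcn=.*,erglobalid=.*,.*" search_entries.ldap') do (call :ldap_delete_string "%%A")
for /F "delims=&" %%A in ('findstr /R "^erglobalid=.*,.*" search_entries.ldap') do (call :ldap_delete_string "%%A")
rem for /F "delims=&" %%A in (search_entries.ldap) do (call :subentry_string "%%A" %x_service%)
rem for /F "delims=&" %%A in (search_entries.ldap) do (call :entry_string "%%A")
call :apply_ldif entries entries
rem -----------------------------------
<nul (set/p z=Listing ITIM linked entries...)
call ldapsearch -h %x_host% -D %x_root% -w %x_pwd% -b "" -s sub "(erObjectProfileName=%x_service%*)" > search_itimentries.ldap
if errorlevel 1 goto :search_failed
if exist temp_itimentries.ldif del temp_itimentries.ldif
rem use an invalid LDAP character as a delimiter to avoid the default "space" delimiter as object names may contain a space
for /F "delims=&" %%A in ('findstr /R "^erobjectprofilename=%x_service%.*,ou=itim,.*" search_itimentries.ldap') do (call :ldap_delete_string "%%A" itim)
for /F "delims=&" %%A in ('findstr /R "^erglobalid=.*,.*" search_itimentries.ldap') do (call :ldap_delete_string "%%A" itim)
call :apply_ldif itimentries entries
rem -----------------------------------
<nul (set/p z=Listing classes...)
call ldapsearch -h %x_host% -D %x_root% -w %x_pwd% -b "cn=schema" -s base "(objectclass=*)" objectclasses > search_classes.ldap
if errorlevel 1 goto :search_failed
<nul (set/p z=Filtering...)
if exist temp_classes.ldif del temp_classes.ldif
rem token 2 of an "objectclasses=( OID NAME ... )" line is the OID, which is all :class_string needs
for /F "tokens=2" %%G in ('findstr /I "%x_service%" search_classes.ldap') do (call :class_string %%G )
call :apply_ldif classes classes
rem -----------------------------------
<nul (set/p z=Listing attributes...)
call ldapsearch -h %x_host% -D %x_root% -w %x_pwd% -b "cn=schema" -s base "(objectclass=*)" attributetypes  > search_attributes.ldap
if errorlevel 1 goto :search_failed
<nul (set/p z=Filtering...)
if exist temp_attributes.ldif del temp_attributes.ldif
rem tokens 2-4 of an "attributetypes=( OID NAME 'name' ... )" line are passed on as one quoted argument
for /F "tokens=2,3,4" %%G in ('findstr /I "%x_service%" search_attributes.ldap') do (call :attribute_string "%%G %%H %%I")
call :apply_ldif attributes attributes
rem -----------------------------------not needed anymore-leave here for future reference--
rem <nul (set/p z=Listing ibmattributes...)
rem call ldapsearch -h %x_host% -D %x_root% -w %x_pwd% %x_opt% -b "cn=schema" -s base "(objectclass=*)" ibmattributetypes > search_ibmattributetypes.ldap
rem <nul (set/p z=Filtering...)
rem for /F "tokens=2" %%G in ('findstr /I "%x_service%" search_ibmattributetypes.ldap') do (call :attribute_string %%G ibm )
rem if exist temp_ibmattributes.ldif (
rem   echo Deleting ibmattributes...
rem   call ldapmodify -h %x_host% -D %x_root% -w %x_pwd% %x_opt% -c -e errors_ibmattributes.ldap -i temp_ibmattributes.ldif > nul
rem   if %ERRORLEVEL% EQU 0 (
rem     if NOT [%x_opt%]==[-n] (
rem       del errors_ibmattributes.ldap
rem       del search_ibmattributes.ldap
rem       del temp_ibmattributes.ldif
rem     )
rem   )
rem ) else (
rem   if NOT [%x_opt%]==[-n] (del search_ibmattributes.ldap)
rem   echo.
rem )
rem ------------------------------------
echo Done.
goto :eof
:apply_ldif
  rem Runs ldapmodify on temp_%1.ldif (when it exists) and cleans up the phase's working files.
  rem   %1 - working-file suffix: search_%1.ldap, temp_%1.ldif, errors_%1.ldap
  rem   %2 - noun used in the "Deleting ..." progress message
  rem This is a subroutine rather than an inline ( ... ) block on purpose: inside a parenthesised block
  rem %ERRORLEVEL% is expanded when the block is parsed, i.e. before ldapmodify has run, so the old inline
  rem check never saw the real status (it always showed the value left by the previous command).
  if exist temp_%1.ldif goto :apply_ldif_run
  if NOT [%x_opt%]==[-n] (del search_%1.ldap)
  echo Nothing to delete.
  goto :eof
:apply_ldif_run
  if NOT [%x_opt%]==[-n] echo Deleting %2...
  call ldapmodify -h %x_host% -D %x_root% -w %x_pwd% %x_opt% -c -e errors_%1.ldap -i temp_%1.ldif > nul
  set modify_rc=%ERRORLEVEL%
  echo Errorlevel - %modify_rc%
  rem dry run (-n): keep every working file for inspection, as the usage text promises
  if [%x_opt%]==[-n] goto :eof
  rem -c made ldapmodify continue past failed records; a non-zero status means errors_%1.ldap holds the ones it rejected,
  rem so keep the report and its inputs instead of deleting the evidence
  if %modify_rc% NEQ 0 (
    echo Errors reported - keeping errors_%1.ldap, search_%1.ldap and temp_%1.ldif for inspection.
    goto :eof
  )
  del errors_%1.ldap
  del search_%1.ldap
  del temp_%1.ldif
goto :eof
:search_failed
  rem Reached when an ldapsearch returned a non-zero status; nothing from that phase onwards has been deleted.
  rem Assumes IBM's ldapsearch exits non-zero on bind/connection failure and on result codes such as size limit exceeded - TODO confirm with the installed version.
  echo.
  echo ldapsearch failed with errorlevel %ERRORLEVEL% - check the host, bind DN and password. Stopping before any deletion for this phase.
  exit /b 1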
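:ldap_delete_string
  rem Appends one LDIF "changetype: delete" record to temp_%2entries.ldif.
  rem   %1 - the DN to delete; normally quoted by the caller (the quotes are stripped, an unquoted value is used as is)
  rem   %2 - optional file-name infix: "itim" selects temp_itimentries.ldif, empty selects temp_entries.ldif
  rem No check is made here that %1 really is a DN - the callers pre-filter with findstr.
  set "str=%~1"
  rem redirection first: the record then carries no trailing space, and a DN ending in a digit is not misread as a handle number
  >>temp_%2entries.ldif echo dn: %str%
  >>temp_%2entries.ldif echo changetype: delete
  >>temp_%2entries.ldif echo.
goto :eof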
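:subentry_string
  rem Appends a delete record for %1 to temp_entries.ldif, but only when the line looks like a sub-entry
  rem of the service: "<service>...,erglobalid=...,..." (findstr regex, service name used unescaped).
  rem   %1 - candidate line from search_entries.ldap, quoted by the caller
  rem   %2 - service name
  rem Not called at the moment; the main part filters with findstr and calls :ldap_delete_string directly.
  set "str=%~1"
  echo %str% | findstr /R "%2.*,erglobalid=.*,.*" > nul
  rem findstr returns 1 when nothing matched (2 on error) - either way there is nothing to write
  if errorlevel 1 goto :eof
  <nul (set/p z=.)
  >>temp_entries.ldif echo dn: %str%
  >>temp_entries.ldif echo changetype: delete
  >>temp_entries.ldif echo.
goto :eof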
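:entry_string
  rem Appends a delete record for %1 to temp_entries.ldif, but only when the line starts with a
  rem full ITIM DN ("erglobalid=...,...").
  rem   %1 - candidate line from search_entries.ldap, quoted by the caller
  rem Not called at the moment; the main part filters with findstr and calls :ldap_delete_string directly.
  set "str=%~1"
  echo %str% | findstr /R "^erglobalid=.*,.*" > nul
  rem findstr returns 1 when nothing matched (2 on error) - either way there is nothing to write
  if errorlevel 1 goto :eof
  <nul (set/p z=.)
  >>temp_entries.ldif echo dn: %str%
  >>temp_entries.ldif echo changetype: delete
  >>temp_entries.ldif echo.
goto :eof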
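:class_string
  rem Appends an LDIF record to temp_classes.ldif that removes one objectclass definition from cn=schema.
  rem   %1 - the object class OID (token 2 of an "objectclasses=( OID NAME ... )" schema line)
  rem Only the OID is written into the delete value; presumably the server matches the definition on it - confirm if deletes are rejected.
  set "param=%~1"
  rem earlier versions cut the heading off the whole line instead (param:~15,-1)
  <nul (set/p z=.)
  rem redirection first so no trailing space ends up in the LDIF record
  >>temp_classes.ldif echo dn: cn=schema
  >>temp_classes.ldif echo changetype: modify
  >>temp_classes.ldif echo delete: objectclasses
  >>temp_classes.ldif echo objectclasses: ^( %param% ^)
  >>temp_classes.ldif echo.
goto :eof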
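:attribute_string
  rem Appends an LDIF record to temp_%2attributes.ldif that removes one attribute type definition from cn=schema.
  rem   %1 - the "OID NAME 'name'" fragment of an attributetypes line (tokens 2-4, passed quoted by the caller)
  rem   %2 - optional "ibm": selects the ibmattributetypes variant and temp_ibmattributes.ldif (that caller passes %1 unquoted)
  rem %~1 strips surrounding quotes when present and leaves an unquoted value alone, so both callers are handled the same way.
  set "str=%~1"
  <nul (set/p z=.)
  rem earlier versions cut the heading off the whole line instead (param:~14,-1 for ibm, param:~17,-1 otherwise)
  >>temp_%2attributes.ldif echo dn: cn=schema
  >>temp_%2attributes.ldif echo changetype: modify
  >>temp_%2attributes.ldif echo delete: %2attributetypes
  >>temp_%2attributes.ldif echo %2attributetypes: ^( %str% ^)
  >>temp_%2attributes.ldif echo.
goto :eof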
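:usage
rem Prints the command line synopsis; reached when fewer than four arguments were given.
rem Ends the script with status 2 so a calling script can tell a usage error from a completed run.
echo Run as: 
echo %0 ldaphost ldaprootuser ldaprootpassword servicename [-n]
echo Example:
echo %0 iam-pids-aud "cn=root" rootpass IDISvc -n
echo Use quotes for strange usernames and passwords.
echo use [-n] to try out the removal and not actually perform it. 
echo temporary files are not going to be deleted as well.
echo actually whatever you put as the fifth option will be used in the ldapmodify commands as an argument
echo do not prepend "er" to the serivce name as it is added automatically
exit /b 2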

@Tools @ITIM