CA SSO dormant account list

Document created by rhibo02 Employee on Apr 25, 2017. Last modified by rhibo02 Employee on May 5, 2017.
Version 2

Hi all


I got a request to extract a dormant account list from the CA SSO user DB and upload a CSV file into CA Identity Manager to delete the accounts. Due to limited programming skill and time, I have used existing commands and a Perl script.


It has 3 parts. 


Step 1. Extract user IDs from the LDAP server (must be executed where the dxsearch command is available).
Step 2. Get the last login from the CA SSO server (must be executed on the CA SSO server).
Step 3. Extract the list of users who have not logged in for xx days (default 356 days).


To test it in your environment, download the file and extract it.


Open "DormantAccount_generation.bat" and change it accordingly.  

  • LDAP connection information (It can be executed wherever CA LDAP is installed, because it uses the dxsearch command.)
    • dxsearch -L -h -b "ou=Customers,dc=ForwardIncExternal,dc=ca" -D <bind_dn> -w <password> "(objectclass=person)" uid | findstr "uid: " > .\work\temp.txt
  • Change the Perl parameters (It uses the CA SSO Perl SDK, so it should be executed on the CA SSO server itself.)
    • perl <sso admin ID> <sso_admin_password> "Client LDAP User Store" .\work\userlist.txt>.\work\lastlogininfo.txt
  • Change the time period (lists users who did not log in during the last <days> days)
    • call run.bat ..\work\lastlogininfo.txt ..\DormantUserlist.csv <days>




Step 1 should be executed where the dxsearch (CA LDAP) command is available.

Step 2 should be executed on the server where the CA SSO server is installed.


It was developed for POC purposes only. Once it is converted into Java, it can be executed from any location. I hope that someone who is familiar with Java programming can migrate this into Java-based code.
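A sketch of the Step 3 filter, added here as an example and not taken from the downloadable scripts. The page does not show the layout of lastlogininfo.txt, so the `uid,timestamp` line format, the CSV column names and the function names are all assumptions. Accounts with no login record or an unreadable timestamp are routed to a review list instead of the deletion CSV.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample standing in for .\work\lastlogininfo.txt.
# Assumed line format: "<uid>,<last login, ISO 8601>"; empty = no record.
SAMPLE_LASTLOGIN = """\
jsmith,2017-04-20T08:15:00
adoe,2015-11-02T17:40:00
svc_backup,
bwong,02/30/2016
clee,2016-04-25T00:00:00
"""

def classify(lines, days, now):
    """Split users into dormant, active and needs-review buckets."""
    cutoff = now - timedelta(days=days)
    dormant, active, review = [], [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        uid, _, stamp = (part.strip() for part in line.partition(","))
        if not stamp:
            # New or service accounts may never log in: never auto-delete.
            review.append((uid, "no last-login record"))
            continue
        try:
            last = datetime.fromisoformat(stamp)
        except ValueError:
            review.append((uid, "unparseable timestamp"))
            continue
        (dormant if last < cutoff else active).append((uid, last))
    return dormant, active, review

def dormant_csv(dormant):
    """Render the dormant list as CSV text (assumed columns: uid,last_login)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["uid", "last_login"])
    for uid, last in sorted(dormant):
        writer.writerow([uid, last.date().isoformat()])
    return buf.getvalue()

if __name__ == "__main__":
    now = datetime(2017, 4, 25)  # fixed "today" so the sample is repeatable
    dormant, active, review = classify(SAMPLE_LASTLOGIN.splitlines(), 356, now)
    print(dormant_csv(dormant), end="")
    print("needs review:", review)
```

Keeping the review list separate from the CSV means a parsing problem in Step 2 cannot silently turn into a bulk delete in Identity Manager.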


Batch Job execution result



Last login record



Sample dormant account list, which can be used for IDM bulk task for user deletion. 




Kind regards




This document was generated from the following discussion: CA SSO dormant account list