Hi board.

I am working on an AD driver in IDM 4.0.1.
We have account tracking enabled.

Because we are using multi affiliation accounts in eDirectory we have
some complexity of why and how we have designed this solution.
What is a side effect though is that when we need to administrate
core information or lifecycle management, we are executing the
modifications on the main User object, and then letting a loopback driver
do the synchronisation to the other attached user objects.

Because of the multi affiliation design we are building workflows for
administering the objects, including actions like: enabling, disabling,
password change and locked out/intrusion detection.

So we need to be able to reset lockoutTime in AD to 0 - without being
hit by the account tracking and re-writing of values based on the later

*What we want to achieve:*
When a user is locked out in AD we will set the *Locked By Intruder*
attr. to TRUE, *Login Intruder Attempts* equal to the number of allowed
login attempts due to directory policies, *Login Intruder Address* equal to
{netAddrType="0", netAddr=""} and delete/clear *Login Intruder Reset
This part we have tested and verified successfully to be possible.

We have developed a WF that deletes/clears those attributes again, and
when *Locked By Intruder* is cleared or changes from TRUE, sets
lockoutTime in AD to zero.

*Our issue*
When we are doing this (setting the lockoutTime to zero) we are hit
by/challenged by the Format Conversion policy that is part of a Novell
Package (NOVLADDCFG-otp-FormatConversions and
NOVLADDCFG-itp-FormatConversions) that formats the zero to a timestamp.
In order to work around this I have tried building a policy in Command
Transform where I set a local variable driver-wise to true, and then in
Output Transform I set the dest attr val lockoutTime to zero if the
variable is equal to true. This works. However, when it tracks or reads
status on the object in AD, the lockoutTime is returned NOT as zero and
is therefore triggered by the rule we ALSO had to build in Input
Transform in order to listen on the lockoutTime and determine if it is
anything other than zero. Therefore it handles the event as if it was
indeed a lockout and NOT a reset of lockout.

I would like to have the described functionality without breaking
standard functionality in the driver, so I have to ask if anyone has a
solution for this?

kkrasmussen's Profile: http://forums.novell.com/member.php?userid=20966
View this thread: http://forums.novell.com/showthread.php?t=450312