I have a site that is syncing the Login Expiration Time bi-directionally
between their vault and AD. I started noticing some really odd login
expiration times in eDir, so I investigated. It appears that the
default conversion rule in the input transform is NOT converting

For example, I saw this come through:

<add-attr attr-name="accountExpires">
<value naming="false" type="string">159394408940000000</value>

That should convert to Sun, 07 Feb 2106 06:28:14 GMT I think (although
ADUC shows it as Feb 6th).

But this is the result:

[01/30/17 15:57:51.005]:AD=> PT: Applying rule 'accountExpires:
Convert to Identity Vault time format'.
[01/30/17 15:57:51.005]:AD=> PT: Action:
[01/30/17 15:57:51.005]:AD=> PT:
[01/30/17 15:57:51.005]:AD=> PT:
[01/30/17 15:57:51.005]:AD=> PT: Token Value: "4294967294".
[01/30/17 15:57:51.005]:AD=> PT: Arg Value: "4294967294".

And that results in the value in eDir being set to a crazy time:

12/31/1969, 6:59:58 PM

Or in LDAP: loginExpirationTime: 21060207062814Z

I looked at this driver and it appears to be using the latest packages,
here is the conversion rule:

<description>accountExpires: Convert to Identity Vault time
<comment xml:space="preserve">The Identity Vault uses a 32 bit value
to store certain time values while Active Directory uses a 64 bit time
value. Reformat the 64 bit value to fit within the vault's 32 bit
<do-reformat-op-attr name="accountExpires">
<arg-value type="time">
expression="jadutil:translateFileTime2Epoch($current-value)"/>

Which I think hasn't changed in a long long time.

So I'm confused as to what is going on here. Any ideas?

This is IdM 4.5 SP5 on SLES 11 SP4, AD Driver, eDir 20810.20.



matt's Profile: https://forums.netiq.com/member.php?userid=183
View this thread: https://forums.netiq.com/showthread.php?t=57282
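As an added illustration (not part of the post above and not the NetIQ AD driver's own code), the script below reproduces the arithmetic behind the trace: it converts a 64-bit accountExpires FILETIME (100 ns ticks since 1601-01-01) to Unix seconds the way the jadutil step does, then shows what happens to that result if it is stored in a signed 32-bit field. The constants (FILETIME/Unix epoch offset, the two AD "never expires" sentinels 0 and 0x7FFFFFFFFFFFFFFF, the GeneralizedTime layout) are standard AD/LDAP facts; the function names and the reading that a signed 32-bit store is where the 1969 date comes from are this example's own. For the value in the post the 64-bit conversion gives 4294967294, exactly the token value in the trace; reinterpreted as a signed 32-bit integer that is -2, i.e. 1969-12-31 23:59:58 UTC, which is the 6:59:58 PM Eastern time shown in the post.

```python
"""Added example (not from the post or the NetIQ AD driver): reproduce the
accountExpires -> loginExpirationTime arithmetic and show where a value past
2^31-1 goes wrong when stored as a signed 32-bit time."""
from datetime import datetime, timedelta, timezone

HUNDRED_NS_PER_SECOND = 10_000_000
# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DIFF_SECONDS = 11_644_473_600
# AD treats both of these accountExpires values as "never expires".
AD_NEVER_EXPIRES = (0, 0x7FFF_FFFF_FFFF_FFFF)
# Largest Unix time that fits in a signed 32-bit field: 2038-01-19 03:14:07Z.
MAX_SIGNED32 = 2**31 - 1

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_epoch(filetime: int) -> int:
    """64-bit FILETIME (100 ns ticks since 1601) -> whole seconds since 1970."""
    return filetime // HUNDRED_NS_PER_SECOND - EPOCH_DIFF_SECONDS


def as_signed32(value: int) -> int:
    """Reinterpret the low 32 bits of value as a two's-complement signed int."""
    low = value & 0xFFFF_FFFF
    return low - 2**32 if low & 0x8000_0000 else low


def epoch_to_generalized_time(epoch: int) -> str:
    """Unix seconds -> LDAP GeneralizedTime as eDirectory shows it (YYYYMMDDHHMMSSZ)."""
    return (UNIX_EPOCH + timedelta(seconds=epoch)).strftime("%Y%m%d%H%M%SZ")


def convert_account_expires(filetime: int):
    """Mirror the driver's reformat step and report whether the result is safe.

    Returns None for an AD never-expires sentinel (the vault attribute should be
    removed rather than set), otherwise a dict with:
      epoch            - the 64-bit-correct Unix time (the trace's token value)
      fits_signed32    - True if the value survives a signed 32-bit store
      stored_epoch     - what a signed 32-bit store would actually hold
      generalized_time - loginExpirationTime computed from epoch (no truncation)
      stored_time      - loginExpirationTime computed from stored_epoch
    """
    if filetime in AD_NEVER_EXPIRES:
        return None
    epoch = filetime_to_epoch(filetime)
    stored = as_signed32(epoch)
    return {
        "epoch": epoch,
        "fits_signed32": 0 <= epoch <= MAX_SIGNED32,
        "stored_epoch": stored,
        "generalized_time": epoch_to_generalized_time(epoch),
        "stored_time": epoch_to_generalized_time(stored),
    }


if __name__ == "__main__":
    # Constructed inputs: the value from the post, a 2017-era value, and an AD sentinel.
    for ft in (159394408940000000, 131300000000000000, 0x7FFF_FFFF_FFFF_FFFF):
        print(ft, convert_account_expires(ft))
```

The practical check is `fits_signed32`: anything the 64-bit conversion yields above 2^31-1 (after 2038-01-19 03:14:07Z) cannot be represented in a signed 32-bit time and should be treated as "never expires" (attribute removed) or clamped in policy before it reaches the vault, rather than allowed to wrap to a date in 1969.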