I have a site that is syncing the Login Expiration Time bi-directionally
between their vault and AD. I started noticing some really odd login
expiration times in eDir, so I investigated. It appears that the
default conversion rule in the input transform is NOT converting
properly.

For example, I saw this come through:

<add-attr attr-name="accountExpires">
<value naming="false" type="string">159394408940000000</value>
</add-attr>

That should convert to Sun, 07 Feb 2106 06:28:14 GMT, I think (although
ADUC shows it as Feb 6th).

But this is the result:

[01/30/17 15:57:51.005]:AD=> PT: Applying rule 'accountExpires: Convert to Identity Vault time format'.
[01/30/17 15:57:51.005]:AD=> PT: Action: do-reformat-op-attr("accountExpires",token-xpath("jadutil:translateFileTime2Epoch($current-value)")).
[01/30/17 15:57:51.005]:AD=> PT: arg-string(token-xpath("jadutil:translateFileTime2Epoch($current-value)"))
[01/30/17 15:57:51.005]:AD=> PT: token-xpath("jadutil:translateFileTime2Epoch($current-value)")
[01/30/17 15:57:51.005]:AD=> PT: Token Value: "4294967294".
[01/30/17 15:57:51.005]:AD=> PT: Arg Value: "4294967294".


And that results in the value in eDir being set to a crazy time:

12/31/1969, 6:59:58 PM

Or in LDAP: loginExpirationTime: 21060207062814Z


I looked at this driver and it appears to be using the latest packages.
Here is the conversion rule:

<rule>
  <description>accountExpires: Convert to Identity Vault time format</description>
  <comment xml:space="preserve">The Identity Vault uses a 32 bit value to store certain time values while Active Directory uses a 64 bit time value. Reformat the 64 bit value to fit within the vault's 32 bit syntax.</comment>
  <conditions>
    <and/>
  </conditions>
  <actions>
    <do-reformat-op-attr name="accountExpires">
      <arg-value type="time">
        <token-xpath expression="jadutil:translateFileTime2Epoch($current-value)"/>
      </arg-value>
    </do-reformat-op-attr>
  </actions>
</rule>


Which I think hasn't changed in a long, long time.

So I'm confused as to what is going on here. Any ideas?

This is IdM 4.5 SP5 on SLES 11 SP4, AD Driver 4.0.2.0, eDir 20810.20.

Thanks.


Matt
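
The arithmetic behind the trace above, as an added example that is not part of the original post and is not the driver's jadutil code: it converts the posted accountExpires value from FILETIME ticks (100 ns units since 1601-01-01 UTC) to Unix seconds, then renders the same 32 bits read as unsigned and as signed. The function names are hypothetical; treating 0 and the maximum signed 64-bit value as "never expires" follows Active Directory's convention for accountExpires.

```python
from datetime import datetime, timedelta, timezone

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
EPOCH_DELTA_SECONDS = 11_644_473_600
# AD stores "never expires" in accountExpires as 0 or the max signed 64-bit value.
AD_NEVER = (0, 0x7FFFFFFFFFFFFFFF)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_epoch(filetime):
    """Hypothetical helper: FILETIME ticks -> Unix seconds, or None for 'never'."""
    if filetime in AD_NEVER:
        return None
    return filetime // 10_000_000 - EPOCH_DELTA_SECONDS


def as_signed32(value):
    """Reinterpret the low 32 bits of value as a two's-complement signed integer."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def utc(seconds):
    # timedelta arithmetic avoids platform limits on negative or post-2038 timestamps.
    return UNIX_EPOCH + timedelta(seconds=seconds)


def explain(filetime):
    """Return how one accountExpires value looks to unsigned and signed 32-bit readers."""
    secs = filetime_to_epoch(filetime)
    if secs is None:
        return {"never": True}
    return {
        "never": False,
        "epoch_seconds": secs,
        "fits_unsigned32": 0 <= secs <= 0xFFFFFFFF,
        "fits_signed32": 0 <= secs <= 0x7FFFFFFF,
        "unsigned_view": utc(secs & 0xFFFFFFFF).strftime("%Y%m%d%H%M%SZ"),
        "signed_view": utc(as_signed32(secs)).strftime("%Y%m%d%H%M%SZ"),
    }


if __name__ == "__main__":
    # Value taken from the accountExpires element in the post.
    for key, val in explain(159394408940000000).items():
        print(f"{key}: {val}")
```

For the posted value, the unsigned view is 21060207062814Z and the signed view is 19691231235958Z, which is 6:59:58 PM on 12/31/1969 at UTC-5.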

