This issue is between the IDvault and one of our AD drivers, the rule that is being kicked of by the driver to set the pwdLastSet (AD attribute) to 0 in the AD domain is being kicked off and the RemoteLoader traces see's that command and it appears to send the command to AD, but the value doesn't get set. Below I have the driver trace where it shows the rule and the driver sending the action to AD to set it to 0 and then I also have the Remote Loader trace where it appears to be doing an LDAPmod command to set it to 0 in AD, but the end result is not 0 but rather when I look at the account in AD via my LDAP browser it just has todays time stamp on the pwdLastSet attribute......any ideas why the setting of it to 0 does not appear to be sticking? Thank you,




##----------------------------------------------------------AD driver trace--------------------------------------------------------------------------
09:03:47 9996B940 Driver-Name ST: Evaluating selection criteria for rule 'Force PW reset on next login if eDir PW is expired'.
09:03:47 9996B940 Driver-Name ST: (if-class-name equal "User") = TRUE.
09:03:47 9996B940 Driver-Name ST: (if-operation not-equal "move") = TRUE.
09:03:47 9996B940 Driver-Name ST: (if-local-variable 'passwordExpired' equal "true") = TRUE.
09:03:47 9996B940 Driver-Name ST: Rule selected.
09:03:47 9996B940 Driver-Name ST: Applying rule 'Force PW reset on next login if eDir PW is expired'.
09:03:47 9996B940 Driver-Name ST: Action: do-set-dest-attr-value("pwdLastSet","0").
09:03:47 9996B940 Driver-Name ST: arg-string("0")
09:03:47 9996B940 Driver-Name ST: token-text("0")
09:03:47 9996B940 Driver-Name ST: Arg Value: "0".
09:03:47 9996B940 Driver-Name ST: Action: do-set-local-variable("passwordExpired",scope="driver","false") .
09:03:47 9996B940 Driver-Name ST: arg-string("false")
09:03:47 9996B940 Driver-Name ST: token-text("false")
09:03:47 9996B940 Driver-Name ST: Arg Value: "false".
09:03:47 9996B940 Driver-Name ST: Policy returned:
09:03:47 9996B940 Driver-Name ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="x.x">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>db83752f76385c4e86041e57ef13804a</association>
<read-attr attr-name="memberOf"/>
</query>
<modify class-name="user" event-id="0">
<association>db83752f76385c4e86041e57ef13804a</association>
<modify-attr attr-name="pwdLastSet">
<remove-all-values/>
<add-value>
<value type="string">0</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
09:03:47 9996B940 Driver-Name ST: Submitting document to subscriber shim:
09:03:47 9996B940 Driver-Name ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="x.x">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>db83752f76385c4e86041e57ef13804a</association>
<read-attr attr-name="memberOf"/>
</query>
<modify class-name="user" event-id="0">
<association>db83752f76385c4e86041e57ef13804a</association>
<modify-attr attr-name="pwdLastSet">
<remove-all-values/>
<add-value>
<value type="string">0</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
09:03:47 9996B940 Driver-Name ST: Remote Interface Driver: Sending...
09:03:47 9996B940 Driver-Name ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="x.x">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<query class-name="user" event-id="0" scope="entry">
<association>db83752f76385c4e86041e57ef13804a</association>
<read-attr attr-name="memberOf"/>
</query>
<modify class-name="user" event-id="0">
<association>db83752f76385c4e86041e57ef13804a</association>
<modify-attr attr-name="pwdLastSet">
<remove-all-values/>
<add-value>
<value type="string">0</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
09:03:47 9996B940 Driver-Name ST: Remote Interface Driver: Document sent.
09:03:47 8C550940 HI-MCG :Remote Interface Driver: Received.
09:03:47 8C550940 HI-MCG :
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20120419_120000" instance="\ADDRIVER\PATH" version="3.5.17">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="user" event-id="0" src-dn="CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN">
<association>db83752f76385c4e86041e57ef13804a</association>
<attr attr-name="memberOf">
<value association-ref="b78c3a8587f4db4585e1f248cb1ae4a8" naming="true" type="dn">cn=group1</value>
<value association-ref="738f5b6c8d42304b98e1110748d50950" naming="true" type="dn">cn=group2</value>
</attr>
</instance>
<status event-id="0" level="success"/>
<status event-id="0" level="success"/>
</output>
</nds>
09:03:47 8C550940 HI-MCG :Remote Interface Driver: Received document for subscriber channel
09:03:47 8C550940 HI-MCG :Remote Interface Driver: Waiting for receive...
09:03:47 9996B940 Driver-Name ST: SubscriptionShim.execute() returned:
09:03:47 9996B940 Driver-Name ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20120419_120000" instance="\ADDRIVER\PATH" version="3.5.17">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance class-name="user" event-id="0" src-dn="CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN">
<association>db83752f76385c4e86041e57ef13804a</association>
<attr attr-name="memberOf">
<value association-ref="b78c3a8587f4db4585e1f248cb1ae4a8" naming="true" type="dn">cn=group1</value>
<value association-ref="738f5b6c8d42304b98e1110748d50950" naming="true" type="dn">cn=group2</value>
</attr>
</instance>
<status event-id="0" level="success"/>
<status event-id="0" level="success"/>
</output>
</nds>

##-----------------------------------------------------Remote Loader trace-----------------------------------------------------------------
DirXML: [12/27/17 08:59:37.72]: ADDriver: parse command

className user
destDN
eventId 0
association db83752f76385c4e86041e57ef13804a
DirXML: [12/27/17 08:59:37.72]: ADDriver: query
DirXML: [12/27/17 08:59:37.72]: ADDriver: query constraints
DirXML: [12/27/17 08:59:37.72]: ADDriver: query
base DN: CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, memberOf,
DirXML: [12/27/17 08:59:37.72]: ADDriver: query
base DN: CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN,
filter: (objectClass=*),
return: (attribute values) objectClass, objectGUID, memberOf,
DirXML: [12/27/17 08:59:37.72]: ADDriver: ldap get next page ( 2147483647)
DirXML: [12/27/17 08:59:37.74]: ADDriver: ldap get next page ( 2147483647)
DirXML: [12/27/17 08:59:37.74]: ADDriver: parse command

className user
destDN
eventId 0
association db83752f76385c4e86041e57ef13804a
DirXML: [12/27/17 08:59:37.74]: ADDriver: parse modify class = user
DirXML: [12/27/17 08:59:37.74]: ADDriver: association
DirXML: [12/27/17 08:59:37.74]: ADDriver: db83752f76385c4e86041e57ef13804a
DirXML: [12/27/17 08:59:37.74]: ADDriver: modify-attr
DirXML: [12/27/17 08:59:37.74]: ADDriver: remove-all-values
DirXML: [12/27/17 08:59:37.74]: ADDriver: add-value
DirXML: [12/27/17 08:59:37.74]: ADDriver: value
DirXML: [12/27/17 08:59:37.74]: ADDriver: 0
DirXML: [12/27/17 08:59:37.74]: ADDriver: ldap_modify user CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN
LDAPMod operations:
delete attribute pwdLastSet
add attribute pwdLastSet
>> 0
DirXML: [12/27/17 08:59:37.74]: Loader: subscriptionShim->execute() returned:
DirXML: [12/27/17 08:59:37.74]: Loader: XML Document:
DirXML: [12/27/17 08:59:37.74]: <nds ndsversion="8.7" dtdversion="1.1">
<source>
<product version="3.5.17" asn1id="" build="20120419_120000" instance="\ADDRIVER\PATH">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<instance src-dn="CN=Wonderful\, Sun D.,OU=MSOC,OU=ACCOUNT,OU=DOMAIN" class-name="user" event-id="0">
<association>db83752f76385c4e86041e57ef13804a</association>
<attr attr-name="memberOf">
<value type="dn" association-ref="b78c3a8587f4db4585e1f248cb1ae4a8" naming="true">cn=group1</value>
<value type="dn" association-ref="738f5b6c8d42304b98e1110748d50950" naming="true">cn=group2</value>
</attr>
</instance>
<status level="success" event-id="0"/>
<status level="success" event-id="0"/>
</output>
</nds>