There is an annoying behavior of the eDir Bi-Directional Driver when it comes to Password Expiration Time and I'm wondering if anyone has come up with a better solution than I have to deal with it.
Here is the situation: identical password policies in both the vault and the target eDir tree. Password sync is one way, from vault to target tree. Password policy has "Do not expire the user's password when the administrator sets the password" UNCHECKED in both trees. So an Admin password change should immediately expire the password in both trees. Password expiration is set to 1 year.
Engine Control value "Use Password event values" is set to false, which I think is default.
User changes password using SSPR against vault. Password expiration in the vault is properly set to 1 year out, but in the target tree, it is IMMEDIATELY expired. This is no good.
Change "Use Password event values" to TRUE. Now user changes password via SSPR and the password expiration time in both trees is the same. Great. HOWEVER, if I make an Admin password change to the user using iManager in the vault, the password in the vault is immediately expired, BUT the password in the target tree is still set to expire in a year. This is no good.
Setting "Do not expire the user's password when the administrator sets the password" is not acceptable.
The only way around this I have found is to catch the modify-password event in the output transform, go read the password expiration from the vault, and write it back to the target tree, overwriting what gets set when the password is sync'd and changed in the target tree.
Has anyone come up with a better way to handle this? I have not tested bi-directional password sync, but I think the same problem happens in the opposite direction too.
The legacy driver never had this problem, so I'm surprised after all these years no one has run into this? Or what am I missing?
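For readers wanting to see what the workaround from the post looks like in practice, here is an added DirXML Script rule for the subscriber Output Transformation policy; it is illustrative code written for this thread, not the poster's policy or anything shipped with the driver. It assumes the eDirectory attribute name "Password Expiration Time" is unmapped between the two trees, and it only fires when the vault actually has a value to copy.

```xml
<policy>
  <rule>
    <description>After a password sync, copy the vault's Password Expiration Time to the target tree</description>
    <conditions>
      <and>
        <!-- only password changes flowing from vault to target -->
        <if-operation op="equal">modify-password</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- skip users that have no expiration set in the vault (assumption: nothing to overwrite) -->
        <if-src-attr name="Password Expiration Time" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Not an add/modify, so this generates a separate modify command queued after the
           modify-password, overwriting the expiration the target tree sets on its own. -->
      <do-set-dest-attr-value name="Password Expiration Time">
        <arg-value type="time">
          <token-src-attr name="Password Expiration Time"/>
        </arg-value>
      </do-set-dest-attr-value>
    </actions>
  </rule>
</policy>
```

After deploying, verify with a trace (level 3) that the modify of Password Expiration Time is issued after the modify-password and that an admin-set password in the vault now shows the same (immediately expired) value in the target tree.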