Synchronizing Login Expiration Time with Active Directory

9 months ago

This is an old issue that has come up a number of times for different customers over the years. There is a great article, posted in 2010, TRULY Synching Login Expiration Time to AD, that provides great background on the root cause of the issue as well as one option to work around the problem without modifying out-of-the-box provided routines. I encourage you to read that article as well as the solution provided.

Over the years the Active Directory driver has had some tweaks to this section of code, and it now handles most of the situations where 1969 dates might appear, though unfortunately not every case. After a careful analysis of the dates involved for one customer, it was decided to change the default rules provided by the out-of-the-box solution. This path was taken so that all date translations are handled in the Input and Output Transform policy sets. This follows the best practice of keeping data translations in these policy sets, which avoids complex use cases that would otherwise have to be managed in Event or Command policies. There is an excellent article, IDM Proven Practices Efficient IDM Input Output Transformation, on the reasons why this is a best practice, and I encourage you to read through that article for great background on this reasoning.

With all that background established, the current out-of-the-box rules handle most of the accountExpires to Login Expiration Date translations well, but miss a couple of cases where the date value in Active Directory is set to either "0" or "9223372036854775807". That really large value is what Active Directory uses for the Never Expires setting. In eDirectory that needs to be translated to removing any value from the attribute Login Expiration Date. If the value 0, or the translated form of the long 64 bit value, is set in Login Expiration Date, the value ends up as time 0, i.e. Jan 1st, 1970 00:00 UTC. As my customers are in North America, they see that time as being on Dec 31st, 1969, due to the local Time Zone adjustment. If that value is then synchronized back to Active Directory through some other event, Active Directory now holds a matching date value seen in 1969, and administrators end up getting help desk calls to fix the problem.

To address the root cause of these additional situations, the Input Transformation Policy (NOVLADDCFG-itp-FormatConversions) that has the Rule (accountExpires) handling the transformation of the accountExpires attribute needs to be modified as shown below.

For completeness the following information provides the out-of-the-box Rules for both Output and Input Transform policies from the "Active Directory Default Configuration" package "2.5.2.20180730122953". The Output Transform Rule is listed first, as the only change is to add a description describing what the Rule is doing.

Package: Active Directory Default Configuration; 2.5.2.20180730122953
Policy:      NOVLADDCFG-otp-FormatConversions
Rule:         accountExpires

Out-of-the-box Output Transform Rule:

[Image: NOVLADDCFG-otp-FormatConversions (accountExpires).png]

Modified Output Transform Rule:

[Image: NOVLADDCFG-otp-FormatConversions (accountExpires-revised).png]

Modified XML code for the accountExpires Rule (only the Description has changed):

<rule>
  <description>accountExpires: Convert to Active Directory format</description>
  <comment xml:space="preserve">The Identity Vault uses a 32 bit value to store certain time values while Active Directory uses a 64 bit time value. Reformat the 32 bit value to the Active Directory's 64 bit syntax.</comment>
  <conditions>
    <and>
      <if-op-attr name="accountExpires" op="changing"/>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <or>
          <if-op-attr mode="nocase" name="accountExpires" op="equal">-1</if-op-attr>
          <if-op-attr mode="nocase" name="accountExpires" op="equal">-2</if-op-attr>
        </or>
      </arg-conditions>
      <arg-actions>
        <do-set-dest-attr-value name="accountExpires">
          <arg-value type="int">
            <token-text xml:space="preserve">0</token-text>
          </arg-value>
        </do-set-dest-attr-value>
      </arg-actions>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr mode="regex" name="accountExpires" op="changing-to">. </if-op-attr>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-reformat-op-attr name="accountExpires">
              <arg-value type="octet">
                <token-xpath expression="jadutil:translateEpoch2FileTime($current-value)"/>
              </arg-value>
            </do-reformat-op-attr>
          </arg-actions>
          <arg-actions>
            <do-set-dest-attr-value name="accountExpires">
              <arg-value>
                <token-text xml:space="preserve">0</token-text>
              </arg-value>
            </do-set-dest-attr-value>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-if>
  </actions>
</rule>


Package: Active Directory Default Configuration; 2.5.2.20180730122953
Policy:      NOVLADDCFG-itp-FormatConversions
Rule:         accountExpires

Out-of-the-box Input Transform Rule:

[Image: NOVLADDCFG-itp-FormatConversions (accountExpires).png]


Modified Input Transform Rule:

[Image: NOVLADDCFG-itp-FormatConversions (accountExpires-revised).png]


Modified XML Code for Rule (lots of changes):

<rule>
  <description>accountExpires: Convert to Identity Vault time format</description>
  <comment xml:space="preserve">The Identity Vault uses a 32 bit value to store certain time values while Active Directory uses a 64 bit time value. Reformat the 64 bit value to fit within the vault's 32 bit syntax.</comment>
  <conditions>
    <and>
      <if-op-attr name="accountExpires" op="changing"/>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr mode="nocase" name="accountExpires" op="not-equal">0</if-op-attr>
          <if-op-attr mode="nocase" name="accountExpires" op="not-equal">9223372036854775807</if-op-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-reformat-op-attr name="accountExpires">
          <arg-value type="time">
            <token-xpath expression="jadutil:translateFileTime2Epoch($current-value)"/>
          </arg-value>
        </do-reformat-op-attr>
      </arg-actions>
      <arg-actions>
        <do-strip-op-attr name="accountExpires"/>
        <do-if>
          <arg-conditions>
            <and>
              <if-operation mode="nocase" op="equal">modify</if-operation>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-clear-dest-attr-value name="accountExpires"/>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-if>
  </actions>
</rule>
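To make the decision logic of the two rules above concrete (the sentinel handling in the Input Transform and the -1/-2 handling in the Output Transform), here is an added Python model of the same translation. It is example code written for this article, not the driver's jadutil functions or any NetIQ code. It assumes the standard Windows FILETIME epoch (100-nanosecond intervals since 1601-01-01 UTC) for the 64 bit value, models the Identity Vault side as Unix epoch seconds, and uses a fixed UTC-5 offset (constructed, standing in for a North American time zone) to show why a stored time 0 is displayed as Dec 31st, 1969.

```python
from datetime import datetime, timedelta, timezone

# Sentinel values Active Directory uses in accountExpires (both named in the article).
AD_ZERO = 0
AD_NEVER_EXPIRES = 9223372036854775807  # 2**63 - 1

# Assumption: standard FILETIME epoch offset (1601-01-01 -> 1970-01-01) in 100 ns units,
# and 10,000,000 hundred-nanosecond intervals per second.
FILETIME_EPOCH_OFFSET = 116444736000000000
FILETIME_PER_SECOND = 10_000_000


def filetime_to_epoch(filetime: int) -> int:
    """64 bit FILETIME -> Unix epoch seconds (models translateFileTime2Epoch, an assumption)."""
    return (filetime - FILETIME_EPOCH_OFFSET) // FILETIME_PER_SECOND


def epoch_to_filetime(epoch_seconds: int) -> int:
    """Unix epoch seconds -> 64 bit FILETIME (models translateEpoch2FileTime, an assumption)."""
    return epoch_seconds * FILETIME_PER_SECOND + FILETIME_EPOCH_OFFSET


def input_transform(operation: str, account_expires: int) -> dict:
    """Model of the modified Input Transform rule (AD -> Identity Vault).

    Returns the value to keep on the operation attribute (None means the attribute
    is stripped) and whether the destination attribute must be cleared.
    """
    if account_expires not in (AD_ZERO, AD_NEVER_EXPIRES):
        # Normal date: reformat the 64 bit value into vault epoch time.
        return {"op_attr": filetime_to_epoch(account_expires), "clear_dest": False}
    # Sentinel: never let 0 or 2**63-1 reach Login Expiration Time. Strip the value,
    # and on a modify also clear whatever the vault currently holds.
    return {"op_attr": None, "clear_dest": operation.lower() == "modify"}


def output_transform(login_expiration) -> int:
    """Model of the Output Transform rule (Identity Vault -> AD).

    -1 and -2 are treated as 'no expiration' and become AD's 0; a real date becomes FILETIME.
    """
    if login_expiration in (-1, -2):
        return AD_ZERO
    return epoch_to_filetime(login_expiration)


def render_local(epoch_seconds: int, utc_offset_hours: int) -> str:
    """Show how a stored epoch renders in a fixed-offset zone (constructed, not a real tz database)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_seconds, tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    # Constructed sample: 2025-01-01T00:00:00Z as a FILETIME value.
    sample_filetime = 133801632000000000
    print(input_transform("add", sample_filetime))            # reformatted to epoch 1735689600
    print(input_transform("modify", AD_NEVER_EXPIRES))        # stripped, destination cleared
    print(output_transform(-1))                               # 0 in AD
    # The failure mode the article describes: a vault time of 0 seen from UTC-5.
    print(render_local(0, -5))                                # 1969-12-31 19:00:00
```

The round trip in the two model functions is exact for whole seconds, which is all the vault's time syntax carries; the point of the input rule is that the two sentinel values never enter that arithmetic at all, so nothing is left in Login Expiration Time to be written back to Active Directory later as a 1969 date.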


I hope you find the above helpful in addressing the translation of accountExpires to Login Expiration Date and back between eDirectory and Active Directory.

Cheers,

D
