IdM 5.5 and AD accountExpires attribute

Hi experts.

Has anyone used IdM to maintain AD accounts via the accountExpires attribute by setting and resetting the accountExpires value?

A customer has an AD admin who uses this attribute extensively to "auto-disable" accounts at various times in the future.

The standard AD adapter schema map doesn't seem to include accountExpires.

If anyone out there has experience of this attribute and how it is best handled please let us know what things to watch out for.

By greenfan88 at 2007-11-26 8:27:01
# 1

Hellos,

Surprised no one has met/used this attribute before, but..

I am no Java programmer. I have only written one Java program, and that was 3 years ago, reading CRLs from an LDAP directory. Java has a nice set of X509 classes... about the only useful stuff Java has.

Anyway, I have a Java function that takes in the accountExpires value as a long and returns a Java Date object. Nothing special...

import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;

public static Date adExpiresToDate(long accountExpiresL)
{
    // accountExpires is a FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC,
    // so the 1601 epoch has to be built in UTC rather than in the JVM's default timezone
    Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
    calendar.clear();
    calendar.set(1601, Calendar.JANUARY, 1, 0, 0);
    // 10000 ticks per millisecond, then shift from the 1601 epoch to the 1970 epoch
    long millis = accountExpiresL / 10000 + calendar.getTimeInMillis();
    return new Date(millis);
}

My problem is twofold.

1. All the dates etc. are based on a number of time units since a timestamp in the past, e.g. Unix/Java: Jan 1st 1970 00:00:00 GMT, and AD: Jan 1st 1601 00:00:00 GMT.

But what is my calendar's timezone? Need I adjust the calendar if my local timezone is not GMT?

2. How do I get this sort of Java function into an IdM rule so I can use it?

greenfan88 at 2007-7-6 21:42:11
# 2

From FAQs:

You will need to make the appropriate entries in your resource schema and corresponding user forms.

1) Add an entry into your Active Directory schema named "accountExpires"

2) Below are sample fields that provide a select list for number of days to expire an account and the actual field that sets the value that needs to get pushed to Active Directory:

<Field name='numberDaysTillExpire' type='string' displaytype='select'>
  <Display class='Select'>
    <Property name='title' value='Days till account expire on AD'/>
    <Property name='allowedValues'>
      <expression>
        <list>
          <s>Never</s>
          <s>7</s>
          <s>30</s>
          <s>120</s>
          <s>180</s>
          <s>365</s>
        </list>
      </expression>
    </Property>
  </Display>
</Field>

<Field name='accounts[AD].accountExpires'>
  <Expansion>
    <cond>
      <notnull>
        <ref>numberDaysTillExpire</ref>
      </notnull>
      <script>
        // these calculations are based on a document in MSDN
        // titled "Converting a time_t Value to a File Time"
        // I do these without 4 trailing zeros to prevent
        // printout of using "computerized scientific notation."
        var t = java.lang.System.currentTimeMillis();
        // add difference between normal time based on 1/1/1970
        // and MS time based on 1/1/1601
        t += 11644473600000;
        var numberDays = env.get('numberDaysTillExpire');
        // The formula used to calculate the below values:
        // (7 day example) 7*24*60*60*1000
        if (numberDays.equals("Never"))
          t = 0;
        else if (numberDays.equals("7"))
          t += 604800000;
        else if (numberDays.equals("30"))
          t += 2592000000;
        else if (numberDays.equals("120"))
          t += 10368000000;
        else if (numberDays.equals("180"))
          t += 15552000000;
        else if (numberDays.equals("365"))
          t += 31536000000;
        // add back 4 zeros and cast to a string
        t + "0000";
      </script>
    </cond>
  </Expansion>
</Field>

gunjanidm at 2007-7-6 21:42:11
# 3
greenfan, drop me an email - think I got exactly what you need. Did an implementation to deal with the accountExpires attribute a few days ago that is slightly more flexible than what the FAQ gives you.

/A
anders@inserve at 2007-7-6 21:42:11
# 4

Hi greenfan,

I worked on this some time back, but was not able to finish my task; still working on it.

So here is something, if it helps you. If your AD value (FILETIME, value since 1600) is what you have and you want to convert it into your local date, use this code; this will work fine:

import java.text.SimpleDateFormat;
import java.util.Date;

// this value is last pwd set for a user.
long pwdLastSet = Long.parseLong("127959034858630488");
// 0x19db1ded53e8000 = number of 100-nanosecond ticks between 1601-01-01 and 1970-01-01
long javaTime = pwdLastSet - 0x19db1ded53e8000L;
// 10000 ticks per millisecond
javaTime /= 10000;
Date today = new Date(javaTime);
// SimpleDateFormat renders in the JVM's default timezone, i.e. the local date
SimpleDateFormat sdf2 = new SimpleDateFormat("MM/dd/yyyy HH:mm:ss");
String newDateString = sdf2.format(today);
System.out.println("Date When Password Last Set :" + newDateString);

And if you want the password expiration date for that user, just add 385 days to that, which is the standard maxpwdage in AD.

The other thing for me is: if you are still working on this, I have a few questions regarding similar stuff. In IdM, when a user's password is reset I am getting 0 in pwdLastSet.

Any idea?

Thanks,

pandu

pandu345 at 2007-7-6 21:42:11
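An added example, not code from the thread, that carries the conversion in the post above through to a password-expiry date. It keeps the FILETIME arithmetic in UTC with java.time (Java 8 or later) and applies a timezone only when formatting, and it treats the pwdLastSet value of 0 that pandu asks about as the special case it is in AD: a zero pwdLastSet means the password must be changed at next logon, so no expiry date can be derived from it. The class and method names are mine; the 42-day maxPwdAge is an assumed value for the demonstration, and the real interval comes from the domain's password policy.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;

/**
 * Added example (not from the thread): derive a password expiry date from the
 * AD pwdLastSet attribute while respecting the special values AD uses.
 */
public class PwdLastSetExample {

    // 100-nanosecond ticks between the FILETIME epoch (1601-01-01 UTC) and the
    // Unix epoch (1970-01-01 UTC); the same constant the post above uses
    private static final long FILETIME_EPOCH_DIFF = 0x19db1ded53e8000L;

    /** Convert a FILETIME value (100 ns ticks since 1601, UTC) to an Instant. */
    static Instant fileTimeToInstant(long fileTime) {
        long ticksSinceUnixEpoch = fileTime - FILETIME_EPOCH_DIFF;
        // split into whole seconds plus remaining nanoseconds so nothing is lost
        long seconds = Math.floorDiv(ticksSinceUnixEpoch, 10_000_000L);
        long nanos = Math.floorMod(ticksSinceUnixEpoch, 10_000_000L) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }

    /**
     * The instant the password expires, or null when none can be derived:
     * pwdLastSet == 0 means AD requires a change at next logon (what a reset
     * with "user must change password" leaves behind), and a maxPwdAge of
     * zero days means passwords never expire.
     */
    static Instant passwordExpiry(long pwdLastSet, int maxPwdAgeDays) {
        if (pwdLastSet == 0L || maxPwdAgeDays <= 0) {
            return null;
        }
        return fileTimeToInstant(pwdLastSet).plus(Duration.ofDays(maxPwdAgeDays));
    }

    /** Render an instant in the zone the viewer sits in, using the post's pattern. */
    static String display(Instant instant, ZoneId zone) {
        return DateTimeFormatter.ofPattern("MM/dd/yyyy HH:mm:ss").format(instant.atZone(zone));
    }

    public static void main(String[] args) {
        // constructed input: the pwdLastSet value quoted in the post above
        long pwdLastSet = Long.parseLong("127959034858630488");
        Instant lastSet = fileTimeToInstant(pwdLastSet);
        System.out.println("pwdLastSet (UTC):   " + display(lastSet, ZoneId.of("UTC")));
        System.out.println("pwdLastSet (local): " + display(lastSet, ZoneId.systemDefault()));

        // assumed maxPwdAge of 42 days; read the real value from the domain policy
        Instant expiry = passwordExpiry(pwdLastSet, 42);
        System.out.println("expires (UTC):      " + display(expiry, ZoneId.of("UTC")));

        // a reset that forces a change at next logon leaves pwdLastSet at 0
        System.out.println("expiry for pwdLastSet=0: " + passwordExpiry(0L, 42));
    }
}
```

The two printed forms of the same pwdLastSet make the timezone question from post #1 concrete: the stored value is one instant, and only the rendering changes with the zone, so the conversion itself never needs a local-time adjustment.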
# 5

So it's in the FAQ.

Shame on whoever wrote the answer though.

Point 1.

Add an entry on the schema map for accountExpires.

Hmmmm. What do the chars <-> mean on the schema map? My guess is that the attribute data flows two ways: from IdM to AD *and* from AD to IdM. So why does the FAQ only bother to SET the AD attribute... don't we care about changes in this attribute made by AD admins?

In fact the most challenging aspect is to convert the MS timestamp into something that can be meaningfully displayed on the screen via the IdM form.

Point 1.5

Maybe some future version of IdM may allow us to select which schema-mapped attributes we wish to see as read/write (<->), read only from resource (<-), or write only from IdM to resource (->).

Point 2.

The timestamp set in accountExpires should be midnight on the date picked/selected, not a simplistic adjustment from the current timestamp when you click the save button.

greenfan88 at 2007-7-6 21:42:11
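As an added example that is not code from the thread or from the IdM FAQ, here is the two-way handling that greenfan88's points describe: the write side takes the date picked on a form and stores midnight of that day in the administrator's zone, rather than "now plus N days" as the FAQ script does, and the read side renders whatever an AD admin has set, including both encodings AD uses for "account never expires" (0 and 9223372036854775807). It assumes Java 8 or later for java.time; the class name, method names and the Europe/London zone are my choices, and the 11644473600000 constant is the one from the FAQ script.

```java
import java.time.Instant;
import java.time.LocalDate;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;

/**
 * Added example (not from the thread): two-way handling of accountExpires so the
 * value can be written from a date picked on a form and read back for display.
 */
public class AccountExpiresExample {

    // milliseconds from 1601-01-01 to 1970-01-01, the constant the FAQ script uses
    private static final long EPOCH_DIFF_MILLIS = 11644473600000L;

    // AD treats either of these accountExpires values as "never expires"
    private static final long NEVER_ZERO = 0L;
    private static final long NEVER_MAX = Long.MAX_VALUE; // 9223372036854775807

    /** Write direction: midnight of the picked date in the admin's zone, as a FILETIME string. */
    static String toAccountExpires(LocalDate picked, ZoneId zone) {
        if (picked == null) {
            return "0"; // "Never" selected on the form, written as a plain zero
        }
        // start of the chosen day in that zone, not an offset from the current time
        Instant midnight = picked.atStartOfDay(zone).toInstant();
        long fileTime = (midnight.toEpochMilli() + EPOCH_DIFF_MILLIS) * 10_000L;
        return Long.toString(fileTime);
    }

    /** Read direction: the raw value AD returns, rendered in the viewer's zone. */
    static String fromAccountExpires(String raw, ZoneId zone) {
        long fileTime = Long.parseLong(raw.trim());
        if (fileTime == NEVER_ZERO || fileTime == NEVER_MAX) {
            return "Never";
        }
        // integer division drops the sub-millisecond part, which is fine for display
        Instant expires = Instant.ofEpochMilli(fileTime / 10_000L - EPOCH_DIFF_MILLIS);
        return DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm").format(expires.atZone(zone));
    }

    public static void main(String[] args) {
        ZoneId london = ZoneId.of("Europe/London"); // assumed admin's zone
        ZoneId utc = ZoneId.of("UTC");

        // constructed input: the admin picks 1 July 2008 (British Summer Time, UTC+1)
        String written = toAccountExpires(LocalDate.of(2008, 7, 1), london);
        System.out.println("accountExpires to write: " + written);

        // reading it back shows why the zone matters on display: the same instant
        // is 00:00 in London but 23:00 the previous day in UTC
        System.out.println("shown in London: " + fromAccountExpires(written, london));
        System.out.println("shown in UTC:    " + fromAccountExpires(written, utc));

        // both "never" encodings an AD admin may already have set on an account
        System.out.println("raw 0 -> " + fromAccountExpires("0", utc));
        System.out.println("raw max -> " + fromAccountExpires("9223372036854775807", utc));

        // "Never" chosen on the form
        System.out.println("Never -> " + toAccountExpires(null, london));
    }
}
```

Because the read side recognises both "never" encodings, a value an AD admin set directly shows up correctly in the form instead of rendering as a date in 1601 or in the year 30828, which is what a naive conversion of 0 or Long.MAX_VALUE produces.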