RBPM new and existing proxy and delegation assignments with no expiration fail after applying an eDirectory patch

  • 7009824
  • 30-Nov-2011
  • 15-Jan-2014

Environment

Novell eDirectory 8.8 SP6 for All Platforms
Novell eDirectory 8.8 SP5 for All Platforms
Identity Manager 3.6.1
Identity Manager 4.0
Identity Manager 4.0.1
Identity Manager Roles Based Provisioning Module 3.6.1
Identity Manager Roles Based Provisioning Module 3.7
Identity Manager Roles Based Provisioning Module 4.0
Identity Manager Roles Based Provisioning Module 4.0.1

Situation

Issue starts after applying any of the patches below:
eDirectory 8.8 SP6 Patch 4
eDirectory 8.8 SP6 Patch 3
eDirectory 8.8 SP6 Patch 2
eDirectory 8.8 SP5 Patch 6
 
New delegation and proxy assignments cannot be created when the user selects "no expiration". Error -613 is returned when the request is submitted.

All delegation and proxy assignments that were created with "no expiration" before the patch was applied now appear to be expired.

Existing "My Delegate Assignments" and "My Proxy Assignments" that were created with "no expiration" are no longer shown by RBPM.

Error: CONSTRAINT_VIOLATION is returned when attempting to set a time later than December 31, 2037 at 23:59:59 via LDAP.

DSTrace shows: Invalid GeneralizedTime syntax and NDS error: syntax violation (-613)

Resolution

When storing a time value with the SYN_TIME syntax, eDirectory converts the time to the number of UTC seconds since midnight, January 1, 1970 and stores it in a 32-bit field. Read as an unsigned integer, this gives an available date range of 1970 to 2106. Only the lower 31 bits had a fixed meaning, however; the most significant bit (MSB) was left to each application to interpret.

For example, LDAP treats SYN_TIME as an unsigned (positive) integer, so a set MSB indicates a date after 2037. iManager treats the MSB as a sign bit, so a set MSB indicates a date before 1970. The result was a disparity between the date range LDAP accepted (1970-2106) and the range iManager accepted (approximately 1903-2037).

To keep eDirectory's tools consistent, the patches listed above changed the server to align iManager's and LDAP's interpretation of the stored value: the MSB is now treated as a sign bit, and dates later than December 31, 2037 23:59:59 are rejected. This change affects RBPM customers who have created, or are creating, delegation or proxy assignments with "no expiration" selected before submitting the request. Assignments already created this way appear to be expired once the patches are applied, and new ones fail to be created.

When "no expiration" is selected, RBPM stores an expiration date of 12/31/2099. Because that date is outside the newly enforced range, a -613 (syntax violation) error is returned on submittal. Proxy and delegation assignments that were created before the patch with the 2099 value have the MSB set, so the server now reads them as a negative offset from 1970, i.e. a date in 1963, which expires the assignment.
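The following is an added worked model of the sign-bit ambiguity described above; it is not code from this TID or from eDirectory, iManager or RBPM. It builds the 32-bit SYN_TIME word for a GeneralizedTime value, shows the unsigned (LDAP) and signed (iManager, and now the patched server) readings of the same word, classifies values against the enforced upper bound of 2037-12-31 23:59:59 UTC, and scans an LDIF dump for values that will flip to "expired". Assumptions: the "no expiration" sentinel is taken as 2099-12-31 00:00:00 UTC (the TID gives only the date), and the sample LDIF and its attribute name are constructed for the example, not RBPM's schema.

```python
"""Model of the SYN_TIME sign-bit ambiguity: unsigned (LDAP) vs signed (iManager).

Added illustration, not eDirectory/RBPM code. Assumptions: "no expiration" is
modelled as 2099-12-31 00:00:00Z; the LDIF sample and 'endTime' attribute are
constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Upper bound the patches enforce, per the CONSTRAINT_VIOLATION symptom in the TID.
PATCH_MAX = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
MASK32 = (1 << 32) - 1
SIGN_BIT = 1 << 31
# RBPM's "no expiration" value per the TID; the time of day is an assumption.
NO_EXPIRATION = "20991231000000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form (the only form handled here)."""
    if not re.fullmatch(r"\d{14}Z", value):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def syn_time_word(dt: datetime) -> int:
    """The 32-bit word eDirectory stores: unsigned seconds since 1970-01-01 UTC."""
    secs = int((dt - EPOCH).total_seconds())
    if not 0 <= secs <= MASK32:
        raise ValueError("outside the 32-bit unsigned range 1970..2106")
    return secs


def read_unsigned(word: int) -> datetime:
    """Pre-patch LDAP reading: the MSB simply extends the range past January 2038."""
    return EPOCH + timedelta(seconds=word & MASK32)


def read_signed(word: int) -> datetime:
    """iManager's (and the patched server's) reading: the MSB is a sign bit, so a
    word >= 2**31 becomes a negative offset and lands before 1970."""
    word &= MASK32
    if word & SIGN_BIT:
        word -= 1 << 32
    return EPOCH + timedelta(seconds=word)


def check_expiration(value: str) -> str:
    """Classify a stored expiration as the patched server treats it: 'ok' inside
    the enforced range, otherwise the year an already-stored value now reads as."""
    dt = parse_generalized_time(value)
    if dt <= PATCH_MAX:
        return "ok"
    wrapped = read_signed(syn_time_word(dt))
    return f"rejected (-613 on write); existing value now reads as {wrapped.year}"


GT_LINE = re.compile(r"^([A-Za-z][\w-]*): (\d{14}Z)$")


def scan_ldif(text: str) -> list:
    """Return (dn, attribute, value) for every GeneralizedTime attribute in an
    LDIF dump that is above PATCH_MAX, i.e. assignments that will flip to expired."""
    hits, dn = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            continue
        m = GT_LINE.match(line)
        if m and parse_generalized_time(m.group(2)) > PATCH_MAX:
            hits.append((dn, m.group(1), m.group(2)))
    return hits


# Constructed sample; 'endTime' is a placeholder attribute name, not RBPM's schema.
SAMPLE_LDIF = """dn: cn=assignment1,cn=DelegateeDefs,cn=AppConfig,o=example
endTime: 20991231000000Z

dn: cn=assignment2,cn=DelegateeDefs,cn=AppConfig,o=example
endTime: 20150630120000Z
"""

if __name__ == "__main__":
    word = syn_time_word(parse_generalized_time(NO_EXPIRATION))
    print(f"stored word {word} (0x{word:08x}), MSB set: {bool(word & SIGN_BIT)}")
    print("unsigned reading:", read_unsigned(word).date())
    print("signed reading:  ", read_signed(word).date())
    print("check:", check_expiration(NO_EXPIRATION))
    for hit in scan_ldif(SAMPLE_LDIF):
        print("out of range:", hit)
```

Running the script shows the same word read as 2099-12-31 under the unsigned view and as a date in November 1963 under the signed view, which is exactly why the pre-patch "no expiration" assignments now appear expired. The LDIF scan is the check a practitioner would run over an export of the DelegateeDefs/ProxyDefs containers before applying the patch, to know which assignments will be affected.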
 
For the standalone eDirectory versions 8.8 SP5 and 8.8 SP6 a hotfix is available on the download.novell.com site. Otherwise, the latest eDirectory versions can be found at https://dl.netiq.com.

The following fixes apply:
eDirectory 8.8 SP6 Patch 4 Hotfix 1 for All Platforms
eDirectory 8.8 SP5 Patch 6 Hotfix 1 for All Platforms

Additional Information

The Roles Based Provisioning Module server.log shows the following (the -613 is the same syntax violation seen in DSTrace):

11:35:13,799 ERROR [VirtualDataAccess] Ldap error creating object:
cn=055ddf4723a341c787d72d759f33dba6,cn=DelegateeDefs,cn=AppConfig,cn=UserApplication,cn=Driverset,ou=Services,o=NTS.
Error: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code
19 - NDS error: syntax violation (-613)]; remaining name
'cn=055ddf4723a341c787d72d759f33dba6,cn=DelegateeDefs,cn=AppConfig,cn=UserApplication,cn=Driverset,ou=Services,o=NTS