How to sync Password Expiration Time attribute to another Tree in Identity Manager

  • 7017524
  • 21-Apr-2016
  • 21-Apr-2016

Environment

NetIQ Identity Manager 4.5
NetIQ Identity Manager Driver - Bi-directional driver for eDirectory

Situation

How to sync Password Expiration time with the Bi-directional eDirectory Driver.

Currently, when a new user is added, setting the password in the target tree resets that user's Password Expiration Time, so the value synchronized from the source system is overwritten.

Resolution

The following rule syncs the value again after the fact. It fires on the add-association operation, which arrives as a secondary event after the user and the password have already been set in the target tree; it happens at the same time the association is created for the user, so the value it writes is not clobbered by the password set.

The rule also captures the CN into a variable (varCN, which the write below does not use) because the attribute name is not in the LDAP namespace: the destination lookups use eDirectory names (class User, attribute Password Expiration Time) while the write to the source uses the LDAP name passwordExpirationTime on inetOrgPerson. That is also why the rule can be placed in the Input Transformation policy if desired. The variable names may be changed as desired. Note that the rule writes unconditionally: if the user in the Identity Vault has no Password Expiration Time, varPET is empty and the write is still attempted, so add a condition on the variable if that case can occur in your environment.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.2.dtd">
<policy>
  <rule>
    <description>Write Password sync timeout</description>
    <conditions>
      <and>
        <!-- Fires on the add-association returned after the user and password have been created -->
        <if-operation op="equal">add-association</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Read the final value from the destination-side user (eDirectory attribute names) -->
      <do-set-local-variable name="varPET" scope="policy">
        <arg-string>
          <token-dest-attr class-name="User" name="Password Expiration Time"/>
        </arg-string>
      </do-set-local-variable>
      <!-- Captured for reference only; not used by the write below -->
      <do-set-local-variable name="varCN" scope="policy">
        <arg-string>
          <token-dest-attr class-name="User" name="CN"/>
        </arg-string>
      </do-set-local-variable>
      <!-- Re-write the value to the source-side object (LDAP attribute name), addressed by the new association -->
      <do-set-src-attr-value class-name="inetOrgPerson" name="passwordExpirationTime">
        <arg-association>
          <token-association/>
        </arg-association>
        <arg-value type="time">
          <token-local-variable name="varPET"/>
        </arg-value>
      </do-set-src-attr-value>
    </actions>
  </rule>
</policy>
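To confirm the rule did its job, the check below compares the two values after the add-association has been processed. This is an added example, not code from this KB article or from the driver. It assumes the vault value is handled as eDirectory Time syntax (integer seconds since the Unix epoch, UTC, the form the engine shows for time values in XDS documents), that the connected tree value is read over LDAP as GeneralizedTime such as "20160621120000Z", and the XDS fragment, DN, association value and timestamps are all constructed for illustration.

```python
"""Post-sync check: confirm that passwordExpirationTime in the connected eDirectory
tree matches Password Expiration Time in the Identity Vault.

Added example; not code from the KB article or from the driver. Assumptions:
  - the vault value is eDirectory Time syntax: integer seconds since the Unix epoch (UTC)
  - the connected tree value is read over LDAP as GeneralizedTime, e.g. "20160621120000Z"
  - the XDS fragment below is constructed to resemble the add-association response the
    rule's condition matches on; the DN and association value are placeholders
"""
from datetime import datetime, timezone
from typing import Optional
import xml.etree.ElementTree as ET

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed sample of the document the rule fires on (not a real capture).
SAMPLE_ADD_ASSOCIATION = r"""<nds dtdversion="4.0">
  <output>
    <add-association dest-dn="data\users\jdoe" event-id="0">PLACEHOLDER-ASSOCIATION</add-association>
    <status level="success" event-id="0"/>
  </output>
</nds>"""


def parse_add_association(xds: str) -> dict:
    """Pull dest-dn and the association value out of an add-association response."""
    elem = ET.fromstring(xds).find(".//add-association")
    if elem is None:
        raise ValueError("no add-association element in document")
    return {"dest_dn": elem.get("dest-dn"), "association": (elem.text or "").strip()}


def edir_time_to_generalized(seconds: int) -> str:
    """eDirectory Time (epoch seconds, UTC) -> LDAP GeneralizedTime."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime(GENERALIZED_TIME)


def generalized_to_edir_time(value: str) -> int:
    """LDAP GeneralizedTime (UTC, whole seconds) -> eDirectory Time (epoch seconds)."""
    dt = datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def check_sync(vault_pet: Optional[str], tree_pet: Optional[str], tolerance_s: int = 0) -> dict:
    """Compare the vault's Password Expiration Time with the connected tree's
    passwordExpirationTime and return a verdict.

    vault_pet: value read from the vault (epoch seconds as a string) or None if unset
    tree_pet:  value read from the connected tree (GeneralizedTime) or None if unset
    """
    if vault_pet is None:
        # token-dest-attr yields an empty varPET here; the rule would still attempt the write.
        return {"ok": False, "reason": "vault user has no Password Expiration Time"}
    if tree_pet is None:
        return {"ok": False, "reason": "connected tree has no passwordExpirationTime"}
    vault_s = int(vault_pet)
    tree_s = generalized_to_edir_time(tree_pet)
    delta = tree_s - vault_s
    result = {
        "ok": abs(delta) <= tolerance_s,
        "delta_seconds": delta,
        "vault": edir_time_to_generalized(vault_s),
        "tree": tree_pet,
    }
    if not result["ok"]:
        result["reason"] = "values differ; the synced value was overwritten or the rule did not run"
    return result


if __name__ == "__main__":
    event = parse_add_association(SAMPLE_ADD_ASSOCIATION)
    print("rule would fire for", event["dest_dn"], "association", event["association"])
    # Constructed values: the vault says 2016-06-21 12:00:00 UTC. In the first case the
    # tree agrees; in the second it still shows a later date computed by the password set.
    print(check_sync("1466510400", "20160621120000Z"))
    print(check_sync("1466510400", "20160720120000Z"))
```

If you read the vault value over LDAP instead of from a driver trace, it is also presented as GeneralizedTime; run it through generalized_to_edir_time first and pass the result as a string. A non-zero tolerance_s is only needed if the two trees are not time-synchronized.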