How to sync Password Expiration Time attribute to another Tree in Identity Manager

  • 7017524
  • 21-Apr-2016
  • 21-Apr-2016


NetIQ Identity Manager 4.5
NetIQ Identity Manager Driver - Bi-directional driver for eDirectory


How to sync Password Expiration time with the Bi-directional eDirectory Driver.

Currently on a new user add, the setting of the password will override the setting of the password expiration time from the source system.


The following rule can sync the value. It comes in as a secondary event after the user and password are already set. It happens at the same time as the association creation for the user.

The reason for adding the CN is because the attr name is not in the LDAP namespace. Also, this rule can then be placed in the input transformation policy if desired. The variable names may be changed as desired.

< <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer\plugins\com.novell.idm.policybuilder_4.0.0.201601220536\DTD\dirxmlscript4.5.2.dtd"><policy>
<description>Write Password sync timeout</description>
<if-operation op="equal">add-association</if-operation>
<do-set-local-variable name="varPET" scope="policy">
<token-dest-attr class-name="User" name="Password Expiration Time"/>
<do-set-local-variable name="varCN" scope="policy">
<token-dest-attr class-name="User" name="CN"/>
<do-set-src-attr-value class-name="inetOrgPerson" name="passwordExpirationTime">
<arg-value type="time">
<token-local-variable name="varPET"/>