The weak synch process for ADS lowers the eTADSaccountExpires attribute


Article ID: 76855


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On


In a sync process (regardless of weak / strong) if the eTADSaccountExpires account attribute value is an expiry date (a value <> 0 and <> 9223372036854775807) and 
the account template comes as "Never Expires" (eTADSaccountExpires=0) then the sync query will request to change the account value to "Never Expires" (eTADSaccountExpires=0).
And Client does not want this change. The reason why the Client does not want this update is because their ADS proxy ID has not enough rights to perform this operation.
They just want the sync process to perform the group membership assignments.



Usually with weak synchronization, capabilities are never lowered. 
This is an exception with eTADSaccountExpires, (hence it is coded into the ADS server slapd plug-in) - since eTADSaccountExpires=0 means "Never Expires" it is stronger than any expiry date values and so the usual slapd behavior is changed into the ADS server slapd plug-in. 


Component: IDMGR


This is a workaround.
Open a LDAP browser (e.g. JXplorer) against the etadb. 
(Port: "20391" - Base DN: "dc=etadb" - User DN: "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" - DSA password) 
Go to your ADS template branch: 
eTADSPolicyName=<YourADSTemplate>,eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=etadb 
Unset the eTADSaccountExpires attribute value, so that there is no value for this attribute. 
Trigger again a sync process with this weak sync template to change the groups membership. 
No try to update the eTADSaccountExpires is done.
Also if this template is used to create new accounts, they will be created as never expires.