Use ADS_SYNC_BYPASS to avoid eTADSaccountExpires sync

Article ID: 76855

Products

CA Identity Manager CA Identity Portal

Issue/Introduction

In a sync process (weak or strong), if the account's eTADSaccountExpires attribute holds an expiry date (any value other than 0 and 9223372036854775807, the two values Active Directory itself treats as "Never Expires") and
the account template says "Never Expires" (eTADSaccountExpires=0), then the sync requests that the account be changed to "Never Expires" (eTADSaccountExpires=0).
The client does not want this change, because the ADS proxy ID used by the connector does not have enough rights in Active Directory to perform that operation.
They only want the sync process to perform the group membership assignments.

Cause

With weak synchronization, an account's capabilities are normally never lowered: the sync only adds what the template grants.
eTADSaccountExpires is the exception, and the exception is coded into the ADS server slapd plug-in: because eTADSaccountExpires=0 means "Never Expires", it is treated as a stronger capability than any expiry date. Replacing a date with 0 therefore counts as raising the account's capability, so the plug-in requests the change even in a weak sync, which is why the usual slapd behavior is overridden for this attribute.

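As an added illustration (not part of the original article), the rule above expressed as a small POSIX shell check: it classifies an accountExpires value the way the sync logic treats it and flags the account/template combination that triggers the unwanted update. It assumes eTADSaccountExpires carries the raw Active Directory accountExpires integer (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC), which is consistent with the two sentinel values quoted above but is not stated by the article; the sample values are constructed.

```shell
#!/bin/sh
# Added example. Classify an accountExpires / eTADSaccountExpires value the
# way the sync logic in the article treats it: 0 and 9223372036854775807
# both mean "Never Expires"; anything else is a Windows FILETIME (100-ns
# ticks since 1601-01-01 UTC), i.e. a real expiry date that a weak sync from
# a "Never Expires" template would replace with 0.
# Assumption (not stated by the article): eTADSaccountExpires carries the
# raw Active Directory integer.

NEVER_EXPIRES_ZERO=0
NEVER_EXPIRES_MAX=9223372036854775807
FILETIME_EPOCH_OFFSET=11644473600   # seconds from 1601-01-01 to 1970-01-01

# filetime_to_epoch TICKS -> Unix epoch seconds (integer, UTC)
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# account_expires_state VALUE -> never | expires | invalid
account_expires_state() {
    case "$1" in
        "$NEVER_EXPIRES_ZERO"|"$NEVER_EXPIRES_MAX") echo never ;;
        ''|*[!0-9]*) echo invalid ;;
        *) echo expires ;;
    esac
}

# sync_would_touch_expiry ACCOUNT_VALUE TEMPLATE_VALUE
# Succeeds (exit 0) when a sync from a "Never Expires" template would
# overwrite a real expiry date on the account: the update the client in
# the article wants to avoid.
sync_would_touch_expiry() {
    [ "$(account_expires_state "$1")" = expires ] &&
    [ "$(account_expires_state "$2")" = never ]
}

# Demo with constructed values: an account expiring 2024-01-01T00:00:00Z
# (FILETIME 133485408000000000) synced from a "Never Expires" template.
demo() {
    acct=133485408000000000
    tmpl=0
    printf 'account=%s (%s, epoch %s) template=%s (%s): ' \
        "$acct" "$(account_expires_state "$acct")" "$(filetime_to_epoch "$acct")" \
        "$tmpl" "$(account_expires_state "$tmpl")"
    if sync_would_touch_expiry "$acct" "$tmpl"; then
        echo "sync would set the account to Never Expires -> bypass needed"
    else
        echo "sync leaves eTADSaccountExpires alone"
    fi
}

demo
```

Run it before deciding on a bypass: feed the eTADSaccountExpires values of the affected accounts and the template value through account_expires_state to confirm that the accounts really carry dates and the template really carries 0, since a template holding 9223372036854775807 would also read as "never" here.
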
Environment

Release: 14.x
Component: IDMGR

Resolution

There are two options to bypass the sync of eTADSaccountExpires:

First option: the ADS_SYNC_BYPASS environment variable
ADS_SYNC_BYPASS must be set on both the C++ Connector Server (CCS) service and the Provisioning Server (IMPS).

If the Provisioning Server runs on Linux, set the variable in the profile of the user ID that starts the Provisioning Server.

On the virtual appliance (vApp), for example, you would do the following:

1. Log into the vApp as the config user
2. su - imps
3. vi /etc/.profile_imps
4. Add the line export ADS_SYNC_BYPASS="AttributeName1;AttributeName2;" (for this issue: export ADS_SYNC_BYPASS="eTADSaccountExpires;"). Quote the value: unquoted, the shell treats each ";" as a command separator, so only the first attribute name would be exported.
5. Exit the imps shell (exit)
6. stop_ps
7. start_ps

On the external Windows C++ Connector Server you would do the following:
1. Open the computer's Advanced system settings and go to Environment Variables
2. Add the System environment variable ADS_SYNC_BYPASS with the value eTADSaccountExpires;
3. Stop the JCS and CCS services
4. Start the JCS and CCS services

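The Linux steps above as a script (added here; it is not from the article or the product): it writes the export line into a profile file idempotently, with the value quoted, and reads it back so the setting can be verified before stop_ps/start_ps. The profile path is a parameter so it can be tried on a scratch file first; on the vApp it is /etc/.profile_imps as the article says. The helper names and the --demo switch are this example's own. On case: LDAP attribute names are case-insensitive, but whether the plug-in compares ADS_SYNC_BYPASS entries case-insensitively is not documented here, so the schema spelling eTADSaccountExpires is used.

```shell
#!/bin/sh
# Added example: manage the ADS_SYNC_BYPASS export in the Provisioning
# Server user's profile (step 4 above) without hand-editing the file.
# Value format follows the article: attribute names separated by ';' with
# a trailing ';'.  The value is written quoted, because an unquoted
#   export ADS_SYNC_BYPASS=AttributeName1;AttributeName2;
# exports only AttributeName1 and then tries to run AttributeName2 as a command.

# build_bypass_value ATTR... -> "ATTR1;ATTR2;"
build_bypass_value() {
    v=
    for a in "$@"; do v="$v$a;"; done
    printf '%s\n' "$v"
}

# set_ads_sync_bypass PROFILE ATTR...
# Replaces any existing ADS_SYNC_BYPASS export line, otherwise appends one,
# so running it twice does not leave two definitions in the profile.
set_ads_sync_bypass() {
    profile=$1; shift
    value=$(build_bypass_value "$@")
    line="export ADS_SYNC_BYPASS=\"$value\""
    [ -f "$profile" ] || : > "$profile"
    grep -v '^export ADS_SYNC_BYPASS=' "$profile" > "$profile.tmp" || true
    printf '%s\n' "$line" >> "$profile.tmp"
    mv "$profile.tmp" "$profile"
}

# get_ads_sync_bypass PROFILE -> value the profile exports (empty if unset).
# The profile is sourced in a subshell so nothing leaks into the caller;
# on a real vApp profile this also runs whatever else the profile does.
get_ads_sync_bypass() {
    case $1 in */*) f=$1 ;; *) f=./$1 ;; esac
    ( unset ADS_SYNC_BYPASS; . "$f" >/dev/null 2>&1; printf '%s\n' "${ADS_SYNC_BYPASS:-}" )
}

# bypasses_attr PROFILE ATTR -> exit 0 if ATTR is listed (compared
# case-insensitively, as LDAP attribute names are)
bypasses_attr() {
    get_ads_sync_bypass "$1" | tr ';' '\n' | grep -qix "$2"
}

# Usage on the vApp (as imps, then stop_ps / start_ps as the article says):
#   set_ads_sync_bypass /etc/.profile_imps eTADSaccountExpires
#   get_ads_sync_bypass /etc/.profile_imps
# Offline demo on a scratch file:  sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    set_ads_sync_bypass "$f" eTADSaccountExpires
    printf 'profile line: '; grep '^export ADS_SYNC_BYPASS=' "$f"
    printf 'exported value: %s\n' "$(get_ads_sync_bypass "$f")"
    rm -f "$f"
fi
```

After the restart, check the running process rather than the file: the variable only takes effect if the Provisioning Server was started from a shell that sourced the profile, so a start from a service wrapper that skips the profile will silently leave the bypass off.
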
Second option: manually adjust the account template
Open an LDAP browser (e.g. JXplorer) against the etadb.
(Port: "20391" - Base DN: "dc=etadb" - User DN: "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" - password: the DSA password)
Go to your ADS template entry:
eTADSPolicyName=<YourADSTemplate>,eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=etadb
Remove the eTADSaccountExpires attribute value entirely, so that the template carries no value for this attribute. Do not set it to 0: 0 is the "Never Expires" value the sync is already trying to push.
Trigger the weak sync with this template again to update the group memberships.
No attempt to update eTADSaccountExpires is made. Note that if this template is also used to create new accounts, they will be created as never expiring.

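The same change done with the OpenLDAP command-line tools instead of JXplorer, as an added example that is not from the article: the DN, port and bind DN are the ones listed above; the host, the template name and the helper and variable names (ETADB_HOST, ETADB_PASS_FILE, template_dn, unset_expires_ldif, ...) are this example's placeholders. The modify operation deletes the attribute outright rather than setting it to 0.

```shell
#!/bin/sh
# Added example: option 2 with OpenLDAP ldapsearch/ldapmodify.
# Connection details are the ones the article lists; ETADB_HOST and the
# template name are placeholders.  The DSA password is read from a file
# (ldap tools' -y option) so it appears neither in shell history nor in
# the process list.

ETADB_HOST=${ETADB_HOST:-localhost}   # assumption: the Provisioning Server host
ETADB_PORT=20391
ETADB_BIND_DN='eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb'
ETADB_PASS_FILE=${ETADB_PASS_FILE:-}   # file containing the DSA password

# template_dn TEMPLATE_NAME -> DN of the ADS account template, per the article
template_dn() {
    printf '%s\n' "eTADSPolicyName=$1,eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=etadb"
}

# unset_expires_ldif TEMPLATE_NAME -> LDIF that removes eTADSaccountExpires.
# A 'delete' with no values drops the attribute entirely, which is what
# "no value for this attribute" means.  Writing 0 instead would not help:
# that is the "Never Expires" value the sync already tries to push.
unset_expires_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: eTADSaccountExpires\n-\n' "$(template_dn "$1")"
}

# show_template TEMPLATE_NAME: read back eTADSaccountExpires (before/after)
show_template() {
    ldapsearch -LLL -x -H "ldap://$ETADB_HOST:$ETADB_PORT" \
        -D "$ETADB_BIND_DN" -y "$ETADB_PASS_FILE" \
        -b "$(template_dn "$1")" -s base '(objectClass=*)' eTADSaccountExpires
}

# apply_unset TEMPLATE_NAME: send the modification to the etadb
apply_unset() {
    unset_expires_ldif "$1" | ldapmodify -x -H "ldap://$ETADB_HOST:$ETADB_PORT" \
        -D "$ETADB_BIND_DN" -y "$ETADB_PASS_FILE"
}

# Only talk to the server when explicitly asked, e.g.
#   ETADB_HOST=imps.example.com ETADB_PASS_FILE=/root/.dsa sh this.sh --apply MyADSTemplate
# Without --apply the script just defines the helpers (and unset_expires_ldif
# can be used to preview the LDIF:  unset_expires_ldif MyADSTemplate).
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    : "${ETADB_PASS_FILE:?set ETADB_PASS_FILE to a file holding the DSA password}"
    show_template "$2"
    apply_unset "$2"
    show_template "$2"
fi
```

The before/after ldapsearch is the check worth keeping: the second one should show the template entry with no eTADSaccountExpires line at all. If it still shows a value, the delete was rejected (for example because the bind DN lacks write access to the policy container) and a weak sync with this template will go on requesting the "Never Expires" update.
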
Additional Information

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MessageKey=644c2991-2eb7-4341-b211-28ecccd8668e#bm4c1adf2a-6a24-4be9-8d2e-91c27a38ba26