eDir <-> AD lastLogon HELP!

eDir <-> AD lastLogon HELP!
Mon, 12 May 2008 06:36:01 GMT
Hi guys,

I have a problem.

I'm wanting to sync the AD attribute lastlogontimestamp back to eDir
(because I've read the "lastlogon" attribute is only updated on the DC
you log into.)

lastlogontimestamp is documented only to update every 14 days but
apparently I can change the value of msDS-LogonTimeSyncInterval to fix
this.

The problem is the time.
I'm guessing this won't work because of the time differences between eDir
and AD. Attributes like accountExpires seem to have code built into the
driver to handle this time conversion.

Is there any way we can convert this attribute so we can see which
accounts are TRULY inactive by reporting on our eDir Tree?

Has anyone else tried to do this?

We're using DirXML 2.0.1

Any help would be great!

cheers,

Jim


-- 
forrrestj
------------------------------------------------------------------------
forrrestj's Profile: http://forums.novell.com/member.php?userid=10698
View this thread: http://forums.novell.com/showthread.php?t=327477
Re: eDir <-> AD lastLogon HELP!
Mon, 12 May 2008 13:40:38 GMT
Timestamps, as long as they all use the same method as the ones that do
synchronize, can all be converted.  As I recall MAD uses the number of
hundreds-of-nanoseconds since 1601 or something random like that vs.
what the rest of the computing world uses (number of seconds since the
Unix Epoch (1970-01-01)).  There is a time conversion function that
ships with IDM that you can use for anything matching this format.  The
function(s) you are looking for are, I believe, in the Input/Output
Transformation policysets on the default MAD driver.

Good luck.





forrrestj wrote:
| Hi guys,
|
| I have a problem.
|
| I'm wanting to sync the AD attribute lastlogontimestamp back to eDir
| (because I've read the "lastlogon" attribute is only updated on the DC
| you log into.)
|
| lastlogontimestamp is documented only to update every 14 days but
| apparently I can change the value of msDS-LogonTimeSyncInterval to fix
| this.
|
| The problem is the time.
| I'm guessing this won't work because of the time differences between eDir
| and AD. Attributes like accountExpires seem to have code built into the
| driver to handle this time conversion.
|
| Is there any way we can convert this attribute so we can see which
| accounts are TRULY inactive by reporting on our eDir Tree?
|
| Has anyone else tried to do this?
|
| We're using DirXML 2.0.1
|
| Any help would be great!
|
| cheers,
|
| Jim
|
|
Re: eDir <-> AD lastLogon HELP!
Tue, 13 May 2008 00:06:01 GMT
Thanks,

OK, so here's the policy. Do I just need to add lastlogontimestamp to the
node set and this will work?

My apologies, I'm not a coder....


<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet exclude-result-prefixes="query cmd dncv exsl madutil"
	version="1.0"
	xmlns:cmd="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsCommandProcessor"
	xmlns:dncv="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.DNConverter"
	xmlns:exsl="http://exslt.org/common"
	xmlns:madutil="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.ad.util.Utilities"
	xmlns:query="http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
	<!-- List of attributes where the filetime conversion policy is to be applied. -->
	<!-- With this policy, AD attributes using the Interval syntax (a 64 bit       -->
	<!-- integer representing time since jan 1, 1601) are converted to the eDir    -->
	<!-- Time syntax (a 32 bit integer representing time since Jan 1, 1970).       -->
	<xsl:variable name="filetime-policy-attributes">
		<attr-name>accountExpires</attr-name>
		<attr-name>lockoutTime</attr-name>
	</xsl:variable>
	<!-- filetime policy attributes as a node set -->
	<xsl:variable name="filetime-policy-list"
		select="exsl:node-set($filetime-policy-attributes)/attr-name/text()"/>
	<!-- apply text conversion policies -->
	<xsl:template match="value">
		<!-- for a value, the attribute name is either on the parent or the parent's parent -->
		<xsl:variable name="attrname"
			select="concat(string(../@attr-name),string(../../@attr-name))"/>
		<xsl:choose>
			<!-- apply userPrincipalName conversion policy -->
			<xsl:when test="$attrname = 'userPrincipalName'">
				<xsl:comment>userPrincipalName conversion policy</xsl:comment>
				<xsl:copy>
					<xsl:apply-templates select="@*"/>
					<xsl:choose>
						<xsl:when test="contains(., '@')">
							<xsl:value-of select="substring-before(., '@')"/>
						</xsl:when>
						<xsl:otherwise>
							<xsl:value-of select="."/>
						</xsl:otherwise>
					</xsl:choose>
				</xsl:copy>
			</xsl:when>
			<xsl:otherwise>
				<!-- copy all values without a policy through -->
				<xsl:copy>
					<xsl:apply-templates select="node()|@*"/>
				</xsl:copy>
			</xsl:otherwise>
		</xsl:choose>
	</xsl:template>
	<!-- identity transformation template -->
	<!-- in the absence of any other templates this will cause -->
	<!-- the stylesheet to copy the input through unchanged to the output -->
	<xsl:template match="node()|@*">
		<xsl:copy>
			<xsl:apply-templates select="@*|node()"/>
		</xsl:copy>
	</xsl:template>
</xsl:stylesheet>


-- 
forrrestj
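
The conversion that the policy comments above describe (an AD Interval value, a 64-bit count since Jan 1, 1601, turned into a 32-bit time since Jan 1, 1970), applied to inactive-account reporting. This is an added example, not part of the thread and not the IDM driver's own conversion function; the function names, the sample accounts and the 90-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000   # AD Interval values count 100 ns ticks
EPOCH_DELTA = 11_644_473_600    # seconds from 1601-01-01 to 1970-01-01 (UTC)
NEVER = 0x7FFFFFFFFFFFFFFF      # AD "never" sentinel (e.g. accountExpires)
INT32_MAX = 2**31 - 1           # upper bound of a signed 32-bit time value


def filetime_to_unix(filetime):
    """Convert an AD Interval value to Unix seconds; None if unset or 'never'."""
    ticks = int(filetime)       # LDAP returns the value as a decimal string
    if ticks <= 0 or ticks == NEVER:
        return None
    seconds = ticks // TICKS_PER_SECOND - EPOCH_DELTA
    if not 0 <= seconds <= INT32_MAX:
        raise ValueError(f"{ticks} does not fit a 32-bit time since 1970")
    return seconds


def classify(last_logon_timestamp, now, inactive_days=90, sync_interval_days=14):
    """Return 'never', 'inactive' or 'active' for one account.

    lastLogonTimestamp may lag the real last logon by up to the sync
    interval, so an account is only reported inactive when the stored
    value is older than inactive_days plus that interval.
    """
    seconds = filetime_to_unix(last_logon_timestamp)
    if seconds is None:
        return "never"
    last_seen = datetime.fromtimestamp(seconds, tz=timezone.utc)
    cutoff = now - timedelta(days=inactive_days + sync_interval_days)
    return "inactive" if last_seen < cutoff else "active"


# Constructed sample data: (account name, lastLogonTimestamp as read from AD).
SAMPLE = [
    ("alice", "128550477610000000"),  # 2008-05-12 06:36:01 UTC
    ("bob", "128400000000000000"),    # 2007-11-20 02:40:00 UTC
    ("carol", "0"),                   # attribute never set
]

if __name__ == "__main__":
    now = datetime(2008, 5, 13, tzinfo=timezone.utc)
    for name, raw in SAMPLE:
        print(name, classify(raw, now))
```

Lowering msDS-LogonTimeSyncInterval in AD means passing the same smaller value as `sync_interval_days`, which narrows the window in which a stale timestamp is still treated as active.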