[midPoint] Lock account using pwdAccountLockedTime on OpenLDAP
Jeria, Esteban
esteban.jeria at cgi.com
Thu Apr 25 20:03:47 CEST 2019
Hi,
I'm trying to configure a simulated capability to manage the status for an account on OpenLDAP using the attribute pwdAccountLockedTime.
Normally, a value "000001010000Z" means that the account is permanently locked and the absence of that attribute means the account is normal.
<cap:activation>
    <cap:status>
        <cap:attribute>ri:pwdAccountLockedTime</cap:attribute>
        <cap:enableValue/>
        <cap:disableValue>000001010000Z</cap:disableValue>
    </cap:status>
</cap:activation>
However, midPoint seems to reject these values.
When I enable a user, the attribute should be removed, but I get this error:
For input string: "": For input string: "": For input string: "": For input string: ""
And when I disable a user, I get this error:
For input string: "000001010000Z": For input string: "000001010000Z": For input string: "000001010000Z": For input string: "000001010000Z"
I do not know if it is relevant, but according to the LDAP schema, the value must be of type "GeneralizedTime", whereas midPoint handles it as a "long" and seems to interpret the entered value as a string because of the character "Z".
Any other numeric value (without "Z") is accepted and is converted to a date on OpenLDAP side.
Esteban Jeria
esteban.jeria at cgi.com
Conseiller CGI / CGI Consultant
Sécurité - Gestion des Identités et des Accès / Security - Identity and Access Management
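The following is an added example, not code from the post or from midPoint, showing the mapping the simulated capability above is trying to express: absence of pwdAccountLockedTime means enabled, the ppolicy sentinel "000001010000Z" means permanently locked, and any other value is a real GeneralizedTime from which a timed lock expires after pwdLockoutDuration (0 meaning locked until an administrator clears it). It also shows why a "long" typed attribute rejects both "" and the sentinel, which is the failure reported. The function and parameter names are hypothetical, and the sample values are constructed.

```python
"""Interpret OpenLDAP pwdAccountLockedTime for an enable/disable status mapping."""
import re
from datetime import datetime, timedelta, timezone

# Sentinel the OpenLDAP ppolicy overlay writes for a permanent lock.
PERMANENT_LOCK = "000001010000Z"

# LDAP GeneralizedTime in UTC form (RFC 4517): YYYYMMDDHHMM[SS][.fraction]Z
_GT = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(?:[.,]\d+)?Z$")


def parses_as_long(value):
    """True if the value is a plain integer, which is all a 'long' typed attribute accepts.
    Mirrors the failure in the post: both '' and '000001010000Z' are rejected."""
    try:
        int(value)
        return True
    except ValueError:
        return False


def parse_generalized_time(value):
    """Return an aware UTC datetime for a GeneralizedTime value.
    Year 0000 (the permanent-lock sentinel) is not a real instant, so it raises."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"not a UTC GeneralizedTime: {value!r}")
    year, month, day, hour, minute, second = (int(g) if g else 0 for g in m.groups())
    if year == 0:
        raise ValueError("year 0000 is the ppolicy permanent-lock sentinel, not a timestamp")
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def account_status(locked_time, lockout_duration_seconds=0, now=None):
    """Map pwdAccountLockedTime (None when the attribute is absent) to 'enabled' or 'disabled'.
    lockout_duration_seconds models pwdLockoutDuration: 0 means locked until an admin clears it."""
    if locked_time is None:
        return "enabled"
    if locked_time == PERMANENT_LOCK:
        return "disabled"
    locked_at = parse_generalized_time(locked_time)
    if lockout_duration_seconds == 0:
        return "disabled"
    now = now or datetime.now(timezone.utc)
    unlock_at = locked_at + timedelta(seconds=lockout_duration_seconds)
    return "enabled" if now >= unlock_at else "disabled"


def disable_value_for(status):
    """Value to write for a requested status: the sentinel to disable,
    None (remove the attribute) to enable. Neither is a 'long'."""
    return PERMANENT_LOCK if status == "disabled" else None


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for v in (None, PERMANENT_LOCK, "20190425180000Z"):
        print(repr(v), "long?", parses_as_long(v or ""), "status:", account_status(v, 600))
```

The point for the connector configuration is that neither value the capability needs to write is numeric, so the attribute has to be handled as a string (or as a proper GeneralizedTime), not as a long; a timed lock such as the one modelled by lockout_duration_seconds only matters when the directory itself sets the attribute after failed logins.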