The weak sync process for ADS lowers the eTADSaccountExpires attribute

Document ID : KB000076855
Last Modified Date : 10/04/2018
Issue:
In a sync process (regardless of weak / strong), if the eTADSaccountExpires attribute of the account holds an expiry date (a value other than 0 and other than 9223372036854775807) and
the account template is set to "Never Expires" (eTADSaccountExpires=0), then the sync query requests a change of the account value to "Never Expires" (eTADSaccountExpires=0).
The client does not want this change, because their ADS proxy ID does not have enough rights to perform this operation.
They only want the sync process to perform the group membership assignments.

Cause:
Usually, weak synchronization never lowers capabilities.
eTADSaccountExpires is an exception, and it is coded into the ADS server slapd plug-in: because eTADSaccountExpires=0 means "Never Expires", it is stronger than any expiry date value, so the usual slapd behavior is overridden in the ADS server slapd plug-in.
Resolution:
This is a workaround.
Open an LDAP browser (e.g. JXplorer) against the etadb.
(Port: "20391" - Base DN: "dc=etadb" - User DN: "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" - Password: the DSA password)
Go to your ADS template branch:
eTADSPolicyName=<YourADSTemplate>,eTADSPolicyContainerName=Active Directory Policies,eTNamespaceName=CommonObjects,dc=im,dc=etadb
Unset the eTADSaccountExpires attribute, so that the attribute has no value at all.
Trigger the sync process again with this weak sync template to change the group memberships.
No attempt to update eTADSaccountExpires is made.
Note that if this template is also used to create new accounts, those accounts will be created as "Never Expires".
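The rule from the Cause section and the effect of the workaround, modelled as a small added example (constructed for this article, not CA/Broadcom product code): weak sync never lowers a capability, but for eTADSaccountExpires the values 0 and 9223372036854775807 both mean "Never Expires" and rank above every expiry date, and an unset template attribute (None) is never pushed to the account. The ranking of one expiry date above an earlier one, the function names and the LDIF helper are assumptions; the template DN is the one from the Resolution.

```python
"""Model of the weak-sync decision for eTADSaccountExpires (constructed example)."""

# Both values mean "Never Expires" in Active Directory (see the Issue section).
NEVER_EXPIRES_VALUES = {0, 9223372036854775807}

TEMPLATE_DN = ("eTADSPolicyName={name},eTADSPolicyContainerName=Active Directory Policies,"
               "eTNamespaceName=CommonObjects,dc=im,dc=etadb")


def expires_strength(value):
    """Rank an eTADSaccountExpires value as a capability.

    "Never Expires" is stronger than any expiry date; among dates a later
    FILETIME (longer validity) is assumed to be the stronger one.
    """
    if value in NEVER_EXPIRES_VALUES:
        return float("inf")
    return value


def weak_sync_update(template_value, account_value):
    """Return the value the weak sync would push to the account, or None for no change.

    Weak sync never lowers a capability, so the account keeps its value when the
    template is weaker or equal.  The eTADSaccountExpires exception is only that
    0 ranks as the strongest value, which is why a "Never Expires" template
    forces an update on an account that has an expiry date.
    An unset template attribute (None) is not synchronised at all: the workaround.
    """
    if template_value is None:
        return None
    if expires_strength(template_value) > expires_strength(account_value):
        return template_value
    return None


def workaround_ldif(template_name):
    """LDIF that removes eTADSaccountExpires from the ADS template (hypothetical helper).

    Equivalent to unsetting the attribute in the LDAP browser, for use with an
    LDIF-capable client against the etadb.
    """
    return "\n".join([
        "dn: " + TEMPLATE_DN.format(name=template_name),
        "changetype: modify",
        "delete: eTADSaccountExpires",
        "-",
        "",
    ])
```
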