Monitor pwdAccountLockedTime in OpenDJ

This topic has 4 replies, 2 voices, and was last updated 6 years, 1 month ago by Brad Tumy.

  • Author
  • #4840
     Brad Tumy

    I have a mapping configured to provision users from OpenIDM –> OpenDJ. I don’t want any data pulled back into OpenIDM with the exception of the operational attribute pwdAccountLockedTime. If a user’s account is locked by OpenAM I want OpenIDM to be able to synchronize the account status with other systems.

    I have added pwdAccountLockedTime to the OpenDJ connector:

     "pwdAccountLockedTime" : {
                        "type" : "string",
                        "nativeName" : "pwdAccountLockedTime",
                        "nativeType" : "string"

    I have enabled LiveSync on the mapping so that OpenIDM can watch OpenDJ’s changelogs.

    Unfortunately, OpenIDM is not updating it’s repository when a user is locked by OpenDJ.

    I am suspecting that it’s because I don’t have that attribute in the sync.json file … seems obvious, but I am unsure how to handle that particular attribute as I do not want OpenIDM to update OpenDJ with a value for that attribute. Do I need to create a separate mapping for OpenDJ –> OpenIDM and just include the pwdAccountLockedTime attribute?

     Brad Tumy

    On further inspection … this is getting updated correctly when the user locks their account and the attribute is set … but OpenIDM doesn’t pick up the change when the password is reset and the pwdAccountLockedTime attribute is cleared.

     Mark Offutt

    Hi Brad,

    You will need to add pwdAccountLockedTime to the “attributesToSynchronize” in your provisioner because it is an ldap operational attribute:

    ` “attributesToSynchronize” : [

    Also, it also must be added to sync.json.



     Mark Offutt

    Yes, you need to have the mapping OpenDJ to OpenIDM in sync.json with the attribute specified.

    Also, there is issue with LiveSyncing operational attributes from DJ, OPENICF-420, but it does not apply to using the changelog strategy. If that is what you are using then you are good to go. Otherwise, you will need a patch.

     Brad Tumy

    Thanks for the reply Mark. I already have the attribute listed in the attributesToSynchronize directive. What is strange is that I am only seeing the attribute update when it is set with a value (user is locked). When the user is unlocked and the attribute is nulled out, OpenIDM isn’t picking up the change … even though I can see the event get added in OpenDJ’s changelog.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?