Setting logonHours to Active Directory in IIQ

Which IIQ version are you inquiring about?

[IIQ 8.4]

Based on some business logic, I would like to set logon hours to 0 (users are not allowed to log on at any day/time) and to allow logon at all times/days in Active Directory for the users.

My question is, does the AD connector support this (logonHours) attribute directly?
If yes, how do you set it? I understand we need to put the value in as binary/bytes.

 import sailpoint.object.ProvisioningPlan;
 import sailpoint.object.ProvisioningPlan.AttributeRequest;

 // logonHours is a 21-byte binary attribute (168 bits, one per hour of the week);
 // 0xFF in every byte means logon is permitted at every hour.
 byte[] logonHours = new byte[21];
 for (int i = 0; i < logonHours.length; i++) {
     logonHours[i] = (byte) 0xFF;
 }
 // accountRequest is the AD AccountRequest already in the provisioning plan
 accountRequest.add(new AttributeRequest("logonHours", ProvisioningPlan.Operation.Add, logonHours));

But this code did not work. Any help on this will be appreciated.

Thanks,
@SivaLankapalli

Yes, the SailPoint connector supports logonHours as long as it's enabled on AD and the service ID has permission to update it.

Thanks for the confirmation.
I see this will accept 21 bytes in AD. Is there a different way of sending the bytes in the request object? If so, could you provide me with a sample? The code I provided does not throw an exception, but it also does not save on the AD target.

Thanks

You can use an After Create native rule and write the PowerShell commands to set logonHours. Sample PowerShell: Setting a users logon hours | Richard Siddaway's Blog. You need to convert this into a SailPoint IdentityIQ native rule.

Thanks, @HemantSingh. I will check and post here.

Thanks,
@SivaLankapalli

Hi @HemantSingh,
Why do we need to create a separate native rule using PowerShell if this attribute is already supported through the Active Directory direct connector? This has just created confusion.

Any thoughts on this?

I tried earlier using the OOTB attribute in the AD connector, but it didn't work. So I used a native rule, a Connector After Create Rule, which triggers a PowerShell script. The PowerShell script sets the logon hours. You can check with the AD team; they can assist you.

I have not used this, but the AD connector supports all AD attributes that are not automatically calculated by AD, so it should support this too.
You can try the Set operation instead of Add and see how it behaves.
Do you see any error while setting logonHours? Or maybe enable the IQService log to see if there's any error.

Otherwise the only way is to use the nativeRule.

Hello everyone, I tested the direct AD connector and found it unsupported. Therefore, I opted for the JNDI approach to set the logonHours in Active Directory. I ensured I got the AD context securely using LDAPS.

import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import java.util.Arrays;

// Inputs this rule fragment expects to be defined already: applicationName (String),
// accountDN (String), isDisableLogon (boolean), responseCode (String), log, and the
// helper getActiveDirectoryConnByApp(), which returns a DirContext bound over LDAPS.
DirContext ctx = null;
    try {
      // Invoke the method to get the AD connection securely (LDAPS) by application name
      ctx = getActiveDirectoryConnByApp(applicationName);
      if (ctx != null) {
        // logonHours is a 21-byte binary attribute: one bit per hour of the week
        byte[] logonHours = new byte[21];
        if (isDisableLogon) {
          // All bits clear: block logon at every hour
          Arrays.fill(logonHours, (byte) 0x00);
        } else {
          // All bits set: unblock all hours / set logonHours to full
          Arrays.fill(logonHours, (byte) 0xFF);
        }
        // REPLACE rather than ADD: logonHours is single-valued, so the whole value is overwritten
        ModificationItem[] modificationItem = new ModificationItem[1];
        modificationItem[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                                   new BasicAttribute("logonHours", logonHours));
        // Apply the modification to the specified account
        ctx.modifyAttributes(accountDN, modificationItem);
        responseCode = "SUCCESS";
      } else {
        log.info("Directory Context is null while updating logonHours with the distinguished name (DN): " + accountDN + ", with isDisableLogon flag set to: " + isDisableLogon + ", for the application: " + applicationName);
        responseCode = "Unable to establish a connection to " + applicationName;
      }
    } catch (Exception e) {
      log.error("An error occurred while updating the logonHours for the account in Active Directory with the distinguished name (DN): " + accountDN + ", with isDisableLogon flag set to: " + isDisableLogon + ", for the application: " + applicationName + " and the error message is --> " + e.getMessage());
      responseCode = e.getMessage();
    } finally {
      // Only close a context that was actually opened; closing a null context would
      // throw and overwrite responseCode with a misleading error.
      if (ctx != null) {
        try {
          ctx.close();
        } catch (Exception e) {
          log.error("An error occurred while closing the connection to Active Directory for the distinguished name (DN): " + accountDN + ", with isDisableLogon flag set to: " + isDisableLogon + ", for the application: " + applicationName + " and the error message is --> " + e.getMessage());
          responseCode = e.getMessage();
        }
      }
    }

Thanks,
@SivaLankapalli
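The thread only ever writes two values, all-zero (never allowed) and all-0xFF (always allowed). The class below is an added example, not code from the thread, from SailPoint or from Microsoft, that builds the 21-byte logonHours value for an arbitrary weekly schedule and decodes a value back into readable hours, so the bytes you write can be checked against what LDAP returns. The bit layout it assumes (bit i = day * 24 + hour with Sunday as day 0, least significant bit of each byte first, hours in UTC) follows the MS-SAMR description of the attribute and should be verified against a test account in your own forest; the class and method names are mine.

```java
import java.util.Arrays;

/**
 * Builds and decodes the Active Directory logonHours value.
 * Assumed layout (MS-SAMR, not stated in the thread): 21 bytes = 168 bits, one per
 * hour of the week; bit i = day * 24 + hour, day 0 = Sunday; the least significant
 * bit of each byte is the earliest hour. Hours are UTC; admin tools show local time.
 */
public final class LogonHoursMask {
    public static final int BYTES = 21;
    public static final int SUNDAY = 0, MONDAY = 1, TUESDAY = 2, WEDNESDAY = 3,
                            THURSDAY = 4, FRIDAY = 5, SATURDAY = 6;

    /** Every bit clear: the account cannot log on at any hour (the "0" case in the question). */
    public static byte[] denyAll() {
        return new byte[BYTES];
    }

    /** Every bit set: logon permitted at all hours on all days. */
    public static byte[] allowAll() {
        byte[] mask = new byte[BYTES];
        Arrays.fill(mask, (byte) 0xFF);
        return mask;
    }

    private static int bitIndex(byte[] mask, int day, int hourUtc) {
        if (mask.length != BYTES) {
            throw new IllegalArgumentException("logonHours must be exactly 21 bytes, got " + mask.length);
        }
        if (day < SUNDAY || day > SATURDAY || hourUtc < 0 || hourUtc > 23) {
            throw new IllegalArgumentException("day must be 0-6 and hour 0-23, got " + day + "/" + hourUtc);
        }
        return day * 24 + hourUtc;
    }

    /** Allow or deny a single hour; the mask is modified in place. */
    public static void setHour(byte[] mask, int day, int hourUtc, boolean allowed) {
        int bit = bitIndex(mask, day, hourUtc);
        int shift = bit % 8;                      // LSB-first within the byte
        if (allowed) {
            mask[bit / 8] |= (1 << shift);
        } else {
            mask[bit / 8] &= ~(1 << shift);
        }
    }

    public static boolean isAllowed(byte[] mask, int day, int hourUtc) {
        int bit = bitIndex(mask, day, hourUtc);
        return ((mask[bit / 8] >> (bit % 8)) & 1) == 1;
    }

    /** Deny everything except [startHourUtc, endHourUtc) on the listed days, e.g. Mon-Fri 08:00-17:59. */
    public static byte[] window(int[] days, int startHourUtc, int endHourUtc) {
        byte[] mask = denyAll();
        for (int day : days) {
            for (int h = startHourUtc; h < endHourUtc; h++) {
                setHour(mask, day, h, true);
            }
        }
        return mask;
    }

    /** Number of allowed hours in the week: 0 = fully blocked, 168 = unrestricted. */
    public static int allowedHours(byte[] mask) {
        int count = 0;
        for (byte b : mask) {
            count += Integer.bitCount(b & 0xFF);
        }
        return count;
    }

    /** One line per day, '#' for an allowed hour and '.' for a blocked one, columns are hours 00..23 UTC. */
    public static String describe(byte[] mask) {
        String[] names = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
        StringBuilder sb = new StringBuilder();
        for (int day = SUNDAY; day <= SATURDAY; day++) {
            sb.append(names[day]).append(' ');
            for (int h = 0; h < 24; h++) {
                sb.append(isAllowed(mask, day, h) ? '#' : '.');
            }
            sb.append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int[] weekdays = {MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY};
        byte[] business = window(weekdays, 8, 18);   // constructed sample schedule

        System.out.println("allowAll: " + allowedHours(allowAll()) + " h, denyAll: " + allowedHours(denyAll()) + " h");
        System.out.println("Mon-Fri 08:00-17:59 UTC: " + allowedHours(business) + " h\n" + describe(business));

        // Self-checks: 5 days x 10 hours, Monday 08:00 open, the weekend still blocked.
        if (allowedHours(business) != 50 || !isAllowed(business, MONDAY, 8) || isAllowed(business, SATURDAY, 12)) {
            throw new AssertionError("logonHours encoding is wrong");
        }
    }
}
```

The byte[] returned by `denyAll()`, `allowAll()` or `window()` is the value to hand to `new BasicAttribute("logonHours", mask)` with `DirContext.REPLACE_ATTRIBUTE` in the JNDI approach above; send it as a byte array, not as a string. After the write, read the attribute back (for example `Get-ADUser <sAMAccountName> -Properties logonHours`) and pass the returned 21 bytes to `describe()` to confirm the hour positions on a test account before applying this to real users, remembering that the stored bits are UTC, so a schedule that looks correct for an administrator in one time zone may be shifted for a user in another.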