Updating pwdChangedTime and other operation attributes via IIQ

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We use IBM Tivoli LDAP as one of our “sources of truth” for passwords, and that means that sometimes we want to mark a password as expired (say, because it’s just been reset by an Admin).

By default, IBM Tivoli LDAP uses the pwdReset attribute to mark a password as “admin expired”… but you only see that expiration if you pass a special value into the bind. Without it, the only thing that marks a password as expired is the pwdChangedTime attribute, by setting it to a time that’s farther in the past than the password policy we use allows. However, that pwdChangedTime attribute has high security; you can only set it manually by passing a control value in with your call.

Is there a way for IIQ to pass a control value into an LDAP call? How would you add that into a provisioning plan created by a workflow? Is there a way we can set pwdChangedTime as the expiryAttr value in LDAP (which is what pwdReset would use), and then make sure that the expiryAttr uses a specific date value (as far as I can tell, it only works with true or false at the moment)?

Below is my insight on how I solutioned a similar use-case:
I have leveraged a custom task which runs a rule wherein I will be setting the Filters and then triggering a workflow which basically invokes a PSScript on IQService now within this PSScript I have encoded third party integration code, it was OneIdentity integration. I think you can architect such a solution. I know its a really custom approach but since it is a high secrurity attribute a client would be happy if it is being invoked from within their IQService box.

1 Like

A powershell script is a pretty good idea, honestly. I’ll take a look and see if I can write one up that will handle that. Thanks!

1 Like

If the solution works, please do revert back here and mark it as a solution for future reference.


1 Like

I’m still working on that powershell script.

However, while I was working on it, I went over the LDAP documentation for Sailpoint again and found this:

  1. Enter the Password Expiry Attribute Name to update when the administrator reset operation is performed. For example, pwdReset or passwordExpirationTime
  2. Enter the Immediate Password Expiry Attribute Value to be set for the password expiry attribute when the administrator resets the password for the user. For example, set the value for pwdReset attribute to true.

The expiryAttr attribute can set pwdReset without issues. Could I use it to set pwdChangedTime? How do I set the Immediate Password Expiry Attribute Value? I tried just setting “value =” in the expiryAttr itself and still had the same issues.

Well to be honest I have only worked on the PSScript aspect when solutioning it. And I did try to scour the community posts. Which is providing no result, let me see if I can find any further references.

Additionally, you did mention originally you have set the source to be IBM Tivoli Directory have you configured another source of type OpenLDAP?


1 Like

Well I found something interesting that
pwdChangedTime is a special attribute set by the server, a so-called operational attribute. Normally this cannot be altered by a user application.

But can be modified leveraging relax rules when invoked OpenLDAP CLI maybe that would solve your usecase remember the timing should be in UTC format.

1 Like

Using the relax rules definitely works – we can simulate that with a direct call to the LDAP server in Java. I should be able to do the same thing with Powershell.

I was hoping there was a way to add the relax rules (or a control value, which is another thing LDAP would accept for this) directly into the Sailpoint provisioning call itself, but I haven’t found anything that suggests how to do that.