2 Way Account Expires Rules Extension
To assist in the understanding of managing the "accountExpires" attribute in AD with the "employeeEndDate" attribute in the FIM / MIM Portal I have created supporting post to go deeper in to how to implement this below solution.
The following is C# code that can be used to build a Rules Extension to be applied to the ADMA which converts the following:
1. accountExpires attribute on a user in AD to the Employee End Date attribute in the Portal
2. Employee End Date of a user in the Portal to the accountExpires attribute in AD.
- Create the following custom attribute in the metaverse if it does not already exist
Name Attribute Type employeeEndDate Indexed String
The following code is pulled from the Rules Extension -MAExtension Post
Management Agent Attribute Flow
When setting the attribute flow be sure to verify that you are selecting the correct Flow Direction and Mapping Type of Advanced, notice the exceptionally long names to the name of the rules extension, this is not ideal but for the initial instruction of how to deploy this solution I named the function this way to assist in the understanding of the data flow from connector space to and from the Metaverse.
accountExpires <- employeeEndDate cd.user:accountExpires<-mv.person:employeeEndDate
accountExpires -> employeeEndDate cd.user:accountExpires->mv.person:employeeEndDate
in the updated example I use a much cleaner naming standard for my functions
To Convert the accountExpires attribute to the employeeEndDate in the metaverse to be exported to the FIM Portal add the following piece of code is required within the "void IMASynchronization.MapAttributesForImport" section
if (csentry["accountExpires"].IntegerValue == 0 || csentry["accountExpires"].IntegerValue == 9223372036854775807)
// This is a special condition, do not contribute and delete any current value
DateTime dtFileTime = DateTime.FromFileTime(csentry["accountExpires"].IntegerValue);
Notice the format of the DateTime that the accountExpires attribute is being converted into "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'" Notice the 'T' , if the dtFileTime.ToString is not in this exact format the sync engine will fail to export the value to the FIM / MIM Portal. This is not the same format used for all data sources, other SQL , ORACLE, other data sources may except a wide array of date time formats but when working with the FIM / MIM Portal it has to be this format.
If you are setting the employeeEndDate in the FIM Portal and you wish to update the accountExpires attribute in Active Directory than you need to add the following code within the "void IMASynchronization.MapAttributesForExport" section
CultureInfo provider = CultureInfo.InvariantCulture;
if (mventry["accountExpires"].ToString() != "")
DateTime dtFileTime = DateTime.ParseExact(mventry["employeeEndDate"].Value, "yyyy'-'MM'-'dd'T'HH':'mm':'ss'.000'", provider);
csentry["accountExpires"].IntegerValue = dtFileTime.ToFileTime();
If you wish to be able to set the accountExpires or the employeeEndDate value from either Active Directory or the FIM Portal you will need to make this bidirectional. This can be accomplished by having both pieced of the above code in place as well as setting equal precedence in the Synchronization Service for the employeeEndDate attribute for the Peron object.
Need another example of the code Rules Extensions –Understanding Date Time Conversion Part 2