Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - check AD accountExpires attribute

  • 1.  ClearPass - check AD accountExpires attribute

    Posted Jan 30, 2020 06:55 AM

    I would like to check the AD attribute "accountExpires". The value that CPPM uses has a strange format. I attached a screenshot of the value. The customer would like to block accounts (MAC auth from endpoints) which are expired.

     

    Does anybody know how I can check if the accountExpires date compared to "now" is in the past? 

     

    First I tried to match the attribute UserAccountControl, but that value doesn't change when the account is expired. It only changes when the account is disabled.

     



  • 2.  RE: ClearPass - check AD accountExpires attribute
    Best Answer

    Posted Jan 30, 2020 07:19 AM

    Hmmm, I found the answer myself.

     

    Just use the built-in Time Source filter "Current Time MS".

     

    STUPID ME!!!

     



  • 3.  RE: ClearPass - check AD accountExpires attribute

    Posted Mar 24, 2020 02:02 PM


     

    Could you provide a screenshot of where to add the filter? Did you add an SQL filter to the Active Directory source? Or was this added to the time source filters?

     

    Thank you,

    Josue Ruiz



  • 4.  RE: ClearPass - check AD accountExpires attribute

    EMPLOYEE
    Posted Mar 24, 2020 02:16 PM

    Have a look at my setup.

    I've also changed the LDAP search so that it will match either a sAMAccountName or the UPN.

    (|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

    Also note the Microsoft time is different to Linux. It is based on a 64-bit number starting at 00:00:00 January 1st 1601 (although Pope Gregory XIII actually signed the creation of the new calendar (Gregorian) in October 1582 - go figure!) in 100ms steps.

    To compare with the ClearPass (Linux) time you will need to use [Time Source]:Now MS - hence you can do logical comparisons.

    Hopefully the other screenshots will help.
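The conversion behind that comparison, as an added example that is not part of the thread or of ClearPass itself: it assumes the accountExpires value reaches the policy engine as the raw Active Directory integer (100-nanosecond ticks since 1601-01-01 UTC, the Windows FILETIME format) and that the "Now MS" time source is Unix epoch milliseconds. It also handles the two sentinel values AD uses for "never expires", which would otherwise be misread as a date.

```python
from datetime import datetime, timezone

# Ticks between the FILETIME epoch (1601-01-01 UTC) and the Unix epoch (1970-01-01 UTC):
# 11644473600 seconds * 10^7 ticks per second.
FILETIME_EPOCH_OFFSET_TICKS = 116_444_736_000_000_000
TICKS_PER_MS = 10_000

# AD stores accountExpires as 0 or as the int64 maximum when no expiry is set.
NEVER_EXPIRES = {0, 9_223_372_036_854_775_807}


def filetime_to_unix_ms(filetime: int) -> int:
    """Convert a FILETIME tick count to Unix epoch milliseconds."""
    return (filetime - FILETIME_EPOCH_OFFSET_TICKS) // TICKS_PER_MS


def filetime_to_datetime(filetime: int) -> datetime:
    """Human-readable UTC timestamp for a FILETIME value (for log lines / debugging)."""
    return datetime.fromtimestamp(filetime_to_unix_ms(filetime) / 1000, tz=timezone.utc)


def account_expired(account_expires: str, now_ms: int) -> bool:
    """Mirror the policy check: True when the AD expiry lies before 'now' (Unix ms).

    account_expires is the attribute value as a string, which is how an
    authorization-source attribute is typically surfaced before comparison.
    """
    value = int(account_expires.strip())
    if value in NEVER_EXPIRES:
        return False  # no expiry configured; do not block
    return filetime_to_unix_ms(value) < now_ms


if __name__ == "__main__":
    # Constructed sample values: an account that expired at 2020-01-01T00:00:00Z,
    # evaluated against a "now" in late March 2020.
    sample_account_expires = "132223104000000000"
    sample_now_ms = 1_585_000_000_000
    print(filetime_to_datetime(int(sample_account_expires)).isoformat())
    print("expired:", account_expired(sample_account_expires, sample_now_ms))
```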



  • 5.  RE: ClearPass - check AD accountExpires attribute

    Posted Mar 24, 2020 03:01 PM

    Ah! Thank you, that makes sense now.