Has anyone seen the following?

I am syncing login expiration time in EDIR to accountexpires in AD.

If I set an expiration time, all works well. However, if I unexpire the
account, the account remains expired.

The accountexpires attribute is being set to -1. This should be 0 or
9223372036854775807 according to msoft (which is presumably the end of the

The prob would seem to be in the Output transformation - time conversion
policy. To resolve the prob, I have modified

    <xsl:if test="not(add-value)">
      <add-value>
        <value type="string">18446744073709551615</value>
      </add-value>

to

    <xsl:if test="not(add-value)">
      <add-value>
        <value type="octet">9223372036854775807</value>
      </add-value>

This does now unexpire the AD account correctly; however, I am unsure if
this may have a negative impact elsewhere. Looking for a bit of
reassurance, I guess.
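
An added example, not part of the original post or of the driver's own code: it checks the arithmetic behind the values quoted above, showing that 18446744073709551615 reinterpreted as a signed 64-bit integer is -1, while 0 and 9223372036854775807 are the two "never expires" values. It assumes accountExpires is stored as a signed 64-bit count of 100 ns intervals since 1601-01-01 UTC and that the eDirectory expiry is seconds since 1970 UTC; the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # the two "no expiry" values cited in the post
EPOCH_DELTA_S = 11_644_473_600           # seconds between 1601-01-01 and 1970-01-01 UTC
TICKS_PER_S = 10_000_000                 # accountExpires counts 100 ns intervals
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def as_signed64(n):
    """Reinterpret an unsigned 64-bit integer as a signed 64-bit one (assumed storage)."""
    if not 0 <= n <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("value does not fit in 64 bits")
    return struct.unpack("<q", struct.pack("<Q", n))[0]


def edir_to_account_expires(edir_seconds):
    """Convert an eDirectory expiry (assumed: seconds since 1970 UTC) to AD ticks.

    None stands for a cleared expiry and maps to the signed 64-bit maximum.
    """
    if edir_seconds is None:
        return 0x7FFFFFFFFFFFFFFF
    return (edir_seconds + EPOCH_DELTA_S) * TICKS_PER_S


def classify(raw):
    """Describe how a decimal accountExpires string reads once stored as signed 64-bit."""
    n = int(raw)
    stored = n if n < 0 else as_signed64(n)
    if stored in NEVER_EXPIRES:
        return "never expires"
    if stored < 0:
        return f"not a sentinel or a valid time ({stored})"
    try:
        when = AD_EPOCH + timedelta(microseconds=stored // 10)
    except OverflowError:
        return f"not a sentinel or a valid time ({stored})"
    return f"expires {when:%Y-%m-%d %H:%M:%S} UTC"


if __name__ == "__main__":
    # Constructed inputs: both values from the post, zero, and a sample expiry.
    sample = str(edir_to_account_expires(1735689600))
    for raw in ("18446744073709551615", "9223372036854775807", "0", sample):
        print(f"{raw:>20} -> {classify(raw)}")
```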