A removed value is not "available", never has been, never will be. What
you want to test is if operation attribute changing from regex .*
--

Father Ramon


Stephen wrote:
> Changing a Login Expiration in eDir moves to AD fine. However, trying to
> remove the expiration date completely is fighting me. A "remove value"
> doesn't seem to trigger a "op-attr Login Expiration is available" at all:
>
> <association state="associated">5043088a451e7e4a8fee36b93f0437f 1</association>
> <modify-attr attr-name="Login Expiration Time">
> <remove-value>
> <value timestamp="1187358420#1" type="time">1187323200</value>
> </remove-value>
> </modify-attr>
> </modify>
> </input>
> </nds>
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: Applying policy: Account Expiration.
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: Applying to modify #1.
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: Evaluating selection criteria for rule
> 'Change add to set for LoginExpirationTime'.
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: (if-class-name equal "User") = TRUE.
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: (if-op-attr 'Login Expiration Time'
> available) = FALSE.
> 09:49:22 5B366BB0 Drvrs: AD-FHD ST: Rule rejected.
>
> How can I remove the attribute (actually, change the accountExpires to a 0
> in AD) if I can't see its change (if op-attr 'Login Expiration Time'
> available=FALSE)? I know this has worked in the past, what am I missing?
>
> Thanks,
>
>