IBM Verify

  • 1.  GeneralizedTime to Epoch time format conversion in InfoMap

    Posted Fri May 07, 2021 09:05 AM

    Hi

    In ISAM LDAP schema, the SecUser's secPwdLastChanged attribute is formatted in the "Generalized Time" format.

    V3.ibm.at:attributetypes=( 1.3.6.1.4.1.4228.1.19 NAME 'secPwdLastChanged' DESC 'secPwdLastChanged' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 USAGE userApplications )

    I need to convert this value to an epoch time format to allow for trivial time comparison.

    Would anyone know if the Appliance comes pre-equipped with any such JS helper method somewhere, or mind sharing code snippets?


    My intent is to determine, from an InfoMap, the last time an authenticated user changed his/her password (var last_pwd_changed = user.getAttribute("secPwdLastChanged");) and take some arbitrary action.

    Thanks



    ------------------------------
    Sylvain Gilbert
    ------------------------------


  • 2.  RE: GeneralizedTime to Epoch time format conversion in InfoMap

    Posted Mon May 10, 2021 06:27 AM
    Edited by Jon Harry Mon May 10, 2021 06:28 AM
    Hi Sylvain,

    Looking at JavaScript, it seems there is a built-in Date class which can accept the ISO8601 time format in its constructor.
    ISO8601 is similar to LDAP Generalized time except that it includes some separators.
    It also has a valueOf() function that will return the epoch version.

    I built this test code (only tested in Node.js - hopefully it can work in Verify Access):

    //For reference: "2011-10-05T14:48:00.000Z";
    
    var gt = "20210414110900.0Z";
    
    var iso = gt.substr(0,4)
              + "-" + gt.substr(4,2)
              + "-" + gt.substr(6,2)
              + "T" + gt.substr(8,2)
              + ":" + gt.substr(10,2)
              + ":" + gt.substr(12);
    
    console.log(iso);
    
    var date = new Date(iso);
    
    console.log(date);
    console.log(date.valueOf());


    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: GeneralizedTime to Epoch time format conversion in InfoMap

    Posted Wed May 12, 2021 08:56 AM
    Edited by Sylvain Gilbert Wed May 12, 2021 08:57 AM
    Thanks Jon

    Here is the working code I came up with to force a redirect of the user from an InfoMap if his password is older than a certain threshold (ttl) value in days:

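    // Convert an LDAP GeneralizedTime value (e.g. "20210414110900.0Z") to ISO 8601.
    function generalizedTime2iso(gt)
    {
        // For reference iso format: "2011-10-05T14:48:00.000Z";
        // The trailing "Z" is required: without a zone designator the string is not
        // parsed as UTC. Assumes the stored value is UTC, like the sample earlier in this thread.
        return gt.substr(0,4) + "-" + gt.substr(4,2) + "-" + gt.substr(6,2) + "T" + gt.substr(8,2) + ":" + gt.substr(10,2) + ":" + gt.substr(12,2) + "Z";
    }
    // last_pwd_changed, profile_management_ttl and profile_management_url are set earlier in the InfoMap.
    var last_pwd_changed_iso = generalizedTime2iso(last_pwd_changed);
    var last_pwd_changed_ephoc = new Date(last_pwd_changed_iso).valueOf();
    var now_ephoc = new Date().valueOf();
    // valueOf() returns milliseconds, so one day is 86400 * 1000.
    let last_pwd_changed_threshold = now_ephoc - Number(profile_management_ttl) * 86400 * 1000;
    if (last_pwd_changed_threshold > last_pwd_changed_ephoc)
    {
        // Password is older than the ttl: override the post-login target URL.
        context.set(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "itfim_override_targeturl_attr", profile_management_url);
    }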

    Some ref on this subject: https://philipnye.com/2017/12/14/redirect-after-login-from-infomap-or-authsvc-policy/

    Thanks

    ------------------------------
    Sylvain Gilbert
    ------------------------------
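
The conversion discussed in this thread, as an added example that is not part of the original posts and not Verify Access code: it goes beyond the fixed-position `substr` approach by accepting the other GeneralizedTime forms RFC 4517 allows (omitted minutes or seconds, fractions, numeric zone offsets) and by rejecting malformed values. The function names are hypothetical, and treating an unparseable timestamp as an expired password is this example's assumption.

```javascript
// Added example; function names are hypothetical, not Verify Access APIs.
// RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.f|,f] then Z or +/-HH[MM]
var GT_RE = /^(\d{4})(\d{2})(\d{2})(\d{2})(?:(\d{2})(\d{2})?)?(?:[.,](\d+))?(Z|[+-]\d{2}(?:\d{2})?)$/;
var MS_PER_DAY = 86400 * 1000; // Date values are in milliseconds

function generalizedTimeToEpochMs(gt) {
    var m = GT_RE.exec(String(gt).trim());
    if (!m) return NaN; // malformed, or no time zone designator
    var y = +m[1], mo = +m[2], d = +m[3], h = +m[4];
    var mi = m[5] ? +m[5] : 0;
    var s = m[6] ? +m[6] : 0;
    var utc = Date.UTC(y, mo - 1, d, h, mi, s);
    // Date.UTC silently rolls over out-of-range fields (month 13, Feb 30);
    // reject those instead. A leap second (SS=60) is rejected as well.
    var chk = new Date(utc);
    if (chk.getUTCFullYear() !== y || chk.getUTCMonth() !== mo - 1 ||
        chk.getUTCDate() !== d || chk.getUTCHours() !== h ||
        chk.getUTCMinutes() !== mi || chk.getUTCSeconds() !== s) return NaN;
    // The fraction applies to the smallest unit that is present.
    var unitMs = m[6] ? 1000 : (m[5] ? 60000 : 3600000);
    var fracMs = m[7] ? Math.round(parseFloat("0." + m[7]) * unitMs) : 0;
    var offsetMs = 0;
    if (m[8] !== "Z") {
        var sign = m[8].charAt(0) === "-" ? -1 : 1;
        var offMin = (+m[8].substr(1, 2)) * 60 + (m[8].length > 3 ? +m[8].substr(3, 2) : 0);
        offsetMs = sign * offMin * 60000;
    }
    return utc + fracMs - offsetMs; // local time minus its offset gives UTC
}

// True when the password is older than ttlDays at time nowMs.
// Unparseable timestamps or TTLs count as expired (this example's choice).
function passwordOlderThan(gt, ttlDays, nowMs) {
    var changed = generalizedTimeToEpochMs(gt);
    var ttl = Number(ttlDays);
    if (isNaN(changed) || !(ttl >= 0)) return true;
    return nowMs - changed > ttl * MS_PER_DAY;
}
```

Passing the current time in as `nowMs` keeps the age check deterministic when testing; in an InfoMap it would be `new Date().valueOf()`.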