RFC 4517 says:

If a time is specified with the minutes or seconds absent, then the number of minutes or seconds (respectively) is assumed to be zero.

Are you saying that Tivoli Directory Server V6.2 requires the seconds to be present?

(In reply to comment #1)
> RFC 4517 says:
> If a time is specified with the minutes or seconds absent, then the
> number of minutes or seconds (respectively) is assumed to be zero.
> Are you saying that Tivoli Directory Server V6.2 requires the seconds
> to be present?

Yes Todd , 

As you can see , i'm adding sudoNotBefore for a sudo role, with the format yyyymmddHHMMZ 
dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 201105251632Z

Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
ldap_modify: Invalid syntax

It gave me the error of invalid syntax 

Now , i added with yyyymmddHHMMSSZ format 

dn: cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com
changetype: modify
replace: sudoNotBefore
sudoNotBefore: 20110525163200Z

It changed successfully

prlldps01:root:/home/root # ldapmodify ${ADMINDN} -f /tmp/ldif
Operation 0 modifying entry cn=testsudo,ou=SUDOers,cn=aixdata,ou=testaixsystems,dc=tapue,dc=com

prlldps01:root:/home/root # echo $?
0

You should probably file a bug with IBM about that as the RFC clearly states that the seconds (and also the minutes) are optional.

I'll modify the ldap filter code to include the seconds and update the manual to also mention the seconds in the description.

Hi Todd , 

IBM confirmed that RFC 4517 is not included in TDS V6.2

Sudo 1.8.2 uses the yyymmddHHMMZ timestamp format.