Hi Emmanuel,

Thanks for the response, this helps a lot! This is almost what I need, but not quite all of it.

I have a custom attribute called 'status' on my custom user object. This 'status' attribute can be either 'ACTIVE' or 'INACTIVE'. Is there a way that I can create some sort of interceptor that will trigger when the account is locked due to inactivity from pwdMaxIdle? I want this interceptor to trigger and set the 'status' attribute to 'INACTIVE'.

Also, once an account is locked, how do I unlock it? Do I simply remove the pwdLastSuccessTime attribute? Or just have an admin user change the password?

Thanks,

>On 07/03/2017 at 21:29, Pittman, Michael wrote:
>> Hi,
>>
>> I'm looking for a way to disable a user account if the user has not logged
>> in for a configurable amount of days. Does ApacheDS currently support this?
>
>You would like to set a default passwordPolicy, and set the
>ads-pwdMaxIdle attribute. From
>https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#page-27 :
>
>5.2.20. pwdMaxIdle
>
>   This attribute specifies the number of seconds an account may remain
>   unused before it becomes locked. If this attribute is not set or is
>   0, no check is performed.
>
>   ( 1.3.6.1.4.1.42.2.27.8.1.26
>     NAME 'pwdMaxIdle'
>     EQUALITY integerMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
>     SINGLE-VALUE )
>
>Have a look at
>http://directory.apache.org/apacheds/advanced-ug/4.3-password-policy.html
>
>--
>Emmanuel Lecharny
>
>Symas.com
>directory.apache.org

Michael Pittman
Software Engineer
CRITICAL NETWORKS / HARRIS CORPORATION
Mobile: (863) 517-1910
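The idle check from the quoted section 5.2.20, applied to the 'status' attribute from the question, as an added example that is not part of the original thread and is not ApacheDS code. It is an external batch job rather than an interceptor and calls no ApacheDS API; it assumes idleness is measured from pwdLastSuccessTime, and the DNs, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime such as 20170307212900Z or 20170307212900.123Z."""
    if not value.endswith("Z"):
        raise ValueError("only UTC (Z) timestamps are handled: %r" % value)
    base = value[:-1].split(".")[0]  # drop the optional fractional seconds
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def is_idle_locked(entry, pwd_max_idle, now):
    """True when the entry has been unused for more than pwd_max_idle seconds."""
    if not pwd_max_idle:  # "not set or is 0, no check is performed"
        return False
    last = entry.get("pwdLastSuccessTime")
    if last is None:
        return False  # assumption: no recorded successful bind, nothing to measure
    idle = (now - parse_generalized_time(last)).total_seconds()
    return idle > pwd_max_idle

def status_ldif(entries, pwd_max_idle, now):
    """Build LDIF that sets status to INACTIVE on idle entries still marked ACTIVE."""
    records = []
    for entry in entries:
        if entry.get("status") == "ACTIVE" and is_idle_locked(entry, pwd_max_idle, now):
            records.append(
                "dn: %s\nchangetype: modify\nreplace: status\nstatus: INACTIVE\n-\n"
                % entry["dn"]
            )
    return "\n".join(records)

# Constructed sample entries, shaped like the result of an LDAP search.
SAMPLE = [
    {"dn": "uid=alice,ou=users,dc=example,dc=com", "status": "ACTIVE",
     "pwdLastSuccessTime": "20170301100000Z"},
    {"dn": "uid=bob,ou=users,dc=example,dc=com", "status": "ACTIVE",
     "pwdLastSuccessTime": "20170101080000.500Z"},
    {"dn": "uid=carol,ou=users,dc=example,dc=com", "status": "ACTIVE"},
    {"dn": "uid=dave,ou=users,dc=example,dc=com", "status": "INACTIVE",
     "pwdLastSuccessTime": "20161201000000Z"},
]
NOW = datetime(2017, 3, 8, 12, 0, 0, tzinfo=timezone.utc)  # fixed for repeatability
MAX_IDLE = 30 * 24 * 3600  # constructed pwdMaxIdle value: 30 days in seconds

if __name__ == "__main__":
    print(status_ldif(SAMPLE, MAX_IDLE, NOW))
```

The LDIF can be reviewed before an administrator applies it with a standard LDAP modify client.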
