Hi list,

I need to implement user account lifetime functionality on my OpenLDAP server (2.3.27). For each user account the lifetime can be set as "forever" or as "a number of days between 1 and 365". After the lifetime expires, the user must be terminated (still present in LDAP, but not able to log in). Could you please suggest a convenient way to implement such a requirement?

I have inspected the slapo-ppolicy(5) overlay functionality; it seems that "pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0" would help, but then I need to set up a separate policy for each account with a different lifetime. This approach will also fail if the user decides to change the password: then the lifetime will be extended, but in my case the lifetime must not be changeable. I have also read about "shadowAccount"; maybe that could be useful?

An important note is that we are using OpenLDAP as the user store for our Java application. To manipulate OpenLDAP from Java, the "Netscape Directory SDK 4.1 for Java API" is used. It would be great to have the described "account termination after lifetime expiration" supported on both the LDAP and the application level (that is, the user must not be able to connect to LDAP, and it should be possible to check it from my code).

Any suggestions are very much appreciated.

Thanks in advance,
Alina.
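An added illustration (not part of the original post, and in Python rather than the Netscape Java SDK) of the difference described above: the ppolicy deadline is pwdChangedTime + pwdMaxAge and therefore moves when the password changes, whereas a shadowExpire value computed once at account creation does not. The entry, dates and uid are constructed; slapd itself does not enforce shadowExpire on bind, so that check has to be made by the application.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20061125120000Z' (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def shadow_expire_for(created, lifetime_days):
    """shadowExpire value (days since the Unix epoch) for a fixed lifetime.

    None means 'forever' (no shadowExpire attribute at all)."""
    if lifetime_days is None:
        return None
    return (created - EPOCH).days + lifetime_days


def ppolicy_expired(entry, pwd_max_age_seconds, now):
    """Expiry as slapo-ppolicy evaluates it with pwdGraceAuthnLimit=0:
    the password (and thus the login) expires pwdMaxAge seconds after
    pwdChangedTime, which is rewritten on every password change."""
    if pwd_max_age_seconds == 0:  # pwdMaxAge 0 means never expire
        return False
    changed = parse_generalized_time(entry["pwdChangedTime"])
    return now >= changed + timedelta(seconds=pwd_max_age_seconds)


def shadow_expired(entry, now):
    """Expiry from shadowExpire; unaffected by password changes.
    Must be checked by the application: slapd does not enforce it on bind."""
    if "shadowExpire" not in entry:
        return False
    return (now - EPOCH).days >= int(entry["shadowExpire"])


def demo():
    """Constructed scenario: account created 2006-11-01 with a 30-day lifetime,
    password changed on 2006-11-25, checked on 2006-12-05."""
    created = datetime(2006, 11, 1, tzinfo=timezone.utc)
    entry = {  # constructed entry, mimicking the attributes slapd would hold
        "uid": "example-user",
        "pwdChangedTime": "20061125120000Z",
        "shadowExpire": str(shadow_expire_for(created, 30)),
    }
    now = datetime(2006, 12, 5, tzinfo=timezone.utc)
    return {
        "ppolicy_expired": ppolicy_expired(entry, 30 * 86400, now),  # False: extended
        "shadow_expired": shadow_expired(entry, now),                 # True: fixed
    }
```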
