From: Hallvard B Furuseth <[EMAIL PROTECTED]>
Date: Mon, 8 Jan 2007 16:49:36 +0100
- If your DB is small enough (since you can't index for ORDERING), run a
cron job every day which searches for "(expiryattribute<=now)"
and deletes userPassword and the expiry attr from the entries it
finds.
ORDERING indexing on GeneralizedTime has been supported since OpenLDAP 2.3.1.
- Or you could write a new overlay which rejects Bind if the expiry time
is in the past.
This would probably be easiest.
- Or you can have an access statement
    access to attrs=userPassword filter=(expiryattribute<=now)
        by * none
before other access statements controlling userPassword, which a cron
job updates each day. Can be done over the protocol if you use the
config backend, otherwise it has to update slapd.conf and restart
slapd so it'll re-read slapd.conf.
Something like this, unless someone knows an existing schema you can
use:
attributeType ( <your organization's OID>.1.1.1
    NAME '<yourOrganization>expiryTime'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

objectClass ( <your organization's OID>.1.2.1
    NAME '<yourOrganization>expiryObject'
    AUXILIARY
    MAY ( <yourOrganization>expiryTime ) )
See Generalized Time in RFC 4517 for a description of the Generalized
Time syntax. See <http://www.openldap.org/faq/data/cache/391.html>
about getting an OID.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
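The daily cron job sketched in the first option, written out as an added example (this is not code from the thread or from the OpenLDAP project). It assumes the expiry attribute is named myOrgExpiryTime (the thread only gives the placeholder '<yourOrganization>expiryTime'), that the OpenLDAP client tools ldapsearch and ldapmodify are installed, and that a simple bind as cn=admin with the password in a file works; the "now" in the filter has to be spelled out as a literal GeneralizedTime value, which is what now_generalized_time produces.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: the expiry
# attribute is "myOrgExpiryTime", the directory is reachable with the
# OpenLDAP client tools using a simple bind, and the bind password sits
# in a file readable only by the cron user.
# GeneralizedTime values look like 20070108154936Z (RFC 4517), and the
# filter needs such a literal; "now" is not interpreted by the server.

EXPIRY_ATTR="${EXPIRY_ATTR:-myOrgExpiryTime}"          # assumed name
BASE_DN="${BASE_DN:-dc=example,dc=com}"                # assumed base
BIND_DN="${BIND_DN:-cn=admin,$BASE_DN}"                # assumed admin DN
PW_FILE="${PW_FILE:-/etc/ldap/expiry.pw}"              # assumed path

# Current UTC time in GeneralizedTime form, e.g. 20070108154936Z.
now_generalized_time() {
    date -u +%Y%m%d%H%M%SZ
}

# Filter selecting entries whose expiry time is at or before $1 and
# that still carry a userPassword (so already-cleaned entries are skipped).
expiry_filter() {
    printf '(&(%s<=%s)(userPassword=*))' "$EXPIRY_ATTR" "$1"
}

# LDIF change record removing userPassword and the expiry attribute
# from the entry whose DN is $1.
delete_ldif() {
    printf 'dn: %s\nchangetype: modify\ndelete: userPassword\n-\ndelete: %s\n-\n\n' \
        "$1" "$EXPIRY_ATTR"
}

# The job itself: search for expired entries (attribute list "1.1" asks
# for no attributes, so only DNs come back), build one modify per DN and
# feed the LDIF to ldapmodify.  Caveat: ldapsearch base64-encodes DNs
# containing non-ASCII characters as "dn:: ..."; those are skipped here.
run_expiry_job() {
    ldapsearch -LLL -x -D "$BIND_DN" -y "$PW_FILE" -b "$BASE_DN" \
        "$(expiry_filter "$(now_generalized_time)")" 1.1 \
    | sed -n 's/^dn: //p' \
    | while IFS= read -r dn; do delete_ldif "$dn"; done \
    | ldapmodify -x -D "$BIND_DN" -y "$PW_FILE"
}

# Only touch the directory when explicitly asked, e.g. from crontab:
#   15 3 * * * RUN_EXPIRY_JOB=yes /usr/local/sbin/expire-passwords.sh
case "${RUN_EXPIRY_JOB:-no}" in
    yes) run_expiry_job ;;
esac
```

The search and the modify run under the same bind, so the cron user's identity needs read access to the expiry attribute and write access to userPassword, and nothing more; the extra (userPassword=*) term keeps the job from re-submitting modifies for entries it has already cleaned, which would otherwise fail with "no such attribute".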