Hello,

I am trying to disable user logins for expired trial users.

After searching online, I finally found a useful thread from this very
list, archived at
http://www.openldap.org/lists/openldap-technical/201111/msg00165.html

I accidentally tried to mess with the userPassword hash, but it did not
work for me.

Since in that thread Michael showed/shared a better way to achieve the
same goal of disabling users with ACLs, I am trying to copy his
method.

I attempted to follow Michael's example. It has not worked yet. Below
is my script:

dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write by anonymous auth
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write
  by * read

Currently, ldapmodify(1) is failing with an implementation-specific
error, likely due to messed-up syntax or something. The additional
info: <olcAccess> handler exited with 1

Michael's example is not written for OLC, so I managed to do something
wrong. Any ideas?

Thank you,
Igor Shmukler