On 4/1/19 5:32 PM, Mikael Bak wrote:
> 1) I want to be able to disable users. I can do this by setting:
> pwdAccountLockedTime: 000001010000Z

I'd recommend using another attribute and defining an ACL on attrs=userPassword for that.

> 2) I want to be able to set a date in the future when a user account
> will expire / deactivate.
>
> I was hoping to be able to set "pwdAccountLockedTime" to a date in the
> future and after that date the user account would be locked.
>
> Reading the source code for ppolicy I find an interesting block in the
> function "account_locked()" at line 356:
>
> /* Still in the future? not yet in effect */
> if (now < then)
>     return 0;
>
> This leads me to believe that the author's intention may have been to
> allow what I want to do.

Note that semantics for 'pwdAccountLockedTime' are defined herein:

https://tools.ietf.org/html/draft-behera-ldap-password-policy

It does not mean what you want to achieve.

For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus, aeNotAfter etc.

https://www.ae-dir.com/docs.html#schema-at-aeStatus

Ciao, Michael.
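
One way the suggestion above (a separate status attribute plus an ACL on attrs=userPassword) could look in slapd.conf. This is an added example, not part of the original message and not Æ-DIR's own configuration; the attribute exampleAccountStatus and its value disabled are hypothetical and would have to be defined in a local schema.

```conf
# Added illustration, not from the original message.
# exampleAccountStatus is a hypothetical attribute from a local schema.
# slapd applies the first "access to" clause that matches an entry and
# attribute, so the rule for disabled entries must come first.

# Disabled entries: no one is granted any access to userPassword, not
# even "auth", so a simple bind with the stored password is refused.
access to filter="(exampleAccountStatus=disabled)" attrs=userPassword
    by * none

# All other entries: the usual userPassword rule.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
```

The rootdn is not subject to ACLs, so an administrator bound as rootdn can still reset the status attribute or the password.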
