Hi Michael,

On 2019. 04. 01. 18:07, Michael Ströder wrote:
> On 4/1/19 5:32 PM, Mikael Bak wrote:
>> 1) I want to be able to disable users. I can do this by setting:
>> pwdAccountLockedTime: 000001010000Z
>
> I'd recommend to use another attribute and define an ACL on
> attrs=userPassword for that.
>

Yes, I can do that, but I did not find any obvious choice of attribute for this in the included schemas. What attribute do you recommend for this?

>> 2) I want to be able to set a date in the future when a user account
>> will expire / deactivate.
>>
>> I was hoping to be able to set "pwdAccountLockedTime" to a date in the
>> future and after that date the user account would be locked.
>>
>> Reading the source code for ppolicy I find an interesting block in the
>> function "account_locked()" at line 356:
>>
>> /* Still in the future? not yet in effect */
>> if (now < then)
>> return 0;
>>
>> This leads me to believe that the author's intention may have been to
>> allow what I want to do.
>
> Note that semantics for 'pwdAccountLockedTime' are defined herein:
>
> https://tools.ietf.org/html/draft-behera-ldap-password-policy
>
> It does not mean what you want to achieve.
>

Thanks for the link to the ppolicy draft. As I said, I realize ppolicy is probably not the best choice for what I want to do. Unfortunately I did not find any other overlay module that does what I would like to do. Are there any? I'm very curious to know what others do in this situation.

> For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus,
> aeNotAfter etc.
>
> https://www.ae-dir.com/docs.html#schema-at-aeStatus
>

Thanks for the info. How do you handle the expiry in Æ-DIR? I have not found a way to construct an ACL that can have "today" or "now" as a search parameter. I'm quite new to LDAP, so a little help is greatly appreciated.

Thanks,
Mikael
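An added example (not from this thread and not Æ-DIR's configuration) of the ACL approach recommended above, in slapd.conf syntax: a hypothetical custom attribute, here called x-accountStatus, flags an entry as disabled, and the first ACL refuses every use of userPassword on such entries so a simple bind against them fails. The attribute name, its value and the surrounding database layout are assumptions, and the attribute would have to be defined in a local schema.

```conf
# Added example, not from the mailing-list thread.
# x-accountStatus is a hypothetical custom attribute; "disabled" is an
# assumed value. Both must exist in a locally defined schema.
#
# slapd evaluates "access to" clauses in order and uses the first one
# whose target (entry filter plus attribute list) matches, so the deny
# rule for disabled entries must come before the general userPassword rule.

# 1. Disabled entries: nobody, not even the entry itself, may read,
#    compare or authenticate against userPassword. A simple bind as such
#    an entry therefore fails with invalid credentials.
access to filter=(x-accountStatus=disabled) attrs=userPassword
        by * none

# 2. Everyone else: the usual rule. "auth" access is what a simple bind
#    needs; "self write" lets users change their own password.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 3. Remaining attributes, unchanged by the disable mechanism.
access to *
        by self write
        by users read
        by anonymous auth
```

Nothing in slapd's ACL filter syntax can refer to the current time, so an expiry date stored in an attribute has to be turned into the disabled flag by a scheduled job outside slapd (for example a periodic search for entries whose expiry timestamp is already in the past, followed by a modify). The ACL takes effect at the next bind; it does not terminate connections that are already authenticated, and it only covers password-based binds, not SASL mechanisms that never touch userPassword.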
