On 4/2/19 8:31 AM, Mikael Bak wrote:
> On 2019. 04. 01. 18:07, Michael Ströder wrote:
>> I'd recommend to use another attribute and define an ACL on
>> attrs=userPassword for that.
>
> Yes, I can do that, but I did not find any obvious choice of attribute
> for this in the included schemas. What attribute do you recommend for this?

One candidate is 'organizationalStatus':

https://tools.ietf.org/html/rfc4524#section-2.19

But you would need to define your own custom object class.

>> For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus,
>> aeNotAfter etc.
>>
>> https://www.ae-dir.com/docs.html#schema-at-aeStatus
>
> Thanks for the info.
> How do you handle the expiry in Æ-DIR? I have not found a way to construct
> an ACL that can have "today" or "now" as a search parameter.

Last time something like this was discussed here:

https://www.openldap.org/lists/openldap-technical/201402/msg00186.html

I'd love to see this implemented:

https://tools.ietf.org/html/draft-pluta-ldap-srv-side-current-time-match-01

Until then Æ-DIR uses a small CRON job for updating 'aeStatus' if
'aeNotAfter' is reached and 'aeExpiryStatus' is set.

Ciao, Michael.
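The periodic expiry update described in the message above, as an added example (not part of the original post and not Æ-DIR's own job): it selects entries whose aeNotAfter has passed and emits LDIF that sets aeStatus to aeExpiryStatus. The entries are constructed, and the integer status values, with a larger number taken to be more restrictive, are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample entries (dn, attributes); the status integers are assumed values.
SAMPLE_ENTRIES = [
    ("uid=alice,dc=example,dc=com",
     {"aeStatus": "0", "aeNotAfter": "20190401000000Z", "aeExpiryStatus": "1"}),
    ("uid=bob,dc=example,dc=com",      # deadline still in the future
     {"aeStatus": "0", "aeNotAfter": "20190501000000Z", "aeExpiryStatus": "1"}),
    ("uid=carol,dc=example,dc=com",    # already at the expiry status
     {"aeStatus": "1", "aeNotAfter": "20190101000000Z", "aeExpiryStatus": "1"}),
    ("uid=dave,dc=example,dc=com",     # aeExpiryStatus not set: leave untouched
     {"aeStatus": "0", "aeNotAfter": "20190101000000Z"}),
    ("uid=erin,dc=example,dc=com",     # malformed timestamp
     {"aeStatus": "0", "aeNotAfter": "2019-04-01", "aeExpiryStatus": "1"}),
]

def parse_generalized_time(value):
    # Only the UTC form YYYYmmddHHMMSSZ is accepted; anything else raises ValueError.
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_changes(entries, now):
    """Return (changes, rejected): status updates due at `now`, and DNs with bad data."""
    changes, rejected = [], []
    for dn, attrs in entries:
        if "aeNotAfter" not in attrs or "aeExpiryStatus" not in attrs:
            continue  # no expiry configured for this entry
        try:
            deadline = parse_generalized_time(attrs["aeNotAfter"])
            current, target = int(attrs["aeStatus"]), int(attrs["aeExpiryStatus"])
        except (KeyError, ValueError):
            rejected.append(dn)  # report it rather than silently leaving it active
            continue
        # Assumption: a larger status is more restrictive, so never lower it.
        if deadline <= now and current < target:
            changes.append((dn, target))
    return changes, rejected

def to_ldif(changes):
    # LDIF modify records; the sample DNs are plain ASCII, so no base64 is needed.
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: aeStatus\naeStatus: {status}\n-\n"
        for dn, status in changes
    )

if __name__ == "__main__":
    due, bad = expiry_changes(SAMPLE_ENTRIES, datetime(2019, 4, 2, 8, 31, tzinfo=timezone.utc))
    print(to_ldif(due))
    print("rejected:", bad)
```

Because the ACL on userPassword only sees the stored status, an expired entry stays usable until the next run of the job, so the run interval bounds how long that window is.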
