On 30 Nov 2011, at 22:21, Nick Urbanik wrote:

> Dear Folks,
> 
> I am writing Perl software to manage our OpenLDAP cluster using the
> slapo.ppolicy overlay to manage password policy.  I'm hoping to get
> this into production very soon.
> 
> My problem: how to efficiently search for users who have expired?
> 
> I have seen the code written by Buchan Milne at
> http://staff.telkomsa.net/~bgmilne/ldap/, but he is munging with the
> operational attributes directly.  The code I've written so far has
> mostly avoided working with these directly; I've been using
> Net::LDAP::Control::PasswordPolicy so far, and am trying to understand
> how to construct a suitable filter using this control.
> 
> Can anyone point me in the right direction?

The PP control is very much meant for telling a user about *his* password 
status. If you combined it with proxy auth, you could imagine writing something 
that iterated through every user, and did some kind of operation (something 
simple like whoami perhaps) proxying as that user and requesting PP status back.

That may give you what you want. It may even work! :-)

I suspect Buchan's approach is better as it doesn't involve iterating through 
each user and the attributes it is using are defined in the same draft as the 
PP control, i.e. reasonably standardised.

Chris
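
A sketch of the operational-attribute approach discussed above, added here as an example (it is not code from this thread or from Buchan Milne's scripts). It assumes one default policy with a known pwdMaxAge, user entries of objectClass person, and a bind identity allowed to read pwdChangedTime; the LDAP_* environment variable names and the sample users are constructed for illustration.

```perl
use strict;
use warnings;
use POSIX qw(strftime);
use Time::Local qw(timegm);

# Filter for passwords last changed $max_age or more seconds before $now (0 = no expiry).
sub expired_filter {
    my ($max_age, $now) = @_;
    return unless $max_age > 0;
    my $cutoff = strftime('%Y%m%d%H%M%SZ', gmtime($now - $max_age));
    return "(&(objectClass=person)(pwdChangedTime<=$cutoff))";
}

# Convert a UTC GeneralizedTime value (e.g. 20110830102103Z) to epoch seconds.
sub gt_to_epoch {
    my ($gt) = @_;
    my ($y, $mo, $d, $h, $mi, $s) =
        $gt =~ /^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(?:\.\d+)?Z$/ or return;
    return timegm($s, $mi, $h, $d, $mo - 1, $y);
}

# Per-entry check, for users whose pwdPolicySubentry gives a different pwdMaxAge.
sub is_expired {
    my ($changed, $max_age, $now) = @_;
    return 0 unless defined($changed) && $max_age > 0;
    my $t = gt_to_epoch($changed);
    return (defined($t) && $t + $max_age <= $now) ? 1 : 0;
}

# Constructed sample data (uid => pwdChangedTime), not from a real directory.
my %sample  = (alice => '20110101000000Z', bob => '20111120083000Z');
my $now     = timegm(0, 0, 0, 30, 10, 2011);  # 30 Nov 2011 00:00:00 UTC
my $max_age = 90 * 24 * 3600;                 # assumed pwdMaxAge: 90 days
print expired_filter($max_age, $now), "\n";
for my $uid (sort keys %sample) {
    printf "%-6s %s\n", $uid, is_expired($sample{$uid}, $max_age, $now) ? 'expired' : 'ok';
}

# Live search (hypothetical LDAP_* env vars); request operational attrs by name.
if ($ENV{LDAP_URI}) {
    require Net::LDAP;
    my $ldap = Net::LDAP->new($ENV{LDAP_URI}) or die "$@";
    $ldap->bind($ENV{LDAP_BINDDN}, password => $ENV{LDAP_PW});
    my $filter = expired_filter($max_age, time);
    my $res = $ldap->search(base => $ENV{LDAP_BASE}, filter => $filter,
                            attrs => ['uid', 'pwdChangedTime']);
    die $res->error if $res->code;
    print $_->dn, "\n" for $res->entries;
}
```

Entries with no pwdChangedTime value never match the filter, so accounts whose password has never been set through the overlay need a separate check.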
