Hello list.
I have to handle account locking on our directory, so as to keep accounts from people not working here anymore. On Buchan's suggestion, I have used ppolicy so far, with the pwdAccountLockedTime attribute set to 000001010000Z to lock unused accounts. This is really handy to handle Unix accounts and web application accounts at once. However, there are also some drawbacks:
- this is an operational account, thus a bit difficult to retrieve/edit (additional search options needed)
- its locking value seems to be quite cryptic (but maybe I missed the semantic description somewhere)
- it seems to be a binary field only (locked/unlocked), as opposed to shadowMax which allows setting an expiration date in advance. Even a purely cosmetic contract expiration date would be helpful here, but I didn't find anything similar in the standard schemas
- it doesn't easily handle the use case where you just need to extract a list of valid accounts (such as scan-to-email features on copiers), except by filtering on this attribute value, which isn't always possible (broken copier firmware, for instance)
The last issue could be worked around by filtering on the LDAP side using a dynamic group, I think.
So, does anyone have a suggestion on how to handle this better?
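As an added example (not from the original post or from OpenLDAP itself), here is a small Python script that applies the ppolicy lock semantics described above to constructed LDIF entries: the 000001010000Z sentinel is treated as a permanent lock, and the resulting active list is what the filter `(!(pwdAccountLockedTime=*))` would return. Beyond the post, it assumes ppolicy's behaviour that any other timestamp marks an automatic lockout which clears after pwdLockoutDuration seconds; the sample LDIF and the helper names are mine.

```python
"""Classify OpenLDAP ppolicy accounts as locked or active from LDIF.
Constructed example. 000001010000Z is the permanent-lock sentinel; any other
GeneralizedTime records when an automatic lockout began (assumption: such
lockouts expire after pwdLockoutDuration seconds, as ppolicy defines it)."""
from datetime import datetime, timedelta, timezone
PERMANENT_LOCK = "000001010000Z"

# Constructed sample LDIF, as ldapsearch '+' would return the operational attribute
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 000001010000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
pwdAccountLockedTime: 20240101120000Z
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries

def is_locked(entry, now=None, lockout_duration=None):
    """True if ppolicy would refuse binds for this entry at time 'now'."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return False
    if values[0] == PERMANENT_LOCK:
        return True
    if lockout_duration is None:   # no pwdLockoutDuration: locked until an admin clears it
        return True
    locked_at = datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return now < locked_at + timedelta(seconds=lockout_duration)

def active_accounts(entries, **kw):
    """The uids the filter (!(pwdAccountLockedTime=*)) would return when no lockout expires."""
    return [e["uid"][0] for e in entries if not is_locked(e, **kw)]
```

Running it against the sample returns only alice as active; carol only reappears once a lockout duration is supplied and has elapsed.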