Rob Shepherd writes:
Is it possible to make queries to internal data, as well as directory entry attributes?
Yes.
If you want a search to return internal data for an entry, aka operational attributes, you must explicitly ask for them.
As an OpenLDAP extension, asking for "+" requests all operational attributes. And remember that asking for any attribute cancels the default "*", so if you want both all operational and user attributes, ask for both "*" and "+".
I want to query when an attribute was added to the directory, without having to make an external repository for this info, in another database or file, or supplementary descriptive
$ ldapsearch -xLLLh ldap.uio.no -b dc=uio,dc=no "(uid=hbf)" modifyTimestamp
dn: uid=hbf,cn=people,dc=uio,dc=no
modifyTimestamp: 20070329084312Z
Is there a backend way to make attributes expire?
man slapo-dds and (for passwords) slapo-ppolicy.
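
An added example, not part of the original message: a small audit helper that parses `ldapsearch -LLL` output requested with both "*" and "+" and reports which entries were modified since a cutoff, and which came back without modifyTimestamp. The example.com entries, their values and the function names are constructed for illustration; it assumes timestamps in the YYYYmmddHHMMSSZ form shown in the output above.

```python
import base64
import re
from datetime import datetime, timezone

# Constructed sample; the third entry stands for a result without operational attributes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
cn:: QWxpY2U=
description: folded val
 ue
modifyTimestamp: 20070329084312Z

dn: uid=bob,ou=people,dc=example,dc=com
modifyTimestamp: 20070101000000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Return one dict per entry, mapping attribute name to a list of values."""
    text = text.replace("\n ", "")          # undo LDIF line folding
    entries = []
    for block in re.split(r"\n{2,}", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def parse_timestamp(value):
    """Parse a YYYYmmddHHMMSSZ timestamp (assumed format) as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def modified_since(entries, cutoff):
    """Return (DNs modified at/after cutoff, DNs with no modifyTimestamp returned)."""
    hits, missing = [], []
    for e in entries:
        stamps = e.get("modifyTimestamp")
        if not stamps:
            missing.append(e["dn"][0])      # "+" not requested, or not readable
        elif parse_timestamp(stamps[0]) >= cutoff:
            hits.append(e["dn"][0])
    return hits, missing
```

Entries in the second list are worth a second look: they usually mean the search did not ask for "+" or the bind identity is not allowed to read the attribute.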