Hello,
Does any one know how to force the expiration of an account within the slapo-ppolicy overlay?
For instance, says that an employee's last day with the organization ends at 5PM, is there a flag I can set to deactivate an account at that time.
I know that I could write a cronjob that would do this.
Thanks, Dan
Daniel Durgin a écrit :
Hello,
Does any one know how to force the expiration of an account within the slapo-ppolicy overlay?
For instance, says that an employee's last day with the organization ends at 5PM, is there a flag I can set to deactivate an account at that time.
Everything depends what you define by 'deactivate' exactly.
You can use shadowAccount class shadowExpire attribute to a given date to make pam reject logins attempts after this date. But that is only a client-side effect for a specific application.
You can use ppolicy pwdAccountLockedTime attribute to 000001010000Z value to make all bind operation fails, but using an external mean, such as a cron task, as it is impossible to set a date in the future and hope ppolicy will start honours it once this time is reached.
You could also use the smbkrb5 overlay, and rely on kerberos-specific password expiration date to make autentication fails server-side, this time after a given date.
In both case, the account will still exists in the directory, meaning the user will still be part of mailing list whose membership is based on ldap requests, for instance.
I'd like also to have a way to first lock password server-side, the same way pwdAccountLockedTime does, but with a fixed date, AND have a boolean flag valid/invalid for easy selection of valid account in queries.
Thank you for the input.
-dan
Guillaume Rousse wrote:
Daniel Durgin a écrit :
Hello,
Does any one know how to force the expiration of an account within the slapo-ppolicy overlay?
For instance, says that an employee's last day with the organization ends at 5PM, is there a flag I can set to deactivate an account at that time.
Everything depends what you define by 'deactivate' exactly.
You can use shadowAccount class shadowExpire attribute to a given date to make pam reject logins attempts after this date. But that is only a client-side effect for a specific application.
You can use ppolicy pwdAccountLockedTime attribute to 000001010000Z value to make all bind operation fails, but using an external mean, such as a cron task, as it is impossible to set a date in the future and hope ppolicy will start honours it once this time is reached.
You could also use the smbkrb5 overlay, and rely on kerberos-specific password expiration date to make autentication fails server-side, this time after a given date.
In both case, the account will still exists in the directory, meaning the user will still be part of mailing list whose membership is based on ldap requests, for instance.
I'd like also to have a way to first lock password server-side, the same way pwdAccountLockedTime does, but with a fixed date, AND have a boolean flag valid/invalid for easy selection of valid account in queries.
Set the pwdAccountLockedTime attribute to 000001010000Z.
Craig
On Wed, 2009-04-15 at 22:04 -0400, Daniel Durgin wrote:
Hello,
Does any one know how to force the expiration of an account within the slapo-ppolicy overlay?
For instance, says that an employee's last day with the organization ends at 5PM, is there a flag I can set to deactivate an account at that time.
I know that I could write a cronjob that would do this.
Thanks, Dan
openldap-software@openldap.org
-
Craig Squires -
Daniel Durgin -
Guillaume Rousse