Re: Question about ppolicy usage
On 4/1/19 5:32 PM, Mikael Bak wrote:
1) I want to be able to disable users. I can do this by setting:
pwdAccountLockedTime: 000001010000Z
I'd recommend to use another attribute and define a ACL on
attrs=userPassword for that.
2) I want to be able to set a date in the future when a user account
will expire / deactivate.
I was hoping to be able to set "pwdAccountLockedTime" to a date in the
future and after that date the user account would be locked.
Reading the source code for ppolicy I find an interesting block in the
function "account_locked()" at line 356:
/* Still in the future? not yet in effect */
if (now < then)
return 0;
This leads me to believe that the author's intension may have been to
allow what I want to do.
Note that semantics for 'pwdAccountLockedTime' are defined herein:
https://tools.ietf.org/html/draft-behera-ldap-password-policy
It does not mean what you want to achieve.
For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus,
aeNotAfter etc.
https://www.ae-dir.com/docs.html#schema-at-aeStatus
Ciao, Michael.