On 4/2/19 8:31 AM, Mikael Bak wrote:
On 2019. 04. 01. 18:07, Michael Ströder wrote:
I'd recommend to use another attribute and define an ACL on attrs=userPassword for that.
Yes, I can do that, but I did not find any obvious choice of attribute for this in the included schemas. What attribute do you recommend for this?
One candidate is 'organizationalStatus':
https://tools.ietf.org/html/rfc4524#section-2.19
But you would need to define your own custom object class.
For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus, aeNotAfter etc.
Thanks for the info. How do you handle the expiry in Æ-DIR? I have not found a way to construct an ACL that can have "today" or "now" as a search parameter.
Last time something like this was discussed here: https://www.openldap.org/lists/openldap-technical/201402/msg00186.html
I'd love to see this implemented: https://tools.ietf.org/html/draft-pluta-ldap-srv-side-current-time-match-01
Until then Æ-DIR uses a small CRON job for updating 'aeStatus' if 'aeNotAfter' is reached and 'aeExpiryStatus' is set.
Ciao, Michael.
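
The cron-job workaround described in the last reply, as an added example (not part of the original message and not Æ-DIR's own code): because the server cannot match against "now", the job supplies the current time itself and copies 'aeExpiryStatus' into 'aeStatus' once 'aeNotAfter' is reached. The function names, the search filter, the entry layout and the status values "0"/"1" are assumptions made for illustration.

```python
from datetime import datetime, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # GeneralizedTime in UTC with seconds precision


def expiry_filter(now):
    """Assumed search filter: the client writes 'now' into the filter itself."""
    return "(&(aeNotAfter<=%s)(aeExpiryStatus=*))" % now.strftime(GT_FORMAT)


def pending_updates(entries, now):
    """Return ({dn: new aeStatus}, [dns with unparsable aeNotAfter])."""
    updates, malformed = {}, []
    for dn, attrs in entries.items():
        not_after = attrs.get("aeNotAfter")
        expiry_status = attrs.get("aeExpiryStatus")
        if not not_after or not expiry_status:
            continue  # nothing scheduled for this entry
        try:
            deadline = datetime.strptime(not_after[0], GT_FORMAT)
        except ValueError:
            malformed.append(dn)  # report it rather than silently never expiring
            continue
        deadline = deadline.replace(tzinfo=timezone.utc)
        current = attrs.get("aeStatus", [None])[0]
        if deadline <= now and current != expiry_status[0]:
            updates[dn] = expiry_status[0]
    return updates, malformed


# Constructed sample entries (attribute values as lists of strings).
SAMPLE = {
    "uid=alice,dc=example,dc=org": {"aeStatus": ["0"],
        "aeNotAfter": ["20190401000000Z"], "aeExpiryStatus": ["1"]},
    "uid=bob,dc=example,dc=org": {"aeStatus": ["0"],
        "aeNotAfter": ["20190501000000Z"], "aeExpiryStatus": ["1"]},
    "uid=carol,dc=example,dc=org": {"aeStatus": ["1"],
        "aeNotAfter": ["20190101000000Z"], "aeExpiryStatus": ["1"]},
    "uid=dave,dc=example,dc=org": {"aeStatus": ["0"],
        "aeNotAfter": ["20190301000000Z"]},
    "uid=erin,dc=example,dc=org": {"aeStatus": ["0"],
        "aeNotAfter": ["2019-03-01"], "aeExpiryStatus": ["1"]},
}
NOW = datetime(2019, 4, 2, 8, 31, tzinfo=timezone.utc)  # constructed clock value

if __name__ == "__main__":
    print(expiry_filter(NOW))
    print(pending_updates(SAMPLE, NOW))
```

Between two runs of such a job an expired entry keeps its old 'aeStatus', so the job's interval bounds how long an expired entry can still pass an ACL that tests the status attribute.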