Hello,
I am trying to disable user logins for expired trial users. After searching online, I finally found a useful thread from this very list, archived at http://www.openldap.org/lists/openldap-technical/201111/msg00165.html
I accidentally tried to mess with the userPassword hash, but it did not work for me.
Since in that thread Michael showed/shared a better way to achieve the same goal of disabling users with ACLs, I am trying to copy his method.
I attempted to follow Michael's example. It has not worked yet. Below is my script:

dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write
  by anonymous auth
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write
  by * none
olcAccess: {2}to dn.base=""
  by * read
olcAccess: {3}to *
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write
  by * read

Currently, ldapmodify(1) is failing with an implementation-specific error, likely due to messed-up syntax or something. The additional info: <olcAccess> handler exited with 1
Michael's example is not written for OLC, so I managed to do something wrong. Any ideas?
Thank you,
Igor Shmukler
openldap-technical@openldap.org