[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Howto time expires an Openldap account ?
LABICHE Alexandre wrote:
I would like to know if I can use somethiing like this in slapd.conf
After adding a "Generalized Time" attribut in schema (for example
expiredtime)
access to attrs=userpassword filter=(expiredtime<=NOW)
But how can I implement the function NOW because slapd must evaluate
this value at each login.
You can't (as far as I know).
There are others heavy methods like ppolicy but User can't change his
password (expiredtime eq pwdChangedPassword)
I can't understand the above sentence; please elaborate
Or create an expiredtime and with a external daliy process, flag
account .
This would be the natural solution: an administrative, batch client
could invalidate expired accounts; then the filter could look like
access to attrs=userpassword filter="(expired=TRUE)"
...
Or create a back method with a lot of leak memory ...
You can implement some specific access rule by looking at the "dynacl"
API (an example is ACIs, or module
"contrib/slapd-modules/acl/posixgroup.c". Your module could implement
exactly what you thought of, i.e. a rule that compares the value of an
attribute in the database with the current time.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------