
Re: Howto time expires an Openldap account ?



LABICHE Alexandre wrote:
> I would like to know if I can use something like this in slapd.conf
>
> After adding a "Generalized Time" attribute in schema (for example expiredtime)
>
> access to attrs=userpassword  filter=(expiredtime<=NOW)
>
> But how can I implement the function NOW because slapd must evaluate this value at each login.

You can't (as far as I know).

> There are other heavy methods like ppolicy but User can't change his password (expiredtime eq pwdChangedPassword)

I can't understand the above sentence; please elaborate

> Or create an expiredtime and with an external daily process, flag account.

This would be the natural solution: an administrative, batch client could invalidate expired accounts; then the filter could look like

access to attrs=userpassword filter="(expired=TRUE)"
...

> Or create a back method with a lot of leak memory ...

You can implement some specific access rule by looking at the "dynacl" API (an example is ACIs, or module "contrib/slapd-modules/acl/posixgroup.c"). Your module could implement exactly what you thought of, i.e. a rule that compares the value of an attribute in the database with the current time.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
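
The daily batch job suggested in the reply above, sketched as an added example (not code from the original message or from OpenLDAP): it reads `ldapsearch` LDIF output, compares each entry's `expiredtime` with the current time, and produces LDIF that `ldapmodify` can apply to set `expired: TRUE`. The attribute names come from the thread; the function names and sample DNs are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone
# RFC 4517 GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hh[mm]|-hh[mm])
_GT = re.compile(r"^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)?(\d\d)?(?:[.,]\d+)?(Z|[+-]\d\d(?:\d\d)?)$")

def parse_generalized_time(value):
    """Return an aware UTC datetime (fraction dropped); ValueError if malformed."""
    m = _GT.match(value.strip())
    if not m:
        raise ValueError("bad GeneralizedTime: %r" % value)
    y, mo, d, h, mi, s, tz = m.groups()
    dt = datetime(int(y), int(mo), int(d), int(h), int(mi or 0), int(s or 0), tzinfo=timezone.utc)
    if tz != "Z":  # local time with offset: convert to UTC
        off = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
        dt = dt - off if tz[0] == "+" else dt + off
    return dt

def expiry_ldif(search_ldif, now):
    """Return (LDIF modify records, malformed DNs); input is unfolded, non-base64 LDIF."""
    records, skipped = [], []
    for block in search_ldif.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l and l[0] != "#")
        attrs = {k.lower(): v for k, v in pairs}
        dn, when = attrs.get("dn"), attrs.get("expiredtime")
        if not dn or not when or attrs.get("expired") == "TRUE":
            continue  # no expiry set, or already flagged
        try:
            due = parse_generalized_time(when) <= now
        except ValueError:
            skipped.append(dn)  # report for review instead of guessing
            continue
        if due:
            records.append("dn: %s\nchangetype: modify\nreplace: expired\nexpired: TRUE\n-\n" % dn)
    return "\n".join(records), skipped

# Constructed sample input, not taken from a real directory.
SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
expiredtime: 20240101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
expiredtime: 20240615120000+0200

dn: uid=carol,ou=people,dc=example,dc=com
expiredtime: 2024-06-15
"""

if __name__ == "__main__":
    print(*expiry_ldif(SAMPLE, datetime(2024, 6, 15, 10, 30, tzinfo=timezone.utc)), sep="\n# malformed: ")
```

Entries whose `expiredtime` cannot be parsed are returned separately rather than flagged, so a typo in the directory neither locks an account nor silently leaves it active.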