[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Howto time expires an Openldap account ?

To: ando@sys-net.it
Subject: Re: Howto time expires an Openldap account ?
From: "LABICHE Alexandre" <alexandrelabiche@hotmail.com>
Date: Tue, 05 Sep 2006 20:09:03 +0000
Cc: openldap-software@OpenLDAP.org
In-reply-to: <44FDD29C.3000807@sys-net.it>

Hello Pierangelo,

Thanks for your quick reply and your perfect analyse.

To explain what I use in ppolicy is to lock an account at a specific time. Exactly the account is locked because user doesn't change his password after a graceful period. But if he changes his password before graceful period , his account is OK for a new period.

So if want to lock an account I must block the "change password" for users. That's what I think.

It's not really a expiredtime account and our internal policy wants users change their passwords.

From: Pierangelo Masarati <ando@sys-net.it>
To: LABICHE Alexandre <alexandrelabiche@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: Howto time expires an Openldap account ?
Date: Tue, 05 Sep 2006 21:40:12 +0200
LABICHE Alexandre wrote:
I would like to know if I can use somethiing like this in slapd.conf
After adding a "Generalized Time" attribut in schema (for example expiredtime)
access to attrs=userpassword  filter=(expiredtime<=NOW)
But how can I implement the function NOW because slapd must evaluate this value at each login.
You can't (as far as I know).
There are others heavy methods like ppolicy but User can't change his password (expiredtime eq pwdChangedPassword)
I can't understand the above sentence; please elaborate
Or create an expiredtime and with a external daliy process, flag account .
This would be the natural solution: an administrative, batch client could invalidate expired accounts; then the filter could look like access to attrs=userpassword filter="(expired=TRUE)" ...
Or create a back method with a lot of leak memory ...
You can implement some specific access rule by looking at the "dynacl" API (an example is ACIs, or module "contrib/slapd-modules/acl/posixgroup.c". Your module could implement exactly what you thought of, i.e. a rule that compares the value of an attribute in the database with the current time.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Follow-Ups:
- Re: Howto time expires an Openldap account ?
  - From: Howard Chu <hyc@symas.com>

References:
- Re: Howto time expires an Openldap account ?
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Howto time expires an Openldap account ?
Next by Date: Re: Howto time expires an Openldap account ?
Index(es):
- Chronological
- Thread