Re: ppolicy force account expiration

[Guillaume Rousse <Guillaume.Rousse@inria.fr>]

Daniel Durgin a écrit :
> Hello,
>
> Does any one know how to force the expiration of an account within the 
> slapo-ppolicy overlay?
>
> For instance, says that an employee's last day with the organization 
> ends at 5PM, is there a flag I can set to deactivate an account at that 
> time.
Everything depends what you define by 'deactivate' exactly.

You can use shadowAccount class shadowExpire attribute to a given date 
to make pam reject logins attempts after this date. But that is only a 
client-side effect for a specific application.

You can use ppolicy pwdAccountLockedTime attribute to 000001010000Z 
value to make all bind operation fails, but using an external mean, such 
as a cron task, as it is impossible to set a date in the future and hope 
ppolicy will start honours it once this time is reached.

You could also use the smbkrb5 overlay, and rely on kerberos-specific 
password expiration date to make autentication fails server-side, this 
time after a given date.

In both case, the account will still exists in the directory, meaning 
the user will still be part of mailing list whose membership is based on 
ldap requests, for instance.

I'd like also to have a way to first lock password server-side, the same 
way pwdAccountLockedTime does, but with a fixed date, AND have a boolean 
flag valid/invalid for easy selection of valid account in queries.
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62