Daniel Durgin a écrit :
Hello,
Does any one know how to force the expiration of an account within the
slapo-ppolicy overlay?
For instance, says that an employee's last day with the organization
ends at 5PM, is there a flag I can set to deactivate an account at
that time.
Everything depends what you define by 'deactivate' exactly.
You can use shadowAccount class shadowExpire attribute to a given date
to make pam reject logins attempts after this date. But that is only a
client-side effect for a specific application.
You can use ppolicy pwdAccountLockedTime attribute to 000001010000Z
value to make all bind operation fails, but using an external mean, such
as a cron task, as it is impossible to set a date in the future and hope
ppolicy will start honours it once this time is reached.
You could also use the smbkrb5 overlay, and rely on kerberos-specific
password expiration date to make autentication fails server-side, this
time after a given date.
In both case, the account will still exists in the directory, meaning
the user will still be part of mailing list whose membership is based on
ldap requests, for instance.
I'd like also to have a way to first lock password server-side, the same
way pwdAccountLockedTime does, but with a fixed date, AND have a boolean
flag valid/invalid for easy selection of valid account in queries.