Re: Question about ppolicy usage
- To: openldap-technical@openldap.org
- Subject: Re: Question about ppolicy usage
- From: Mikael Bak <bak.mikael@oszk.hu>
- Date: Tue, 2 Apr 2019 08:31:49 +0200
- Content-language: en-US
- In-reply-to: <89bdc155-a159-4d67-a668-f2b3e21d814f@stroeder.com>
- Openpgp: preference=signencrypt
- References: <c855af59-9cdf-32df-08b1-4ea902774ef4@oszk.hu> <89bdc155-a159-4d67-a668-f2b3e21d814f@stroeder.com>
Hi Michael,
On 2019. 04. 01. 18:07, Michael Ströder wrote:
> On 4/1/19 5:32 PM, Mikael Bak wrote:
>> 1) I want to be able to disable users. I can do this by setting:
>> pwdAccountLockedTime: 000001010000Z
>
> I'd recommend to use another attribute and define a ACL on
> attrs=userPassword for that.
>
Yes, I can do that, but I did not find any obvious choice of attribute
for this in the included schemas. What attribute do you recommend for this?
>> 2) I want to be able to set a date in the future when a user account
>> will expire / deactivate.
>>
>> I was hoping to be able to set "pwdAccountLockedTime" to a date in the
>> future and after that date the user account would be locked.
>>
>> Reading the source code for ppolicy I find an interesting block in the
>> function "account_locked()" at line 356:
>>
>> /* Still in the future? not yet in effect */
>> if (now < then)
>> return 0;
>>
>> This leads me to believe that the author's intention may have been to
>> allow what I want to do.
>
> Note that semantics for 'pwdAccountLockedTime' are defined herein:
>
> https://tools.ietf.org/html/draft-behera-ldap-password-policy
>
> It does not mean what you want to achieve.
>
Thanks for the link to the ppolicy draft.
As I said, I realize ppolicy is probably not the best choice for what I
want to do. Unfortunately I did not find any other overlay module that
does what I would like to do. Are there any?
I'm very curious to know what others do in this situation.
> For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus,
> aeNotAfter etc.
>
> https://www.ae-dir.com/docs.html#schema-at-aeStatus
>
Thanks for the info.
How do you handle the expiry in Æ-DIR? I have not found a way to construct
an ACL that can have "today" or "now" as a search parameter.
I'm quite new to LDAP, so a little help is greatly appreciated.
Thanks,
Mikael
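A constructed Python model (added here, not OpenLDAP's code) of the pwdAccountLockedTime semantics discussed in this thread: it follows the draft's meaning of 000001010000Z and the "still in the future? not yet in effect" block quoted from account_locked(), so it shows why the permanent value disables an account while a future timestamp does not. The pwdLockoutDuration value is assumed to be given in seconds, with 0 meaning the lock never expires.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the ppolicy lock check; not the overlay's own code.
PERMANENT_LOCK = "000001010000Z"  # draft: locked until an admin clears it


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20190402063149Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_locked(pwd_account_locked_time, now, pwd_lockout_duration=0):
    """Return True if the account is locked at time `now`.

    absent attribute        -> not locked
    000001010000Z           -> permanently locked
    timestamp in the future -> NOT locked: the stamp is "not yet in effect"
    timestamp in the past   -> locked, unless pwdLockoutDuration has elapsed
    """
    if pwd_account_locked_time is None:
        return False
    if pwd_account_locked_time == PERMANENT_LOCK:
        return True
    then = parse_generalized_time(pwd_account_locked_time)
    if now < then:
        return False  # a future date does not deactivate the account
    if pwd_lockout_duration == 0:
        return True  # no expiry configured: lock stays until cleared
    return now < then + timedelta(seconds=pwd_lockout_duration)


def demo():
    """Evaluate the four cases raised in the thread at the mail's send time."""
    now = parse_generalized_time("20190402063149Z")  # 08:31:49 +0200 in UTC
    return {
        "disabled": account_locked(PERMANENT_LOCK, now),
        "future_expiry": account_locked("20191231000000Z", now),
        "recent_lockout": account_locked("20190402060000Z", now, 3600),
        "expired_lockout": account_locked("20190401060000Z", now, 3600),
    }


if __name__ == "__main__":
    for case, locked in demo().items():
        print(f"{case}: {'locked' if locked else 'not locked'}")
```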