Alina Dubrovska writes:
> I need to implement user account lifetime functionality on my OpenLDAP
> server (2.3.27).  For each user account lifetime can be set as
> "forever" or "number of days between 1 and 365".  After lifetime
> expires user must be terminated (still present in LDAP, but not able
> to login).
>
> Could you please suggest some convenient way to implement such
> requirement?

I can't think of a directly supported way.  So unless I'm missing
something, the simplest will be to create an attribute with the expiry
(is that correctly spelled?) time which includes an ORDERING rule, and
an object class which allows that attribute.

Do not set the attr for "forever"-entries, or use e.g. year 9000 as
"forever".  Then...

- If your DB is small enough (since you can't index for ORDERING), run a
  cron job every day which searches for "(expiryattribute<=now)"
  and deletes userPassword and the expiry attr from the found
  entries.

- Or you could write a new overlay which rejects Bind if the expiry time
  is in the past.

- Or you can have an access statement
    access to attrs=userPassword filter=(expiryattribute<=now)
           by * none
  before other access statements controlling userPassword, which a cron
  job updates each day.  Can be done over the protocol if you use the
  config backend, otherwise it has to update slapd.conf and restart
  slapd so it'll re-read slapd.conf.

Something like this, unless someone knows an existing schema you can
use:

    attributeType ( <your organization's OID>.1.1.1
        NAME '<yourOrganization>expiryTime'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )

    objectClass ( <your organization's OID>.1.2.1
        NAME '<yourOrganization>expiryObject'
        AUXILIARY
        MAY ( <yourOrganization>expiryTime ) )

See Generalized Time in RFC 4517 for a description of the Generalized
Time syntax.  See <http://www.openldap.org/faq/data/cache/391.html>
about getting an OID.

-- 
Regards,
Hallvard
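An added worked example of the first (cron job) variant described in the reply above; it is not code from the message or from the OpenLDAP project. It uses only the Python standard library and runs offline against constructed sample entries: it formats RFC 4517 GeneralizedTime values, derives the expiry value from a 1..365-day lifetime (leaving it unset for "forever"), builds the `(expiryattribute<=now)` search filter, and emits the LDIF modify records that strip `userPassword` and the expiry attribute from expired accounts. The attribute name `exampleOrgExpiryTime` is a hypothetical stand-in for `<yourOrganization>expiryTime`; the DNs and password values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical attribute name standing in for '<yourOrganization>expiryTime'
# from the schema in the message above.
EXPIRY_ATTR = "exampleOrgExpiryTime"
# The "year 9000" convention for forever; an absent attribute also means forever.
FOREVER_SENTINEL = "90000101000000Z"


def to_generalized_time(dt: datetime) -> str:
    """Format an aware datetime as RFC 4517 GeneralizedTime in UTC, e.g. 20240131235959Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expiry_from_lifetime(created: datetime, lifetime_days):
    """Value to store at account creation.

    None means 'forever' and the attribute is simply not set.  Otherwise the
    lifetime must be 1..365 days, as in the original requirement.
    """
    if lifetime_days is None:
        return None
    if not 1 <= lifetime_days <= 365:
        raise ValueError("lifetime must be between 1 and 365 days")
    return to_generalized_time(created + timedelta(days=lifetime_days))


def expired_filter(now: datetime) -> str:
    """LDAP filter for the daily sweep.

    The <= assertion needs the ORDERING rule (generalizedTimeOrderingMatch)
    declared in the schema; the userPassword presence test skips accounts
    that were already terminated by an earlier run.
    """
    return f"(&({EXPIRY_ATTR}<={to_generalized_time(now)})(userPassword=*))"


def is_expired(entry: dict, now: datetime) -> bool:
    """Local equivalent of the server-side filter.

    Plain string comparison is only valid because both sides are in the
    fixed-width YYYYMMDDHHMMSSZ form; the server's ORDERING rule normalises
    other GeneralizedTime forms (fractions, offsets) itself.
    """
    value = entry.get(EXPIRY_ATTR)
    if value is None:
        return False
    return value <= to_generalized_time(now)


def termination_ldif(entry: dict) -> str:
    """LDIF change record that removes userPassword and the expiry attribute,
    leaving the entry in place so the account still exists but cannot bind."""
    return "\n".join([
        f"dn: {entry['dn']}",
        "changetype: modify",
        "delete: userPassword",
        "-",
        f"delete: {EXPIRY_ATTR}",
        "-",
        "",
    ])


def sweep(entries, now: datetime):
    """One LDIF change record per account that is due for termination."""
    return [termination_ldif(e) for e in entries
            if "userPassword" in e and is_expired(e, now)]


# Constructed sample directory contents for an offline run.
PW = "{SSHA}sample-hash"
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "userPassword": PW,
     EXPIRY_ATTR: "20240131000000Z"},            # expired two weeks ago
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "userPassword": PW},
                                                 # attribute unset: forever
    {"dn": "uid=carol,ou=people,dc=example,dc=org", "userPassword": PW,
     EXPIRY_ATTR: FOREVER_SENTINEL},             # year-9000 sentinel: forever
    {"dn": "uid=dave,ou=people,dc=example,dc=org", "userPassword": PW,
     EXPIRY_ATTR: "20240301000000Z"},            # still valid
    {"dn": "uid=eve,ou=people,dc=example,dc=org", "userPassword": PW,
     EXPIRY_ATTR: "20240215120000Z"},            # expires exactly now: <= matches
    {"dn": "uid=frank,ou=people,dc=example,dc=org",
     EXPIRY_ATTR: "20240101000000Z"},            # no userPassword: already terminated
]

if __name__ == "__main__":
    now = datetime(2024, 2, 15, 12, 0, 0, tzinfo=timezone.utc)
    print("# search filter:", expired_filter(now))
    print("".join(sweep(SAMPLE_ENTRIES, now)), end="")
```

In a real deployment the cron job would run `ldapsearch` with the filter from `expired_filter()` and pipe the output of `sweep()` into `ldapmodify`; the local `is_expired()` check is there so the selection logic can be tested without a server.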
