
disabling an account after an expiry date



I am considering using OpenLDAP for authentication at an ISP and I was
wondering if it's possible to do the following?

First of all I would like to be able to control what servers users can
log in to.  So on the mail server (postfix is the mta, but no imapd or
popd will be) I don't want users to be able to authenticate or receive
mail if they don't have a certain flag set against their name.  Same
with the webserver (which will be apache, probably with proftpd) and
radius (cistron) for dialup.  I was taking a quick look at what could be
done and I was wondering if the best way would be to use
'objectclass: mail' etc?

The other thing I was wondering, is it possible to set a date in a field
for when their account expires?  So if they don't renew their account
and it somehow slips by the bean counters, they won't be able to
authenticate?  Even better if their website doesn't work, but I am
guessing I'd have to generate config from scripts as a cron job to 
accomplish that.  But I'd probably have cron jobs to delete accounts if
they haven't been renewed for so many months, or at least draw it to
someone's attention.

Also I am just wondering what naming convention is best for
authentication?  Just things like what to name attributes for usernames,
numeric uids, home directories etc.

Last of all, I am a little confused about password cryptography. At
http://www.openldap.org/faq/data/cache/347.html
Is SSHA the same thing as SHA but with a seed?  Should SSHA passwords
have {SSHA} before them or {SHA} (the script at that URL seems to just
put the latter)?  And what does the seed do anyway?

Thanks,

-- 
Jeremy Lunn
Melbourne, Australia
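
The {SHA} and {SSHA} userPassword formats asked about above, as an added example that is not part of the original post: {SSHA} is base64(SHA1(password + salt) + salt), so the prefix tells the verifier whether trailing salt bytes are present. The function names, the 8-byte salt length, the verifier's strictness about mislabelled values and the sample password are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_sha(password: bytes) -> str:
    """Unsalted scheme: {SHA} + base64(SHA1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()


def make_ssha(password: bytes, salt: bytes = None) -> str:
    """Salted scheme: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is a choice made for this example
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password: bytes, stored: str) -> bool:
    """Check a password against a {SHA} or {SSHA} userPassword value."""
    scheme, sep, b64 = stored.partition("}")
    scheme = scheme.upper()
    if not sep or scheme not in ("{SHA", "{SSHA"):
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    # The first 20 bytes are the digest; anything after them is the salt.
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if len(digest) != SHA1_LEN:
        return False
    # A mislabelled value fails here: {SHA} must carry no salt, {SSHA} must.
    if (scheme == "{SSHA") != bool(salt):
        return False
    expected = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    pw = b"secret"  # constructed sample password
    print(make_sha(pw))   # identical for every account that uses this password
    print(make_ssha(pw))  # differs on each run because the salt is random
    print(make_ssha(pw))
```

Because every {SSHA} value carries its own random salt, two accounts with the same password store different strings, and a table of precomputed SHA-1 hashes does not match any of them.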