Tim Watts wrote:
> "Delete" - they vanish from libnss and other places, but we still hold their
> LDAP record for easy resurrection (this happens a lot - we have a class of
> nomadic users - they work on a project, go away, then come back on another
> project 2 years later).

That state I'd call "inactive" or similar. But that's cosmetic.

In my systems there's always exactly one status "active" for which I allow
"auth" on "userPassword".

E.g. in Æ-DIR the attribute 'aeStatus' can have these Integer values:

-1: requested
0: active
1: deactivated
2: archived

I suspect you're overloading the semantics of 'employeeType' by putting two
meanings into one attribute.

Ciao, Michael.
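An added example, not part of the message above and not Æ-DIR's own ACLs: one way to express "auth on userPassword only for the active status" in OpenLDAP slapd.conf access-control syntax, shown beside the ungated rule it replaces. The suffix dc=example,dc=org is a placeholder, and the filter assumes 'aeStatus' has an equality matching rule in the schema.

```conf
# --- Ungated: any entry holding a userPassword can be used to bind,
# --- whatever its lifecycle state.
#access to attrs=userPassword
#    by self write
#    by anonymous auth
#    by * none

# --- Status-gated: simple bind is evaluated only against entries whose
# --- status is "active" (aeStatus=0 in the list above).
# dc=example,dc=org is a placeholder suffix (assumption).
access to dn.subtree="dc=example,dc=org"
    filter="(aeStatus=0)"
    attrs=userPassword
    by self write
    by anonymous auth
    by * none

# --- Everything else (requested, deactivated, archived): the record is
# --- kept for later reactivation, but userPassword is unreachable, so a
# --- bind as that entry fails.
access to dn.subtree="dc=example,dc=org"
    attrs=userPassword
    by * none
```

slapd applies the first `access to` clause whose target matches, so the filtered rule must come before the catch-all deny.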