
Re: Question about ppolicy usage



On 4/2/19 8:31 AM, Mikael Bak wrote:
> On 2019. 04. 01. 18:07, Michael Ströder wrote:
>> I'd recommend to use another attribute and define an ACL on
>> attrs=userPassword for that.
> 
> Yes, I can do that, but I did not find any obvious choice of attribute
> for this in the included schemas. What attribute do you recommend for this?

One candidate is 'organizationalStatus':

https://tools.ietf.org/html/rfc4524#section-2.19

But you would need to define your own custom object class.

>> For Æ-DIR I defined custom meta attributes aeStatus, aeExpiryStatus,
>> aeNotAfter etc.
>>
>> https://www.ae-dir.com/docs.html#schema-at-aeStatus
> 
> Thanks for the info.
> How do you handle the expiry in Æ-DIR? I have not found a way to construct
> an ACL that can have "today" or "now" as a search parameter.

Last time something like this was discussed here:
https://www.openldap.org/lists/openldap-technical/201402/msg00186.html

I'd love to see this implemented:
https://tools.ietf.org/html/draft-pluta-ldap-srv-side-current-time-match-01

Until then Æ-DIR uses a small CRON job for updating 'aeStatus' if
'aeNotAfter' is reached and 'aeExpiryStatus' is set.

Ciao, Michael.
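
Added example, not part of the original message and not Æ-DIR's own code: a sketch of the selection logic such a periodic job needs, since the server cannot evaluate "now" in an ACL or filter by itself. It assumes 'aeNotAfter' holds a UTC GeneralizedTime value and that the value of 'aeExpiryStatus' is what gets written to 'aeStatus'; the entries, DNs and status values are constructed.

```python
from datetime import datetime, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # GeneralizedTime, UTC, whole seconds (assumed syntax)

def to_generalized_time(ts):
    """Render an aware datetime as a GeneralizedTime string."""
    return ts.astimezone(timezone.utc).strftime(GT_FORMAT)

def parse_generalized_time(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def expiry_filter(now):
    """Search filter the job would send: the client supplies the current time."""
    return "(&(aeNotAfter<=%s)(aeExpiryStatus=*))" % to_generalized_time(now)

def plan_updates(entries, now):
    """Return (dn, new_status) for entries whose aeNotAfter has been reached."""
    changes = []
    for dn, attrs in entries:
        not_after = attrs.get("aeNotAfter")
        expiry_status = attrs.get("aeExpiryStatus")
        if not not_after or not expiry_status:
            continue  # no expiry configured for this entry
        if parse_generalized_time(not_after) > now:
            continue  # not yet expired
        if attrs.get("aeStatus") == expiry_status:
            continue  # already updated on a previous run
        changes.append((dn, expiry_status))
    return changes

def to_ldif(changes):
    """Render the planned changes as LDIF modify records (ASCII DNs assumed)."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nreplace: aeStatus\naeStatus: %s\n-\n" % c
        for c in changes
    )

# Constructed sample data; "0" and "1" are placeholder status values.
NOW = datetime(2019, 4, 2, 8, 31, tzinfo=timezone.utc)
BASE = "ou=people,dc=example,dc=org"
SAMPLE_ENTRIES = [
    ("uid=alice," + BASE, {"aeNotAfter": "20190401000000Z", "aeExpiryStatus": "1", "aeStatus": "0"}),
    ("uid=bob," + BASE, {"aeNotAfter": "20200101000000Z", "aeExpiryStatus": "1", "aeStatus": "0"}),
    ("uid=carol," + BASE, {"aeNotAfter": "20190101000000Z", "aeStatus": "0"}),
    ("uid=dave," + BASE, {"aeNotAfter": "20190101000000Z", "aeExpiryStatus": "1", "aeStatus": "1"}),
]

if __name__ == "__main__":
    print(expiry_filter(NOW))
    print(to_ldif(plan_updates(SAMPLE_ENTRIES, NOW)))
```

Between runs of the job an expired entry keeps its old 'aeStatus', so the run interval bounds how long an ACL keyed on that attribute still grants access after 'aeNotAfter'.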