Re: Extensible filters and ordering searches: filtering shadowExpire by range?
- To: Côme Chilliet <come@opensides.be>, openldap-technical@openldap.org
- Subject: Re: Extensible filters and ordering searches: filtering shadowExpire by range?
- From: Michael Ströder <michael@stroeder.com>
- Date: Wed, 19 Jun 2019 11:44:59 +0200
- Autocrypt: addr=michael@stroeder.com; prefer-encrypt=mutual
- In-reply-to: <2172916.04gkuUd6Ye@mcmic-probook>
- Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
- References: <2667391.fHl9Fc5JOF@mcmic-probook> <2499576.beduc5CjLZ@mcmic-probook> <9C88777380B6659D0BE2EE70@192.168.1.39> <2172916.04gkuUd6Ye@mcmic-probook>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1
On 6/19/19 8:56 AM, Côme Chilliet wrote:
> Yeah this is what I was calling timestamp sorry, getting the integer
> for today is easy, but it seems there is no way for writing a search
> filter with greater-than or lesser-than for this attribute.
>
> It has to do with the LDAP protocol that LDAP lets schema define
> attributes in ways that forbid substring and range filters.
LDAP models (see RFC 4512) allow this kind of schema definition.
Sometimes it makes sense to e.g. explicitly omit matching rules.
So it's not a deficiency of the "LDAP protocol".
The object class shadowAccount and its attribute shadowExpire were
defined in RFC 2307 and the schema shipped with OpenLDAP just sticks with
that. One has to remember that the object class shadowAccount was
defined for providing a simple shadow map on Unixoid systems. Thus the
attribute shadowExpire was never meant to be used in LDAP search operations.
You would have to publish a revised RFC for fixing that.
But nobody will work on that. It's because you should never ever rely on
attribute shadowExpire for password expiry because it's only enforced
when processing a shadow map on a Unixoid system and it's useless for
password expiry when processing LDAP bind operations.
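As an added illustration (not part of Michael's mail or of OpenLDAP itself) of why the range filter from the question fails: RFC 2307 declares shadowExpire with an EQUALITY rule only, so under RFC 4511's three-valued filter logic a <= or >= assertion is Undefined and never matches. The 'exampleExpire' attribute type with an ORDERING rule and the entry below are constructed for contrast.

```python
import re
from datetime import date

# RFC 2307 definition of shadowExpire (same as in OpenLDAP's nis.schema):
# EQUALITY only, no ORDERING rule, so <= and >= filters are Undefined.
SHADOW_EXPIRE_DEF = (
    "( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerMatch"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
)
# Hypothetical attribute type (not from any RFC) that does carry an ORDERING rule.
EXAMPLE_EXPIRE_DEF = (
    "( 1.1.1.999 NAME 'exampleExpire' EQUALITY integerMatch"
    " ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )"
)
# Constructed sample entry: both attributes hold the same day number.
ENTRY = {"shadowExpire": ["17000"], "exampleExpire": ["17000"]}

def parse_attribute_type(definition):
    """Pull NAME and the matching-rule keywords out of an RFC 4512 attribute type."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)
    rules = {}
    for kw in ("EQUALITY", "ORDERING", "SUBSTR"):
        m = re.search(rf"\b{kw}\s+(\S+)", definition)
        if m:
            rules[kw] = m.group(1)
    return name, rules

SCHEMA = dict(parse_attribute_type(d) for d in (SHADOW_EXPIRE_DEF, EXAMPLE_EXPIRE_DEF))
FILTER_RE = re.compile(r"^\((\w+)(<=|>=|=)(-?\d+)\)$")

def evaluate_filter(filter_str, entry):
    """Return 'TRUE', 'FALSE' or 'UNDEFINED' as RFC 4511 filter evaluation would."""
    attr, op, raw = FILTER_RE.match(filter_str).groups()
    rules = SCHEMA.get(attr)
    needed = "EQUALITY" if op == "=" else "ORDERING"
    # No applicable matching rule in the schema: the server cannot compare the
    # values, the filter is Undefined, and the search quietly returns nothing.
    if rules is None or needed not in rules:
        return "UNDEFINED"
    asserted = int(raw)
    for v in map(int, entry.get(attr, [])):
        if (op == "=" and v == asserted) or (op == "<=" and v <= asserted) \
                or (op == ">=" and v >= asserted):
            return "TRUE"
    return "FALSE"

def days_since_epoch(d):
    """shadowExpire stores days since 1970-01-01 (the 'integer for today' above)."""
    return (d - date(1970, 1, 1)).days
```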
Furthermore, for a user changing his/her own password I often see an ACL
like this:
access to
attrs=userPassword,shadowExpire
by group="cn=slapd Password Admins,dc=example,dc=com" write
by self write
by anonymous auth
Can you see what's wrong with it?
(Actually there are two issues in the above ACL.)
To summarize the summary of the summary:
=> Use slapo-ppolicy for enforcing password expiry instead.
Ciao, Michael.