This article describes how to handle setting an account expiry date in OpenLDAP. It should be a useful reference for anyone facing the same problem; read on to learn more.

Problem description

I wish to implement a new account policy in OpenLDAP that allows an administrator to set an expiry date on user accounts. However, I can't find any related attribute in the object classes.

This is not related to password attributes like pwdMaxAge. This policy is for a subscription service. Once a user has subscribed to the server for a certain period, the administrator sets the account expiry date to the date the subscription ends. The user can authenticate before the expiry date and will fail to authenticate after it.

Is it possible to do this in OpenLDAP? I googled and found that Microsoft's Active Directory has an AccountExpirationDate attribute.

Solution

There is no direct support for account expiration in OpenLDAP or its overlays (not even in contrib/).

Howard Chu suggests using ppolicy's pwdMaxAge for this, which can be made to work, but I've found this less than ideal: if you're already using ppolicy to expire passwords (in addition to expiring accounts), it will conflict with those settings, and if you've configured grace logins (the sane thing to do), the user can change his password and thus reset the expiration timer.

So it seems the best way to implement this (and a good way it is not) is by running an external task that sets the (ppolicy attribute) pwdAccountLockedTime to the magic value that indicates a manually locked account, which cannot be unlocked by the user:

pwdAccountLockedTime

This attribute holds the time that the user's account was locked. If the account has been locked, the password may no longer be used to authenticate the user to the directory. If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator. Note that account locking only takes effect when the pwdLockout password policy attribute is set to TRUE.

This external task (most likely a cronjob) could be implemented so that it reads the expiration date/time from a custom attribute (e.g. expirationTime) on the user record as it loops over the users. That way you can store the expiration time/date on the user record, but of course the lockout relies entirely on this external task running.

Or you could write your own overlay.
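An added example of the cron task described above (this is not code from the original answer). It assumes a custom single-valued attribute named expirationTime in LDAP GeneralizedTime form on each user entry, takes the search result as plain dicts, and emits LDIF for ldapmodify instead of writing to the directory itself; the sample entries are constructed.

```python
from datetime import datetime, timezone

# Magic value from the ppolicy draft: "permanently locked, only an admin can unlock".
PERMANENT_LOCK = "000001010000Z"

def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the form YYYYMMDDHHMMSSZ (UTC only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expired_accounts(entries, now_gt):
    """Return DNs whose (hypothetical) expirationTime is at or before now_gt
    and that are not already permanently locked, so re-runs are idempotent.
    Each entry is a dict: 'dn' plus single-valued attributes as strings."""
    now = parse_generalized_time(now_gt)
    to_lock = []
    for entry in entries:
        expiry = entry.get("expirationTime")
        if expiry is None:
            continue   # no expiry set on this account: leave it alone
        if entry.get("pwdAccountLockedTime") == PERMANENT_LOCK:
            continue   # already locked by an administrator
        if parse_generalized_time(expiry) <= now:
            to_lock.append(entry["dn"])
    return to_lock

def lock_ldif(dns):
    """Build the LDIF modify records to pipe into ldapmodify. The lock only
    takes effect if the applicable ppolicy entry has pwdLockout: TRUE."""
    records = []
    for dn in dns:
        records.append("dn: %s\nchangetype: modify\nreplace: pwdAccountLockedTime\n"
                       "pwdAccountLockedTime: %s\n" % (dn, PERMANENT_LOCK))
    return "\n".join(records)

# Constructed sample entries standing in for an ldapsearch result.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "expirationTime": "20240131235959Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "expirationTime": "20991231235959Z"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "expirationTime": "20230101000000Z",
     "pwdAccountLockedTime": PERMANENT_LOCK},
    {"dn": "uid=dave,ou=people,dc=example,dc=com"},
]

if __name__ == "__main__":
    now_gt = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    print(lock_ldif(expired_accounts(SAMPLE_ENTRIES, now_gt)), end="")
```

Run from cron and pipe the output into ldapmodify with an administrative bind; the accounts stay locked until an administrator clears pwdAccountLockedTime.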


That concludes this article on how to set an account expiry date in OpenLDAP. We hope the answer above helps.

08-04 06:01