HP-UX Directory Server 8.1 administrator guide

NOTE:
The inactivity limit value is in seconds. So, a 30-day limit is specified as 2592000 seconds (30
days * 24 hours * 60 minutes * 60 seconds).
5. Insert the specifier attribute acctPolicySubentry into entries that should be covered by
the policy. The value of the attribute should be the DN of the account policy entry created
in the preceding step. Specify this attribute as a real attribute, inserted into each entry using
a modify operation or as part of the initial addition of the entry, or as a virtual attribute,
supplied by the Class of Service plug-in. (For more information about advanced Class of
Service configurations, see “Assigning class of service” (page 187).) The following is an
example of how an account policy can be applied to all users in the
ou=people,dc=example,dc=com subtree.
dn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
objectClass: top
objectClass: costemplate
cn: AP CoS Tmpl
cosPriority: 0
acctPolicySubentry: cn=Account Policy,ou=people,dc=example,dc=com

dn: cn=AP CoS Def,ou=people,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: cossuperdefinition
objectClass: cosPointerDefinition
cn: AP CoS Def
cosAttribute: acctpolicysubentry operational
costemplatedn: cn=AP CoS Tmpl,ou=people,dc=example,dc=com
7.6.2 Provisioning account inactivity policies
The account policy plug-in records the last login time in the lastLoginTime attribute. However,
by default, an account that has never been logged into does not have a lastLoginTime attribute.
For newly created accounts, you have two options for providing this attribute:
• Provision a lastLoginTime attribute when you add the account entry.
• Rely on the plug-in's alternate timestamp mechanism, using the createTimestamp attribute,
  which is present in all entries. The plug-in uses this attribute automatically if the entry lacks
  the lastLoginTime attribute.
7.6.3 Managing users covered by an account inactivity policy
To determine which accounts are in violation of their account policy, perform a subtree search
with a less-than-or-equal filter. For example, if the current time is noon on August 20, 2009,
and you want to list accounts that have not logged in for 10 days, use the following filter:
"(&(createtimestamp<=20090810120000Z)(acctPolicySubentry=cn=Account Policy,ou=people,dc=example,dc=com))"
NOTE:
The timestamp is in generalized time format: year, month, day, hour, minute, second, and a “Z”
that indicates the time is expressed in UTC (Greenwich Mean Time, GMT).
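The search described above, generalized as an added Python example (not code from this guide): it derives the generalized-time cutoff from the inactivity limit in seconds and builds a filter that tests lastLoginTime, falling back to createTimestamp only when lastLoginTime is absent, which mirrors the fallback described in 7.6.2. The function names, uids, and sample timestamps are constructed for illustration, and the combined filter is this example's own construction.

```python
import re
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # YYYYMMDDHHMMSS followed by "Z" (UTC)

def to_gt(moment):
    """Format a timezone-aware datetime as 14-digit UTC generalized time."""
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)

def from_gt(value):
    """Strictly parse YYYYMMDDHHMMSSZ; any other length or suffix is an error."""
    if not re.fullmatch(r"\d{14}Z", value):
        raise ValueError("not a 14-digit UTC generalized time: %r" % value)
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def inactivity_filter(now, limit_seconds, policy_dn):
    """Match entries under policy_dn whose lastLoginTime (or createTimestamp,
    when lastLoginTime is absent) is at or before now - limit_seconds."""
    cutoff = to_gt(now - timedelta(seconds=limit_seconds))
    return ("(&(acctPolicySubentry=%s)(|(lastLoginTime<=%s)"
            "(&(!(lastLoginTime=*))(createTimestamp<=%s))))"
            % (escape_filter_value(policy_dn), cutoff, cutoff))

def is_inactive(entry, now, limit_seconds):
    """Apply the same rule client-side to one entry given as a dict."""
    stamp = entry.get("lastLoginTime") or entry["createTimestamp"]
    return now - from_gt(stamp) >= timedelta(seconds=limit_seconds)

def inactive_uids(entries, now, limit_seconds):
    return [e["uid"] for e in entries if is_inactive(e, now, limit_seconds)]

# Constructed sample data: the uids and timestamps are made up for this example.
NOW = datetime(2009, 8, 20, 12, 0, 0, tzinfo=timezone.utc)
POLICY_DN = "cn=Account Policy,ou=people,dc=example,dc=com"
ENTRIES = [
    {"uid": "alice", "createTimestamp": "20090101000000Z", "lastLoginTime": "20090819090000Z"},
    {"uid": "bob", "createTimestamp": "20090101000000Z", "lastLoginTime": "20090810120000Z"},
    {"uid": "carol", "createTimestamp": "20090701000000Z"},  # never logged in
    {"uid": "dave", "createTimestamp": "20090815000000Z"},   # never logged in
]

if __name__ == "__main__":
    ten_days = 10 * 24 * 60 * 60
    print(inactivity_filter(NOW, ten_days, POLICY_DN))
    print(inactive_uids(ENTRIES, NOW, ten_days))   # 10-day limit
    print(inactive_uids(ENTRIES, NOW, 2592000))    # the 30-day limit in seconds
```

The strict parser rejects timestamps that are not exactly 14 digits plus “Z”, so a mistyped value fails loudly instead of silently matching the wrong set of accounts.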
To enable an account that is disabled due to inactivity, manually update the lastLoginTime
attribute value. The following example updates the attribute to August 20, 2009.
dn: <DN of the user entry>
changetype: modify
replace: lastLoginTime
lastLoginTime: 20090820120000Z
7.6 Using the account policy plug-in for inactivity limits 317