4.7. Account Policy Plug-in Attributes

Account policies can be set that automatically lock an account after a certain amount of time has elapsed. This can be used to create temporary accounts that are only valid for a preset amount of time, or to lock users who have been inactive for a certain amount of time.
The Account Policy Plug-in itself accepts only one argument, which points to a plug-in configuration entry.
dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
The account policy configuration entry defines, for the entire server, what attributes to use for account policies. Most of the configuration defines attributes to use to evaluate account policies and expiration times, but the configuration also defines what object class to use to identify subtree-level account policy definitions.
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config

... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp

... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
Once the plug-in is configured globally, account policy entries can be created within the user subtrees, and then these policies can be applied to users and to roles through classes of service.

Example 4.2. Account Policy Definition

dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy
Any entry, whether an individual user, a role, or a CoS template, can be an account policy subentry. Every account policy subentry has its creation and login times tracked against any expiration policy.

Example 4.3. User Account with Account Policy

dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com

4.7.1. altstateattrname

Account expiration policies are based on some timed criterion for the account. For example, for an inactivity policy, the primary criterion may be the last login time, lastLoginTime. However, there may be instances where that attribute does not exist on an entry, such as a user who has never logged into his account. The altstateattrname attribute provides a backup attribute for the server to reference to evaluate the expiration time.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     Any time-based entry attribute
Default Value   None
Syntax          DirectoryString
Example         altstateattrname: createTimeStamp

4.7.2. alwaysRecordLogin

By default, only entries which have an account policy directly applied to them — meaning, entries with the acctPolicySubentry attribute — have their login times tracked. If account policies are applied through classes of service or roles, then the acctPolicySubentry attribute is on the template or container entry, not the user entries themselves.
The alwaysRecordLogin attribute specifies that every entry records its last login time. This allows CoS and roles to be used to apply account policies.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     yes | no
Default Value   no
Syntax          DirectoryString
Example         alwaysRecordLogin: no

4.7.3. alwaysRecordLoginAttr

The Account Policy plug-in stores the time of the last successful login in the user's directory entry, in the attribute named by the alwaysRecordLoginAttr parameter. For further information, see the corresponding section in the Directory Server Administration Guide.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     Any valid attribute name
Default Value   stateAttrName
Syntax          DirectoryString
Example         alwaysRecordLoginAttr: lastLoginTime

4.7.4. limitattrname

The account policy entry in the user directory defines the time limit for the account lockout policy. This time limit can be set in any time-based attribute, and a policy entry could have multiple time-based attributes in it. The attribute within the policy to use for the account inactivation limit is defined in the limitattrname attribute in the Account Policy Plug-in, and it is applied globally to all account policies.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     Any time-based entry attribute
Default Value   None
Syntax          DirectoryString
Example         limitattrname: accountInactivityLimit

4.7.5. specattrname

There are really two configuration entries for an account policy: the global settings in the plug-in configuration entry, and then user- or subtree-level settings in an entry within the user directory. An account policy can be set directly on a user entry, or it can be set as part of a CoS or role configuration. The plug-in identifies which entries are account policy configuration entries by looking for a specific attribute on the entry which flags it as an account policy. This attribute is named in the plug-in configuration by specattrname; it will usually be set to acctPolicySubentry.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     Any time-based entry attribute
Default Value   None
Syntax          DirectoryString
Example         specattrname: acctPolicySubentry

4.7.6. stateattrname

Account expiration policies are based on some timed criterion for the account. For example, for an inactivity policy, the primary criterion may be the last login time, lastLoginTime. The primary time attribute used to evaluate an account policy is set in the stateattrname attribute.

Parameter       Description
Entry DN        cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
Valid Range     Any time-based entry attribute
Default Value   None
Syntax          DirectoryString
Example         stateattrname: lastLoginTime
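To show how the global plug-in attributes described in this section (specattrname, stateattrname, altstateattrname and limitattrname) combine when an inactivity policy such as Example 4.2 is evaluated against users such as Example 4.3, here is an added worked example in Python. It is not code from Directory Server or from its documentation: the plug-in configuration and the directory entries are constructed in-memory dictionaries standing in for the real server, the GeneralizedTime parser handles only the Z (UTC) form shown in Example 4.3, and the treatment of entries with no policy or no usable time attribute is an assumption of this model rather than documented plug-in behaviour.

```python
# Added example: a stand-alone model of how the Account Policy Plug-in's
# configuration attributes fit together when an inactivity policy is evaluated.
# This is not Directory Server code; the entries below are constructed, and
# the handling of entries with no policy or no time attribute is a modelling
# assumption, not documented plug-in behaviour.
from datetime import datetime, timedelta, timezone

# Mirrors cn=config,cn=Account Policy Plugin,cn=plugins,cn=config from the text.
PLUGIN_CONFIG = {
    "stateattrname": "lastLoginTime",
    "altstateattrname": "createTimestamp",
    "specattrname": "acctPolicySubentry",
    "limitattrname": "accountInactivityLimit",
}

# Constructed directory contents: the policy subentry of Example 4.2 and three
# users. Attribute values are lists, as an LDAP client library would return them.
DIRECTORY = {
    "cn=AccountPolicy,dc=example,dc=com": {
        "objectClass": ["top", "ldapsubentry", "extensibleObject", "accountpolicy"],
        "accountInactivityLimit": ["2592000"],  # 86400 seconds * 30 days
    },
    # Example 4.3: a user with a recorded login and a policy applied directly.
    "uid=scarter,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20060101000000Z"],
        "lastLoginTime": ["20060527001051Z"],
        "acctPolicySubentry": ["cn=AccountPolicy,dc=example,dc=com"],
    },
    # A user who has never logged in: no lastLoginTime, so altstateattrname applies.
    "uid=newuser,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20060615000000Z"],
        "acctPolicySubentry": ["cn=AccountPolicy,dc=example,dc=com"],
    },
    # A user with no acctPolicySubentry: specattrname finds no policy for it.
    "uid=nopolicy,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20060101000000Z"],
        "lastLoginTime": ["20060527001051Z"],
    },
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime value such as 20060527001051Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def find_policy(entry, config, directory):
    """Locate the policy subentry named by the attribute set in specattrname."""
    policy_dns = entry.get(config["specattrname"])
    if not policy_dns:
        return None
    return directory.get(policy_dns[0])


def state_time(entry, config):
    """Choose the time the policy is measured against: the stateattrname
    attribute if present, otherwise the altstateattrname fallback."""
    for key in ("stateattrname", "altstateattrname"):
        values = entry.get(config[key])
        if values:
            return parse_generalized_time(values[0])
    return None


def is_account_expired(dn, now, config=PLUGIN_CONFIG, directory=DIRECTORY):
    """Return True when more than the policy's limit (limitattrname, in seconds)
    has elapsed between the entry's state time and `now`, a GeneralizedTime string.
    Assumption of this model: entries with no policy, no limit or no usable time
    attribute are reported as not expired."""
    entry = directory[dn]
    policy = find_policy(entry, config, directory)
    if policy is None:
        return False
    limit_values = policy.get(config["limitattrname"])
    last = state_time(entry, config)
    if not limit_values or last is None:
        return False
    limit = timedelta(seconds=int(limit_values[0]))
    return parse_generalized_time(now) - last > limit


def audit(now, config=PLUGIN_CONFIG, directory=DIRECTORY):
    """List every entry that is not itself a policy subentry and would be
    locked at `now`: a quick review of stale accounts under the policy."""
    return sorted(
        dn for dn, entry in directory.items()
        if "accountpolicy" not in entry.get("objectClass", [])
        and is_account_expired(dn, now, config, directory)
    )


if __name__ == "__main__":
    for dn in audit("20060801000000Z"):
        print("expired:", dn)
```

Note that the comparison is strict: an account whose state time is exactly the limit in the past is still treated as active, and a user who has never logged in is measured from createTimestamp, which is why recording createTimestamp as altstateattrname keeps unused accounts from staying open indefinitely.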