
I know that we can create new LDAP attributes and attach them to users.

What I am not able to find is whether there is a capability to create a new LDAP attribute which is the result of a subtraction between an existing attribute and time, e.g.

If CurrentTime - PasswordExpiration < 0 then true, else false

Is something like this feasible?

1 Answer


No, computed attributes (or views, or similar) are not part of LDAP. Most implementations only have certain predefined dynamic attributes but do not allow this kind of flexibility through LDAP alone.

For example, in OpenLDAP, this would be possible through creating an "overlay" in C and installing it on the LDAP server, but not otherwise.

Though your example in particular doesn't seem very useful, because you're comparing against external data, so you can just search for (passwordExpiration<=[current time goes here]) instead of trying to implement (isPasswordExpired=TRUE).

  • Thanks for the quick response. Just a clarification. Isn't this considered the same as my initial approach since again a check needs to be performed with an external source?
    – Bagoline
    Commented Mar 8, 2021 at 11:43
  • No, because the check is done as part of the search filter, but does not influence the received attribute values. (In terms of SQL, you cannot create dynamic "views" in LDAP, but you can still query "SELECT WHERE expiry<12345" from static tables.)
    – grawity
    Commented Mar 8, 2021 at 11:48
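The approach the answer recommends, shown as an added example that is not part of the original post: instead of asking the server for a computed isPasswordExpired attribute, the client formats the current time as LDAP GeneralizedTime and sends a (passwordExpiration<=...) filter. It assumes (neither assumption is stated on the page) that passwordExpiration is stored in GeneralizedTime syntax (RFC 4517, e.g. 20210308114300Z) and has an ORDERING matching rule in the schema, which an <= filter needs in order to work at all. Because no server is available here, a small local matcher evaluates the same filter against constructed entries to show the semantics: the comparison happens in the filter and never changes which attribute values come back.

```python
import re
from datetime import datetime, timezone

# Assumption: passwordExpiration uses GeneralizedTime syntax with an ORDERING
# rule (generalizedTimeOrderingMatch); without one, a real server rejects or
# ignores the "<=" filter.
EXPIRY_ATTR = "passwordExpiration"

def generalized_time(dt: datetime) -> str:
    """Format a timezone-aware datetime as GeneralizedTime in UTC (RFC 4517 3.3.13)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; pass a timezone-aware value")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 so that a value taken from
    outside can never change the structure of the filter. A generated timestamp
    contains no special characters, but escaping every assertion value is the
    habit that prevents LDAP filter injection elsewhere."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def expired_password_filter(now: datetime, attr: str = EXPIRY_ATTR) -> str:
    """Build (passwordExpiration<=<now>): matches entries whose expiry is at or before now."""
    return "(%s<=%s)" % (attr, escape_filter_value(generalized_time(now)))

def parse_generalized_time(s: str) -> datetime:
    """Parse the UTC ("Z") form of GeneralizedTime produced above."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# Local stand-in for the server's ordering match; only a single (attr<=value)
# filter is understood, which is all this example needs.
_LE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)<=([^()]+)\)$")

def matches_le_filter(entry: dict, filt: str) -> bool:
    """Evaluate (attr<=value) the way generalizedTimeOrderingMatch would.
    Entries without the attribute never match, as on a real server."""
    m = _LE_FILTER.match(filt)
    if not m:
        raise ValueError("only a single (attr<=value) filter is supported here")
    attr, assertion = m.group(1), m.group(2)
    values = entry.get(attr)
    if not values:
        return False
    limit = parse_generalized_time(assertion)
    return any(parse_generalized_time(v) <= limit for v in values)

def find_expired(entries, now: datetime):
    """Return the uids whose password expiry is at or before `now`.
    The filter decides membership; the entries' attributes are untouched."""
    filt = expired_password_filter(now)
    return [e["uid"][0] for e in entries if matches_le_filter(e, filt)]

# Constructed sample entries (not taken from any real directory).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], EXPIRY_ATTR: ["20210301000000Z"]},  # expired a week ago
    {"uid": ["bob"],   EXPIRY_ATTR: ["20210401000000Z"]},  # still valid
    {"uid": ["carol"]},                                    # no expiry set at all
    {"uid": ["dave"],  EXPIRY_ATTR: ["20210308114300Z"]},  # expires exactly "now"
]
# "Now" fixed to the timestamp of the comment thread above so runs are repeatable.
NOW = datetime(2021, 3, 8, 11, 43, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(expired_password_filter(NOW))   # (passwordExpiration<=20210308114300Z)
    print(find_expired(SAMPLE_ENTRIES, NOW))  # ['alice', 'dave']
```

Two details matter in practice. The timestamp must be normalised to UTC before it goes into the filter: GeneralizedTime permits local offsets, and the server compares points in time, not strings, so a naive local time silently shifts the boundary by the offset. And an entry with no passwordExpiration value does not match, so "not expired" and "never set" look identical to this filter; a separate (!(passwordExpiration=*)) search is the way to find the latter.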
