Expire Accounts Not Used in 30 Days


Cool Tool: lastlogin - Generate Report Based on Last Login Time This is a great script, many thanks to Don for his sterling efforts.

I have a client whose requirement (set by the pesky auditors!) is to automatically expire any account that hasn't been used in the last 30 days, so I amended the script to allow this type of functionality:

# Modified to take into account whether the account is enabled or disabled

# This is specified by the attribute 'logindisabled' and is either TRUE or FALSE

# The -e parameter has been defined so you can filter on only enabled accounts

# The report has also been modified to detail the logindisabled state

# The original 'delfile.ldif' has been modified to an 'expfile.ldif' - this

# contains the ldap modify statements required to change the logindisabled state

# N.B. To reset the TRUE/FALSE field via ldap you seem to need to 'delete' the

# existing attribute and then add back the required state

# Additionally, you need the "-" line between the delete and add....

Example of the ice command required to import the generated file:

ice   -l <icelog> -S LDIF -c -f expfile.ldif	\
-D LDAP -s <server> -p<port> -d <admindn> -w <adminpw>



Comment List