With OpenLDAP and the ppolicy overlay, one way to disable a user account is to set pwdAccountLockedTime. However, is it allowed to set this value to a future date so that a user's account automatically expires?
From the tests I ran, this looks OK with OpenLDAP 2.6, but sometimes fails with OpenLDAP 2.4. I could not find anything in the password-policy reference or in the ppolicy overlay documentation about this being either allowed or prevented.
Related links:
There are some clues in the OpenLDAP mailing list:
You can set the ppolicy pwdAccountLockedTime attribute to the value 000001010000Z to make all bind operations fail, but using an external means, such as a cron task, as it is impossible to set a date in the future and hope ppolicy will start honouring it once this time is reached.
pwdAccountLockedTime is an operational attribute used by the server to record when the password was actually locked. It does not mean 'lock the account at this time'. In OpenLDAP the mere presence of this attribute in an entry locks the password.
Since 2.5, OpenLDAP implements the pwdEndTime attribute, which can be used in that situation:
This attribute specifies the time the entry's password becomes invalid for authentication. Authentication attempts made after this time will fail, regardless of expiration or grace settings. If this attribute does not exist, then this restriction does not apply.
Related SO question: How to set account expiry date in openldap
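As an added illustration (not code from the question or the answer above), this Python audit applies the two semantics described: the mere presence of pwdAccountLockedTime locks an account, while pwdEndTime (OpenLDAP 2.5+) blocks binds only after the stated time. It also builds the LDIF that schedules expiry via pwdEndTime; the DNs, timestamps and the assumption that the bind identity's ACL may write that operational attribute are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time and sample entries, shaped like the attributes an
# LDAP search returning the ppolicy operational attributes would hand back.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {},
    "uid=bob,ou=people,dc=example,dc=com": {"pwdAccountLockedTime": "000001010000Z"},
    "uid=carol,ou=people,dc=example,dc=com": {"pwdAccountLockedTime": "20991231235959Z"},
    "uid=dave,ou=people,dc=example,dc=com": {"pwdEndTime": "20991231235959Z"},
    "uid=erin,ou=people,dc=example,dc=com": {"pwdEndTime": "20200101000000Z"},
}

def parse_generalized_time(value):
    """Parse UTC GeneralizedTime (YYYYMMDDHHMMSSZ or YYYYMMDDHHMMZ). The ppolicy
    sentinel 000001010000Z (year 0) is not a real instant, so it yields None."""
    if value.startswith("0000"):
        return None
    fmt = "%Y%m%d%H%M%SZ" if len(value) == 15 else "%Y%m%d%H%MZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def bind_blocked(attrs, now):
    """Presence of pwdAccountLockedTime locks the account whatever its value;
    pwdEndTime blocks binds only once that time has passed."""
    if "pwdAccountLockedTime" in attrs:
        return True, "pwdAccountLockedTime present"
    end = attrs.get("pwdEndTime")
    if end is not None and now >= parse_generalized_time(end):
        return True, "pwdEndTime passed"
    return False, ""

def audit(entries, now=None):
    """Report each account's bind state and flag a future-dated
    pwdAccountLockedTime, which does not schedule a lock but locks immediately."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for dn, attrs in entries.items():
        blocked, reason = bind_blocked(attrs, now)
        locked = parse_generalized_time(attrs["pwdAccountLockedTime"]) if "pwdAccountLockedTime" in attrs else None
        report[dn] = {"blocked": blocked, "reason": reason,
                      "future_locked_time": locked is not None and locked > now}
    return report

def expiry_ldif(dn, days, now=None):
    """Build the LDIF that schedules expiry `days` from now via pwdEndTime; pipe
    it to ldapmodify as an identity allowed to write that attribute (assumed)."""
    now = now or datetime.now(timezone.utc)
    stamp = (now + timedelta(days=days)).strftime("%Y%m%d%H%M%SZ")
    return f"dn: {dn}\nchangetype: modify\nreplace: pwdEndTime\npwdEndTime: {stamp}\n"
```

Entries flagged with future_locked_time are the 2.4-era misuse from the question: they are locked now, not at the date written into the attribute.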