
When I try to search my OpenLDAP 2.4.42 server for (shadowExpire<=18074), I get no results. However, a search for (shadowExpire=12671) yields several results.

My ultimate goal is to periodically regenerate a Postfix map for check_recipient_access to reject mail to expired accounts.


Looking at the server's /etc/ldap/schema/nis.schema, I see:

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

This agrees with RFC 2307 Section 3, which specifies:

( nisSchema.1.10 NAME 'shadowExpire'
  EQUALITY integerMatch
  SYNTAX 'INTEGER' SINGLE-VALUE )

Both of those suggest that shadowExpire supports equality searches only.

However, RFC 2307bis has:

( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
    EQUALITY integerMatch
    ORDERING integerOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
    SINGLE-VALUE )

… which has ORDERING integerOrderingMatch, allowing the inequality search to work.


Can I hack my server's nis.schema to include ORDERING integerOrderingMatch? The underlying representation would still be an INTEGER, so it should be harmless, right? (Despite the warning in the OpenLDAP Administrator's Guide that says "you should not modify any of the schema items defined in provided files.")

200_success

1 Answer


You correctly analyzed the missing ordering matching rule.

However, you should not alter schema files shipped with OpenLDAP, like nis.schema. You could instead use the alternative schema file rfc2307bis.schema. Some Linux distributions already ship this file.

Note that the use of nis.schema and rfc2307bis.schema is mutually exclusive.
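To make the behaviour described in the question concrete, here is an added example (not code from the original post, from OpenLDAP or from Postfix) that models how a server evaluates filter items under the three-valued logic of RFC 4511 section 4.5.1.7: a greaterOrEqual or lessOrEqual item against an attribute type with no ORDERING rule evaluates to Undefined, and a search returns only entries for which the whole filter is TRUE, which is why (shadowExpire<=18074) returns nothing while (shadowExpire=12671) works. The model is run against the two shadowExpire definitions quoted above and then builds the check_recipient_access map from the matching entries. The directory entries are constructed sample data; the filter function, the map-building helper and the treatment of a negative shadowExpire (commonly -1) as "never expires" are my assumptions, not anything the post or the schema states.

```python
# Added example (not from the original post, OpenLDAP or Postfix): a model of
# RFC 4511 three-valued filter evaluation for the two shadowExpire variants,
# plus generation of a Postfix check_recipient_access map from the results.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "Undefined"


@dataclass(frozen=True)
class AttributeType:
    name: str
    equality: Optional[str] = None   # EQUALITY matching rule, if any
    ordering: Optional[str] = None   # ORDERING matching rule, if any


# The two definitions discussed above: nis.schema (equality only) and
# rfc2307bis.schema (equality plus ordering). Keys are lower-cased names.
NIS_SCHEMA = {"shadowexpire": AttributeType("shadowExpire", equality="integerMatch")}
RFC2307BIS_SCHEMA = {"shadowexpire": AttributeType(
    "shadowExpire", equality="integerMatch", ordering="integerOrderingMatch")}

# A filter is an item (op, attr, value) with op in {"=", "<=", ">="},
# or an AND of filters ("&", [filters]).
Entry = Dict[str, List[str]]


def evaluate(flt, entry: Entry, schema: Dict[str, AttributeType]) -> str:
    """Evaluate one filter against one entry; returns TRUE, FALSE or Undefined."""
    if flt[0] == "&":
        results = [evaluate(sub, entry, schema) for sub in flt[1]]
        if all(r == TRUE for r in results):
            return TRUE
        if any(r == FALSE for r in results):
            return FALSE
        return UNDEFINED                 # mix of TRUE and Undefined
    op, attr, assertion = flt
    atype = schema.get(attr.lower())
    if atype is None:
        return UNDEFINED                 # unknown attribute type
    if op == "=" and atype.equality is None:
        return UNDEFINED
    if op in ("<=", ">=") and atype.ordering is None:
        return UNDEFINED                 # no ORDERING rule: the nis.schema case
    values = entry.get(atype.name)
    if not values:
        return FALSE                     # attribute absent from the entry
    value, wanted = int(values[0]), int(assertion)
    if op == "=":
        return TRUE if value == wanted else FALSE
    if op == "<=":
        return TRUE if value <= wanted else FALSE
    return TRUE if value >= wanted else FALSE


def search(entries: Sequence[Entry], flt, schema: Dict[str, AttributeType]) -> List[Entry]:
    """A search returns only the entries for which the filter is TRUE."""
    return [e for e in entries if evaluate(flt, e, schema) == TRUE]


def expired_filter(today_days: int):
    """(&(shadowExpire>=0)(shadowExpire<=today)). Assumption: a negative
    shadowExpire (commonly -1) means 'never expires' and must not be rejected."""
    return ("&", [(">=", "shadowExpire", "0"), ("<=", "shadowExpire", str(today_days))])


def postfix_access_map(entries: Sequence[Entry], today_days: int,
                       schema: Dict[str, AttributeType]) -> str:
    """Build check_recipient_access lines of the form '<address> REJECT <text>';
    the result is what you would write to a file and compile with postmap."""
    lines = []
    for e in search(entries, expired_filter(today_days), schema):
        for mail in e.get("mail", []):
            lines.append(f"{mail} REJECT Account expired")
    return "\n".join(sorted(lines)) + ("\n" if lines else "")


# Constructed sample directory entries (not real data).
ENTRIES: List[Entry] = [
    {"uid": ["alice"], "mail": ["alice@example.com"], "shadowExpire": ["12671"]},
    {"uid": ["bob"],   "mail": ["bob@example.com"],   "shadowExpire": ["18200"]},
    {"uid": ["carol"], "mail": ["carol@example.com"], "shadowExpire": ["-1"]},
    {"uid": ["dave"],  "mail": ["dave@example.com"]},
]

if __name__ == "__main__":
    today = 18074
    le = ("<=", "shadowExpire", str(today))
    eq = ("=", "shadowExpire", "12671")
    print("nis.schema  (shadowExpire<=18074):", [e["uid"][0] for e in search(ENTRIES, le, NIS_SCHEMA)])
    print("rfc2307bis  (shadowExpire<=18074):", [e["uid"][0] for e in search(ENTRIES, le, RFC2307BIS_SCHEMA)])
    print("nis.schema  (shadowExpire=12671): ", [e["uid"][0] for e in search(ENTRIES, eq, NIS_SCHEMA)])
    print(postfix_access_map(ENTRIES, today, RFC2307BIS_SCHEMA), end="")
```

Under NIS_SCHEMA every inequality item is Undefined, so both the plain (shadowExpire<=18074) search and the AND filter used for the map return nothing, exactly the symptom in the question; under RFC2307BIS_SCHEMA the same filters evaluate to TRUE or FALSE per entry. The >=0 term is the check a practitioner wants before feeding such a map to Postfix, otherwise any account marked "never expires" with -1 would be rejected as well.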