CLI management of users activate/deactivate and expiration date

Regarding cli tool udm, is there a way to activate/deactivate users wit it? I can’t seem to find one …

Also, related question, how can I get a list of users whose expiration date is say 2019 (any day)? This does not seem to work although I have such users:

# udm users/user list --filter username=*ont2 | grep userexp
  userexpiry: 2019-07-01
# udm users/user list --filter userexpiry=2019*

many thanks in advance


$ udm users/user modify --dn <DN> --set disabled=1

This is a bit tricky. The values are stored in a strange format with timezone in the LDAP attribute shadowExpire. Use univention-ldapsearch to see it:

$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire

Then multiply the value with the number of seconds of a day (3600 * 24) and use the result as a UNIX timestamp (seconds since “epoch” → 1.1.1970).

Lets say you set the userexpiry value to 16.08.2019:

$ udm users/user modify --dn <DN> --set userexpiry=2019-08-16
$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire
dn: <DN>
shadowExpire: 18124
$ echo $(( 18124 * 3600 * 24 ))
$ date -d @1565913600
Fr 16. Aug 02:00:00 CEST 2019

You can use udm to search for the value of an LDAP attribute:

udm users/user list --filter shadowExpire=18124

So to calculate the reverse (get the value of 01.01.2019) you can just set it and read the LDAP value - no need to calculate it :slight_smile:

$ udm users/user modify --dn <DN> --set userexpiry=2019-01-01
$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire
dn: <DN>
shadowExpire: 17897
$ udm users/user list --filter shadowExpire=17897 | grep DN
DN: <DN>

Now to find users with newer expiry date, just use the >= symbol:

udm users/user list --filter 'shadowExpire>=17897' | grep DN

The < <= = > symbols are also available.

To get users deactivated in 2019 (17897) but before 2020 (18262) you’ll have to combine them using the LDAP filter syntax:

udm users/user list --filter '(&(shadowExpire>=17897)(shadowExpire<=18262))'


1 Like