Regarding cli tool udm, is there a way to activate/deactivate users wit it? I can’t seem to find one …
Also, related question, how can I get a list of users whose expiration date is say 2019 (any day)? This does not seem to work although I have such users:
# udm users/user list --filter username=*ont2 | grep userexp
userexpiry: 2019-07-01
# udm users/user list --filter userexpiry=2019*
userexpiry=2019*
many thanks in advance
Hello,
$ udm users/user modify --dn <DN> --set disabled=1
This is a bit tricky. The values are stored in a strange format with timezone in the LDAP attribute shadowExpire. Use univention-ldapsearch to see it:
$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire
Then multiply the value with the number of seconds of a day (3600 * 24) and use the result as a UNIX timestamp (seconds since “epoch” → 1.1.1970).
Lets say you set the userexpiry value to 16.08.2019:
$ udm users/user modify --dn <DN> --set userexpiry=2019-08-16
$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire
dn: <DN>
shadowExpire: 18124
$ echo $(( 18124 * 3600 * 24 ))
1565913600
$ date -d @1565913600
Fr 16. Aug 02:00:00 CEST 2019
You can use udm to search for the value of an LDAP attribute:
udm users/user list --filter shadowExpire=18124
So to calculate the reverse (get the value of 01.01.2019) you can just set it and read the LDAP value - no need to calculate it 
$ udm users/user modify --dn <DN> --set userexpiry=2019-01-01
$ univention-ldapsearch -LLL uid=<USERNAME> shadowExpire
dn: <DN>
shadowExpire: 17897
$ udm users/user list --filter shadowExpire=17897 | grep DN
DN: <DN>
Now to find users with newer expiry date, just use the >= symbol:
udm users/user list --filter 'shadowExpire>=17897' | grep DN
The < <= = > symbols are also available.
To get users deactivated in 2019 (17897) but before 2020 (18262) you’ll have to combine them using the LDAP filter syntax:
udm users/user list --filter '(&(shadowExpire>=17897)(shadowExpire<=18262))'
Greetings
Daniel