When I try to search my OpenLDAP 2.4.42 server for (shadowExpire<=18074), I get no results. However, a search for (shadowExpire=12671) yields several results.
My ultimate goal is to periodically regenerate a Postfix map for check_recipient_access to reject mail to expired accounts.
Looking at the server's /etc/ldap/schema/nis.schema, I see:
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
This agrees with RFC 2307 Section 3, which specifies:
( nisSchema.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 'INTEGER' SINGLE-VALUE )
Both of those suggest that shadowExpire supports only equality searches.
However, RFC 2307bis has:
( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
… which has ORDERING integerOrderingMatch, allowing the inequality search to work.
Can I hack my server's nis.schema to include ORDERING integerOrderingMatch? The underlying representation would still be an INTEGER, so it should be harmless, right? (Despite the warning in the OpenLDAP Administrator's Guide that says "you should not modify any of the schema items defined in provided files.")
You correctly analyzed the missing ordering matching rule.
However, you should not alter schema files shipped with OpenLDAP like nis.schema. But you could use the alternative schema file rfc2307bis.schema instead. Some Linux distributions already ship this file. Note that usage of nis.schema and rfc2307bis.schema is mutually exclusive.
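For the Postfix side of the question, here is an added example (not code from the question, the answer, or the OpenLDAP project) that turns ldapsearch output into a check_recipient_access map. It assumes accounts also carry a mail attribute (for instance via inetOrgPerson), that ldapsearch -LLL output is captured as LDIF text (the sample below is constructed), and that a missing or negative shadowExpire means the account never expires, following shadow(5) where an empty field means no expiration. The comparison is done client-side, so it also works while the schema still lacks ORDERING and the (shadowExpire<=N) filter returns nothing; once rfc2307bis.schema is in place the server-side filter in the comment narrows the result set instead.

```python
"""Build a Postfix check_recipient_access map from LDAP shadowExpire values.

Added example, not from the original question or answer. Assumptions:
  * accounts have a 'mail' attribute next to shadowExpire (e.g. inetOrgPerson);
  * input is LDIF text as printed by ldapsearch -LLL (sample below is constructed);
  * absent or negative shadowExpire means "never expires" (shadow(5) semantics;
    -1 is what some tools write for that).
"""
import base64
import datetime
import sys

# Server-side filter, usable once the schema carries ORDERING integerOrderingMatch
# (rfc2307bis.schema):
#   ldapsearch -LLL -x -b ou=People,dc=example,dc=com "(shadowExpire<=18074)" mail shadowExpire
# Without ORDERING, fetch every account that has a value and compare here:
#   ldapsearch -LLL -x -b ou=People,dc=example,dc=com "(shadowExpire=*)" mail shadowExpire

# Constructed sample standing in for ldapsearch -LLL output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com
shadowExpire: 12671

dn: uid=bob,ou=People,dc=example,dc=com
mail: bob@example.com
shadowExpire: 18074

dn: uid=carol,ou=People,dc=example,dc=com
mail: carol@example.com
shadowExpire: 19500

dn: uid=dave,ou=People,dc=example,dc=com
mail: dave@example.com
shadowExpire: -1

dn: uid=erin,ou=People,dc=example,dc=com
mail: erin@example.com
"""


def today_shadow_days():
    """shadowExpire counts days since 1970-01-01; compute today's value in UTC."""
    today = datetime.datetime.now(datetime.timezone.utc).date()
    return (today - datetime.date(1970, 1, 1)).days


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    'attr:: base64' values decoded. Attribute names are lower-cased for lookup."""
    entries = []
    current = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def expired_addresses(entries, today):
    """Mail addresses whose shadowExpire day is <= today: the client-side
    equivalent of an LDAP (shadowExpire<=today) filter."""
    out = []
    for entry in entries:
        values = entry.get("shadowexpire", [])
        if not values:
            continue  # no shadowExpire: account never expires
        try:
            expire = int(values[0])  # SINGLE-VALUE attribute with INTEGER syntax
        except ValueError:
            continue  # malformed value: skip rather than reject mail by accident
        if expire < 0:
            continue  # assumption: negative means never expires
        if expire <= today:
            out.extend(entry.get("mail", []))
    return sorted(out)


def postfix_access_map(addresses, reason="Account expired"):
    """Render check_recipient_access lines; run postmap(1) on the file afterwards."""
    return "".join(f"{addr} REJECT {reason}\n" for addr in addresses)


if __name__ == "__main__":
    # Pipe ldapsearch output in, or run without stdin to use the constructed sample.
    ldif = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(postfix_access_map(expired_addresses(parse_ldif(ldif), today_shadow_days())))
```

Run it as ldapsearch -LLL ... | python3 expired_map.py > /etc/postfix/expired_recipients, then postmap /etc/postfix/expired_recipients and reference the map from check_recipient_access in smtpd_recipient_restrictions. Keeping the comparison in the script means a schema change is not required for the mail-rejection goal, and the server-side filter can be swapped in later purely as an optimisation.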