How can we handle expired users with LDAP (Active Directory) user federation? Does the provider already consider the accountExpires attribute or is it necessary to configure this?
From what I found out so far, I could filter for users that are not expired with a ‘User LDAP filter’ like
(&(objectCategory=person)(objectClass=user)(accountExpires>=now))
so expired users are simply not found and login fails. But how could I replace ‘now’ with the current timestamp?
Also it seems that if a user has accountExpires=0 or accountExpires=9223372036854775807, they are also not expired (never expire I suppose).
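The following is an added example, not code from the original post or from any LDAP provider. It shows how to turn the current time into the value AD stores in accountExpires (a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC), how to build the filter from the question with ‘now’ replaced by that value and with the two never-expires sentinels (0 and 9223372036854775807) OR'd in so those accounts are not excluded, and how to check the same predicate against a few constructed directory entries. The sample entries and the `SAMPLE_NOW` timestamp are constructed for the example; the function names are my own, not a provider API. It assumes the ‘User LDAP filter’ is a static string, so the timestamp it contains is frozen at configuration time and would have to be regenerated and pushed again when it should move forward.

```python
from datetime import datetime, timedelta, timezone

# AD FILETIME epoch: accountExpires counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 1970-01-01 as a FILETIME; handy for sanity-checking the conversion.
UNIX_EPOCH_FILETIME = 116444736000000000

# Values AD uses for "account never expires" (0 and 0x7FFFFFFFFFFFFFFF).
NEVER_EXPIRES = {0, 9223372036854775807}


def ad_filetime(moment: datetime) -> int:
    """Convert an aware datetime to an AD FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime given; supply an aware (UTC) datetime")
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    # Integer arithmetic only: seconds -> ticks, plus microseconds -> ticks.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_ad_filetime(ticks: int) -> datetime:
    """Inverse of ad_filetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def is_expired(account_expires: int, now: datetime) -> bool:
    """Same predicate the filter below expresses:
    the never-expires sentinels are always active; otherwise the account is
    expired once accountExpires lies strictly before `now`."""
    if account_expires in NEVER_EXPIRES:
        return False
    return account_expires < ad_filetime(now)


def build_active_user_filter(now: datetime) -> str:
    """The filter from the question with 'now' replaced by the FILETIME for `now`.
    LDAP has no '>' operator, so '>=' is used; the OR branch keeps the two
    never-expires sentinel values, which a plain '>=' comparison would drop (0)."""
    ticks = ad_filetime(now)
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(|(accountExpires=0)(accountExpires=9223372036854775807)"
        f"(accountExpires>={ticks})))"
    )


def select_active(entries, now: datetime):
    """Apply the predicate to in-memory entries (constructed data, not a live directory)."""
    return [e["sAMAccountName"] for e in entries if not is_expired(e["accountExpires"], now)]


# Constructed sample data: one fixed 'now' and four accounts with different expiry states.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "accountExpires": 0},                    # never expires
    {"sAMAccountName": "bob",   "accountExpires": 9223372036854775807},  # never expires
    {"sAMAccountName": "carol", "accountExpires": ad_filetime(datetime(2023, 6, 1, tzinfo=timezone.utc))},  # expired
    {"sAMAccountName": "dave",  "accountExpires": ad_filetime(datetime(2025, 6, 1, tzinfo=timezone.utc))},  # still valid
]

if __name__ == "__main__":
    print("FILETIME for", SAMPLE_NOW.isoformat(), "=", ad_filetime(SAMPLE_NOW))
    print("filter:", build_active_user_filter(SAMPLE_NOW))
    print("active accounts:", select_active(SAMPLE_ENTRIES, SAMPLE_NOW))
```

Because the filter value is a snapshot of the clock, the practical use is a scheduled job that calls `build_active_user_filter(datetime.now(timezone.utc))` and writes the result into the provider's filter setting; the in-memory `is_expired` check is useful for verifying, against exported attribute values, that the filter excludes exactly the accounts you expect before deploying it.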