[GH-ISSUE #1383] [FEATURE REQUEST] inactive account timeout #484

Open
opened 2026-02-27 08:17:30 +03:00 by kerem · 1 comment

Originally created by @h-2 on GitHub (Jan 19, 2026).
Original GitHub issue: https://github.com/lldap/lldap/issues/1383

Motivation

I have a bunch of services that I offer to friends and family. Every so often, I talk to someone, and I am like: "You can do that without Google/Meta/...! Here, I will quickly set you up with an account, and you can try it out."

Sometimes the person will keep using my service(s). Often they won't (which is also fine). But then I have idle accounts which are needless attack surface.

Describe the solution you'd like

I'd like to have one of the following (in order of preference):

  • After 3 months of inactivity, disable account.
  • After 3 months of inactivity, remove user from all groups and add to group departed.
  • After 3 months of inactivity, reset password to long random string.

"inactivity" == time without successful login

Ideally, there would also be:

  • After 6 months of inactivity, delete account.

Ideally, there would also be an e-mail sent notifying the user (either before or after).

Describe alternatives you've considered

I have been told that this is difficult to do for LDAP servers, because they usually don't track logins. I have also been told that certain clients can do this, but I don't see that solving my problem. I don't want to track usage of specific services; it's totally fine and desired that some users will only use some services.

Additional context

I would guess that people who self-host would appreciate such a feature? It would really help "server hygiene".


@nitnelave commented on GitHub (Jan 19, 2026):

I'd leave that to a plugin, once we finish implementing the API. It should be relatively simple to implement (an LLM should be able to do that given proper docs).
