This example deletes all unverified account entries that have not been accessed in the past eight weeks. These could be accounts that potential customers started to create through an application's registration process but did not complete. Because the phone number or email address provided during registration was never verified, it should be released for use by another account. The server can track the last access time automatically in the ds-last-access-time attribute when the Last Access Time plugin is enabled.

  1. If necessary, enable the Last Access Time plugin:
    $ bin/dsconfig set-plugin-prop \
      --plugin-name "Last Access Time" \
      --set enabled:true
  2. The Purge Expired Data plugin requires an ordering index on the date attribute that is used to determine expiration. Create an index on that attribute:
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name ds-last-access-time \
      --set index-type:ordering
  3. If there is data present in the directory, rebuild the index:
    $ bin/rebuild-index \
      --baseDN dc=example,dc=com \
      --index ds-last-access-time
  4. Create the plugin that purges account entries (objectClass=account) that are not verified (verified=false) after eight weeks of inactivity:
    $ bin/dsconfig create-plugin \
      --plugin-name "Purge Old Unvalidated Accounts" \
      --type purge-expired-data \
      --set enabled:true \
      --set datetime-attribute:ds-last-access-time \
      --set "expiration-offset:8 w" \
      --set "filter:(&(objectClass=account)(verified=false))"
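Because the plugin deletes entries, it helps to preview what its filter and eight-week offset would select before running step 4. The script below is an added example, not part of the product documentation: the function names, sample DNs and timestamps are constructed, and the commented ldapsearch call assumes the server's bin/ldapsearch with connection arguments omitted. It also assumes ds-last-access-time holds generalized time values and that the LDIF is unwrapped.

```shell
# cutoff_gt NOW_EPOCH WEEKS: UTC generalized time WEEKS weeks before NOW_EPOCH
# (GNU date syntax first, BSD date syntax as fallback).
cutoff_gt() {
  secs=$(( $1 - $2 * 7 * 24 * 3600 ))
  date -u -d "@$secs" +%Y%m%d%H%M%SZ 2>/dev/null || date -u -r "$secs" +%Y%m%d%H%M%SZ
}

# preview_filter CUTOFF: the plugin's filter ANDed with an explicit age test.
# Live use (1.1 requests DNs only):
#   bin/ldapsearch --baseDN dc=example,dc=com "$(preview_filter "$(cutoff_gt "$(date +%s)" 8)")" 1.1
preview_filter() {
  printf '(&(objectClass=account)(verified=false)(ds-last-access-time<=%s))' "$1"
}

# purge_candidates CUTOFF: read LDIF on stdin, print the DNs that filter selects.
# Entries without ds-last-access-time are not listed, as with the LDAP filter.
purge_candidates() {
  awk -v cutoff="$1" '
    function emit() {
      if (dn != "" && acct && unver && ts != "" && substr(ts, 1, 14) <= substr(cutoff, 1, 14)) print dn
      dn = ""; acct = 0; unver = 0; ts = ""
    }
    /^$/ { emit(); next }
    { low = tolower($0) }
    low ~ /^dn: / { dn = substr($0, 5) }
    low ~ /^objectclass: account$/ { acct = 1 }
    low ~ /^verified: false$/ { unver = 1 }
    low ~ /^ds-last-access-time: / { ts = substr($0, 22) }
    END { emit() }'
}

# Constructed sample entries (hypothetical DNs and timestamps).
sample_ldif() {
  cat <<'EOF'
dn: uid=stale,ou=people,dc=example,dc=com
objectClass: account
verified: false
ds-last-access-time: 20240301101500.000Z

dn: uid=recent,ou=people,dc=example,dc=com
objectClass: account
verified: false
ds-last-access-time: 20240520080000.000Z

dn: uid=verified,ou=people,dc=example,dc=com
objectClass: account
verified: true
ds-last-access-time: 20230101000000.000Z
EOF
}

# "Now" is pinned to 2024-06-01T00:00:00Z so the result is reproducible.
sample_ldif | purge_candidates "$(cutoff_gt 1717200000 8)"
```

Only the unverified entry older than the cutoff is printed; comparing this list against a live search result before enabling the plugin shows whether the filter is broader than intended.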