<br><font size=2 face="sans-serif">I'm using PHP since I'm trying to make
a web-based mechanism for our users to change their passwords. Many
of them aren't exactly tech-savvy, and are used to the old Windows way
of logging into our Windows machine, and being told that they must change
their password. I'm trying to come up with a way to do that for them.</font>
<br>
<br><font size=2 face="sans-serif">Thanks,</font>
<br><font size=2 face="sans-serif">Harry</font>
<br>
<br><font size=2 face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218<br>
Harry.Devine@faa.gov</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">From:</font>
<td><font size=1 face="sans-serif">Rich Megginson &lt;rmeggins@redhat.com&gt;</font>
<br>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font>
<td><font size=1 face="sans-serif">389-users@lists.fedoraproject.org</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font>
<td><font size=1 face="sans-serif">01/21/2011 03:18 PM</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font>
<td><font size=1 face="sans-serif">Re: [389-users] Determine when a password
is about to expire</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Sent by:</font>
<td><font size=1 face="sans-serif">389-users-bounces@lists.fedoraproject.org</font></table>
<br>
<hr noshade>
<br>
<br>
<br><font size=3>On 01/21/2011 12:20 PM, Aaron Hagopian wrote: </font>
<br><font size=3>Harry, </font>
<br>
<br><font size=3>This is the pattern I use to parse the date in Java: "yyyyMMddHHmmss'Z'".
You can probably deduce what the values represent by looking at the
pattern. Also the times are stored in UTC so you'll probably want
to convert that to the local timezone if you're going to display the date/time
to the user. </font>
<br>
<br><font size=3>Aaron</font>
<br>
<br><font size=3>2011/1/21 <</font><a href=mailto:harry.devine@faa.gov><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>></font>
<br><font size=2 face="sans-serif"><br>
I can get the passwordexpirationtime value, but I'm unsure what you mean
by "set the password expiration to occur immediately". I'm
coming from the Windows world, so I'm used to the "User must change
password at next logon" checkbox. I don't see that anywhere
on the GUI, so I'm unclear how you set that.</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Also, how do I manipulate the dates? I get something similar to 20110122161029Z
(for example) for passwordexpirationtime. How do I convert that to
a proper date format?</font>
<br><font size=3>What programming language are you using?</font><font size=3 color=blue><u><br>
</u></font><a href=http://en.wikipedia.org/wiki/ISO_8601><font size=3 color=blue><u>http://en.wikipedia.org/wiki/ISO_8601</u></font></a><font size=3>
- the format is used with no separators (e.g. 20110122 instead of 2011-01-22)
and no "T" between the date and the time.</font>
<br><font size=2 face="sans-serif">Also, I just changed my account's password
while testing, and I see that passwordexpirationtime got reset to 19700101000000Z.
What does the 1970xxx value represent?</font><font size=3> </font>
<br><font size=3>That is a special value meaning the password needs to
be changed.</font>
<br><font size=2 face="sans-serif"><br>
Thanks,</font><font size=3> </font>
<br><font size=2 face="sans-serif">Harry</font><font size=3> <br>
</font><font size=2 face="sans-serif"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=2 color=blue face="sans-serif"><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov target=_blank><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
<br>
<br>
</font>
<table width=100%>
<tr valign=top>
<td width=13%><font size=1 color=#5f5f5f face="sans-serif">From:</font><font size=3>
</font>
<td width=86%><font size=1 face="sans-serif">James Roman <</font><a href=mailto:james.roman@ssaihq.com target=_blank><font size=1 color=blue face="sans-serif"><u>james.roman@ssaihq.com</u></font></a><font size=1 face="sans-serif">></font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">To:</font><font size=3>
</font>
<td><a href="mailto:389-users@lists.fedoraproject.org" target=_blank><font size=1 color=blue face="sans-serif"><u>389-users@lists.fedoraproject.org</u></font></a><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Date:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">01/21/2011 10:17 AM</font><font size=3>
</font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Subject:</font><font size=3>
</font>
<td><font size=1 face="sans-serif">Re: [389-users] Determine when a password
is about to expire</font><font size=3> </font>
<tr valign=top>
<td><font size=1 color=#5f5f5f face="sans-serif">Sent by:</font><font size=3>
</font>
<td><a href="mailto:389-users-bounces@lists.fedoraproject.org" target=_blank><font size=1 color=blue face="sans-serif"><u>389-users-bounces@lists.fedoraproject.org</u></font></a></table>
<br><font size=3><br>
</font>
<hr noshade>
<br><font size=3><br>
<br>
<br>
Most LDAP servers use a different schema than the Microsoft version and
work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 passwordObject<br>
<br>
I think it is more common to:<br>
1. administratively set the password on a user account<br>
2. set the password expiration to occur immediately.<br>
3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.<br>
<br>
However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now < passwordGraceUserTime),
since the user's LDAP authentication attempt against the directory will
fail (with an error indicating the password has expired).<br>
<br>
On 01/21/2011 09:45 AM, </font><a href=mailto:harry.devine@faa.gov target=_blank><font size=3 color=blue><u>harry.devine@faa.gov</u></font></a><font size=3>
wrote: </font><font size=2 face="sans-serif"><br>
<br>
I am in the process of creating a web-based mechanism to allow our users
to change their password on our new 389-ds server. I would like to
display the date that their password is due to expire, and while Googling
around, I see a lot of references to pwdLastSet, but about 95% of the articles
are referring to Active Directory. I don't see pwdLastSet amongst
the attributes in my default 389-ds setup. Is it there, or do I have
to add that attribute to every account?</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
Also, I currently have my pages set up where, when the user logs in, it
detects our 'default' password and forces them to change it. Is there
some attribute in their account that I can set that I can key off of and
force them to change their password when they login to my site?</font><font size=3>
</font><font size=2 face="sans-serif"><br>
<br>
Thanks for any tips!</font><font size=3> </font><font size=2 face="sans-serif"><br>
Harry</font><font size=3> </font><font size=2 face="sans-serif"><br>
<br>
Harry Devine<br>
Common ARTS Software Development<br>
AJT-144<br>
(609)485-4218</font><font size=3 color=blue><u><br>
</u></font><a href=mailto:Harry.Devine@faa.gov target=_blank><font size=2 color=blue face="sans-serif"><u>Harry.Devine@faa.gov</u></font></a><font size=3>
</font><tt><font size=3><br>
<br>
<br>
--<br>
389 users mailing list</font></tt><font size=3 color=blue><u><br>
</u></font><a href="mailto:389-users@lists.fedoraproject.org" target=_blank><tt><font size=3 color=blue><u>389-users@lists.fedoraproject.org</u></font></tt></a><font size=3 color=blue><u><br>
</u></font><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target=_blank><tt><font size=3 color=blue><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></tt></a><font size=3>
</font>
<br>
<br>
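<br><font size=3>An added example, not part of the original thread: one way to interpret passwordexpirationtime in PHP, covering the "yyyyMMddHHmmss'Z'" layout, the UTC-to-local conversion and the 19700101000000Z "must change" value discussed above. The function name, the America/New_York time zone, the fixed "now" and the sample values are assumptions constructed for illustration.</font>

```php
<?php
// Added example: interpret 389-ds passwordexpirationtime values.
// The function name and the sample values below are constructed for illustration.

const MUST_CHANGE = '19700101000000Z'; // special value from the thread: password needs to be changed

/**
 * Returns ['state' => 'must_change'|'expired'|'valid',
 *          'expires_local' => ?string, 'days_left' => ?int].
 */
function password_expiry_status(string $value, string $localTz, DateTimeImmutable $now): array
{
    // Accept only the exact 14-digit UTC form; anything else is rejected rather than guessed at.
    if (!preg_match('/^\d{14}Z$/', $value)) {
        throw new InvalidArgumentException("unexpected passwordexpirationtime: $value");
    }
    if ($value === MUST_CHANGE) {
        return ['state' => 'must_change', 'expires_local' => null, 'days_left' => null];
    }
    // '!' zeroes unparsed fields; '\Z' matches the literal trailing Z. Stored times are UTC.
    $utc = DateTimeImmutable::createFromFormat('!YmdHis\Z', $value, new DateTimeZone('UTC'));
    if ($utc === false || $utc->format('YmdHis\Z') !== $value) {
        // createFromFormat rolls over values such as month 13; the round-trip check catches that.
        throw new InvalidArgumentException("invalid date in passwordexpirationtime: $value");
    }
    $local = $utc->setTimezone(new DateTimeZone($localTz));
    $secondsLeft = $utc->getTimestamp() - $now->getTimestamp();
    return [
        'state' => $secondsLeft <= 0 ? 'expired' : 'valid',
        'expires_local' => $local->format('Y-m-d H:i:s T'),
        'days_left' => $secondsLeft <= 0 ? 0 : intdiv($secondsLeft, 86400),
    ];
}

// Constructed inputs; "now" is fixed so the output is reproducible.
$now = new DateTimeImmutable('2011-01-21 20:18:00', new DateTimeZone('UTC'));
foreach (['20110122161029Z', '19700101000000Z', '20110101000000Z'] as $sample) {
    $s = password_expiry_status($sample, 'America/New_York', $now);
    printf("%s => %s %s (days left: %s)\n", $sample, $s['state'],
        $s['expires_local'] ?? '-', $s['days_left'] ?? '-');
}
```

In a login page the 'must_change' and 'expired' states would both route the user to the change-password form, while 'valid' with a small days_left can drive a warning banner.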