Fwd: [Fedora-directory-users] Password Warnings
Rich Megginson
rmeggins at redhat.com
Fri Mar 7 19:18:54 UTC 2008
Legatus wrote:
> I did that. I know I have done that in the past. I see on one account
> the passwordExpWarned, I don't see passwordExpirationTime. We need to
> be able to give users warnings that the password will expire in N
> days. Am I looking in the wrong place, or is there a setting I
> haven't set? I set up a policy that is supposed to expire passwords,
> and warn users.

One thing is that a user who has not had his/her password changed since
password expiration was enabled will not have the passwordExpirationTime
attribute in his/her entry, but you could add it manually.

Another thing - I'm not sure how it is possible that a user could have
the passwordExpWarned but not the passwordExpirationTime attribute.
Just looking at the code, everywhere it sets passwordExpWarned it also
sets passwordExpirationTime.

I started with an existing database (Example.ldif).
I then enabled password expiration - ldapsearch showed no
passwordExpWarned nor passwordExpirationTime.
Then, as directory manager, I used ldapmodify to modify a user's
password - the search showed this:

ldapsearch -D "cn=directory manager" ... "uid=scarter" passwordExpirationTime passwordExpWarned
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=scarter
# requesting: passwordExpirationTime passwordExpWarned
#
# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0
>
> On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Legatus wrote:
> > I have tried with this search, and also using the userid that I am
> > requesting the information from. So "uid=me,ou=people,dc=mydc" to get
> > info on "uid=me,ou=people,dc=mydc"
> >
> > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' -w <password> "objectclass=*" attrs="passwordExpWarned passwordExpirationTime"
> Don't use attrs="..." Just specify them on the command line - ...
> "objectclass=*" passwordExpWarned passwordExpirationTime
> If you want all regular attributes plus the additional operational
> attributes, use "*" e.g.
> ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime
> ldapsearch --help
> ...
> usage: ldapsearch [options] [filter [attributes...]]
> where:
> filter RFC-2254 compliant LDAP search filter
> attributes whitespace-separated list of attribute descriptions
>
> Note that OpenLDAP has a special attribute called "+" but this is not
> supported by Fedora DS.
> >
> >
> > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson <rmeggins at redhat.com> wrote:
> >
> > Legatus wrote:
> > > I am new to the list, and I apologize if this question has been
> > > answered before.
> > >
> > > I haven't done much programming for LDAP, though I have been managing
> > > directories for years. I am working with some developers, who a)
> > > aren't very imaginative, b) not very clever, and c) lazy. So I need
> > > to know how to get at the password information that says a password
> > > has expired, is about to expire, et al. I have tried to query for the
> > > attributes using ldapsearch that seem to be what I want, like
> > > passwordexpirationtime, but I get nothing back.
> > Can you post your exact ldapsearch command line? Note that
> > passwordexpirationtime and other password attributes in user entries are
> > operational attributes - this means they are not retrieved by default
> > with an LDAP search but must be explicitly listed in the list of
> > attributes to retrieve.
> > > They all figure I should know the magic incantation, since I know how
> > > to make the directory work, and usually that would be the case. This
> > > time I am stuck. Anyone solved this problem? I am running FDS 1.0.2,
> > > and 1.0.4. I get the same result in both. Any help would be great.
> > >
> > > ------------------------------------------------------------------------
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
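
An added example, not part of the original thread and not Fedora DS code: given ldapsearch output that explicitly requested passwordExpirationTime, as shown in the message above, it works out how many days remain before each password expires and handles entries that lack the attribute. The second sample entry, the 14-day warning window and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the first entry mirrors the ldapsearch output in the
# message; the second is a hypothetical user whose password has not been
# changed since expiration was enabled, so the attribute is absent.
SAMPLE_LDIF = """\
# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

dn: uid=newuser, ou=People, dc=example,dc=com
"""

def parse_entries(ldif):
    """Split simple, unfolded LDIF (plain values) into {dn: {attr: value}}."""
    entries = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldapsearch comment lines
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
        if "dn" in attrs:
            entries[attrs.pop("dn")] = attrs
    return entries

def password_status(attrs, now, warn_days=14):
    """Return (state, days_left) from one entry's operational attributes."""
    raw = attrs.get("passwordexpirationtime")
    if raw is None:
        # Attribute was not returned: not requested, or never set.
        return ("no-expiration-time", None)
    # The value is a UTC GeneralizedTime, e.g. 20080615185146Z.
    expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return ("expired", days_left)
    if days_left <= warn_days:
        return ("warn", days_left)
    return ("ok", days_left)

def report(ldif, now, warn_days=14):
    """Map each DN in the LDIF to its (state, days_left) tuple."""
    return {dn: password_status(a, now, warn_days)
            for dn, a in parse_entries(ldif).items()}
```
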