[389-users] ldapsearch to get users with expired password

James Roman james.roman at ssaihq.com
Mon Feb 28 13:51:57 UTC 2011


On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
> Is there any way to obtain the users with expired/expiring password?
>
> I have activated the password policy, making the password expire
> after X days, and warn them after X-10 days. Now, I want to create a
> cron job to send an email to users warning them about their password
> expiration. I know I can get that information about the user who is
> binding, but not for the users obtained from a search.
>
Filters are your friend.

To select passwords that have expired since midnight, you would use the 
following filter (using today's date Feb 28 2011):
"(passwordexpirationtime<=20110228000000Z)"

To select users with passwords expiring in the next 10 days (passwords 
expire between today at midnight AND Mar. 10 at midnight):
"(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z))"


You may need to add additional filter terms as well. The script that we 
use also filters out (excludes) inactive accounts (since we don't delete 
accounts from our directory.) Inactivated accounts in our directory all 
belong to a single group (and we have the group memberof plugin enabled):
"(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"

Depending on how your directory is designed, it might make more sense to 
eliminate users with the nsaccountlock attribute set to true:
"(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(nsaccountlock=true))))"
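
An added example, not part of the original message or of 389 Directory Server: a Python helper a cron job could use to build the date-bounded filters described above instead of hard-coding the dates. The function names, the sample DNs and their expiration values are constructed for illustration, and the code assumes expiration times are stored in UTC "Z" form as in the filters above.

```python
from datetime import date, datetime, timedelta, timezone

def gtime(day):
    """Midnight UTC of `day` as an LDAP GeneralizedTime string."""
    return day.strftime("%Y%m%d") + "000000Z"

def expired_filter(today):
    """Passwords that expired before today's midnight."""
    return f"(passwordexpirationtime<={gtime(today)})"

def expiring_filter(today, days=10, exclude=("(nsaccountlock=true)",)):
    """Passwords expiring between today's midnight and `days` later.

    The lower bound uses >= and the upper bound uses <=; swapping them
    yields a range that no entry can satisfy. Each term in `exclude`
    is negated so locked or inactivated accounts are skipped.
    """
    lower = f"(passwordexpirationtime>={gtime(today)})"
    upper = f"(passwordexpirationtime<={gtime(today + timedelta(days=days))})"
    negated = "".join(f"(!{term})" for term in exclude)
    return f"(&{lower}{upper}{negated})"

def select_expiring(entries, today, days=10):
    """Local mirror of the range test, for checking a filter offline.

    Fixed-width UTC GeneralizedTime strings sort in time order, so a
    plain string comparison gives the same result as the date range.
    """
    lo, hi = gtime(today), gtime(today + timedelta(days=days))
    return sorted(dn for dn, exp in entries.items() if lo <= exp <= hi)

# Constructed sample data: DN -> passwordexpirationtime
SAMPLE = {
    "uid=alice,cn=accounts,dc=domain,dc=com": "20110305120000Z",  # in window
    "uid=bob,cn=accounts,dc=domain,dc=com": "20110220083000Z",    # already expired
    "uid=carol,cn=accounts,dc=domain,dc=com": "20110401000000Z",  # too far out
}

if __name__ == "__main__":
    today = datetime.now(timezone.utc).date()
    # Pass the printed string to ldapsearch as the search filter.
    print(expiring_filter(today))
```
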