[389-users] Determine when a password is about to expire
James Roman
james.roman at ssaihq.com
Fri Jan 21 15:16:50 UTC 2011
Most LDAP servers use a different schema than the Microsoft version and
work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 passwordObject
I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.
However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now <
passwordGraceUserTime), since the user's LDAP authentication attempt
against the directory will fail (with an error indicating the password
has expired).
On 01/21/2011 09:45 AM, harry.devine at faa.gov wrote:
>
> I am in the process of creating a web-based mechanism to allow our
> users to change their password on our new 389-ds server. I would like
> to display the date that their password is due to expire, and while
> Googling around, I see a lot of references to pwdLastSet, but about
> 95% of the articles are referring to Active Directory. I don't see
> pwdLastSet amongst the attributes in my default 389-ds setup. Is it
> there, or do I have to add that attribute to every account?
>
> Also, I currently have my pages set up where, when the user logs in,
> it detects our 'default' password and forces them to change it. Is
> there some attribute in their account that I can set that I can key
> off of and force them to change their password when they login to my
> site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
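An added example, not part of the original thread: one way a web page could turn the passwordExpirationTime value mentioned in the reply into an expiry date and a days-remaining figure. It assumes the entry has already been fetched as a dict of attribute name to list of values; `password_status`, `warn_days` and the sample entries are hypothetical, and treating an epoch value as "must change" is an assumption to check against your own server.

```python
from datetime import datetime, timezone

# passwordExpirationTime is an LDAP GeneralizedTime string, e.g. 20110421151650Z.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse the 'YYYYMMDDHHMMSSZ' form into an aware UTC datetime.

    Fractional seconds and numeric UTC offsets are not handled here.
    """
    if isinstance(value, bytes):  # some LDAP client libraries return bytes
        value = value.decode("ascii")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry, now, warn_days=14):
    """Classify an entry by password expiry.

    Returns (state, expires_at, days_left) where state is one of
    'no-expiry', 'must-change', 'expired', 'expiring', 'ok'.
    """
    # LDAP attribute names are case-insensitive, so normalise before lookup.
    attrs = {name.lower(): vals for name, vals in entry.items()}
    values = attrs.get("passwordexpirationtime")
    if not values:
        return ("no-expiry", None, None)       # attribute absent: nothing to show
    expires_at = parse_generalized_time(values[0])
    if expires_at <= EPOCH:
        return ("must-change", expires_at, 0)  # assumption: epoch marks a forced reset
    if expires_at <= now:
        return ("expired", expires_at, 0)
    days_left = (expires_at - now).days
    state = "expiring" if days_left <= warn_days else "ok"
    return (state, expires_at, days_left)


if __name__ == "__main__":
    # Constructed sample entries, evaluated at a fixed "now" so output is stable.
    now = datetime(2011, 1, 21, 15, 16, 50, tzinfo=timezone.utc)
    samples = {
        "alice": {"passwordExpirationTime": ["20110421151650Z"]},
        "bob": {"passwordexpirationtime": [b"20110128151650Z"]},
        "carol": {"passwordExpirationTime": ["20110120000000Z"]},
        "dave": {"passwordExpirationTime": ["19700101000000Z"]},
        "erin": {"cn": ["Erin"]},
    }
    for uid, entry in samples.items():
        print(uid, password_status(entry, now))
```
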