[389-users] Determine when a password is about to expire

James Roman james.roman at ssaihq.com
Fri Jan 21 15:16:50 UTC 2011


Most LDAP servers use a different schema than the Microsoft version and 
work from the opposite direction. Try querying "passwordexpirationtime". 
You can do a search for the specific password schema with the following 
info: 2.16.840.1.113730.3.2.12  passwordObject

I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user 
to log in solely to change their password.

However, you must explicitly program your site to gracefully handle this 
situation (condition where passwordexpirationtime < now < 
passwordGraceUserTime), since the user's LDAP authentication attempt 
against the directory will fail (with an error indicating the password 
has expired).

On 01/21/2011 09:45 AM, harry.devine at faa.gov wrote:
>
> I am in the process of creating a web-based mechanism to allow our 
> users to change their password on our new 389-ds server.  I would like 
> to display the date that their password is due to expire, and while 
> Googling around, I see a lot of references to pwdLastSet, but about 
> 95% of the articles are referring to Active Directory.  I don't see 
> pwdLastSet amongst the attributes in my default 389-ds setup.  Is it 
> there, or do I have to add that attribute to every account?
>
> Also, I currently have my pages set up where, when the user logs in, 
> it detects our 'default' password and forces them to change it.  Is 
> there some attribute in their account that I can set that I can key 
> off of and force them to change their password when they log in to my 
> site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
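
As an added illustration that is not part of the original thread: one way a web front end could turn the passwordExpirationTime value mentioned in the reply into a display date and a "must change now" decision. It assumes the value arrives as UTC GeneralizedTime (`YYYYMMDDHHMMSSZ`) and that the entry is a dict of attribute name to list of byte strings, as LDAP client libraries commonly return; the function names, the 14-day warning window and the sample entry are hypothetical or constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: UTC GeneralizedTime such as "20110321151650Z";
# an optional fractional-seconds part is tolerated and ignored.
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")


def parse_generalized_time(raw):
    """Convert a GeneralizedTime value (bytes or str) to an aware datetime."""
    text = raw.decode("ascii") if isinstance(raw, bytes) else raw
    match = _GENERALIZED_TIME.match(text.strip())
    if not match:
        # Refuse to guess: a misread expiry must not silently become "valid".
        raise ValueError(f"unsupported GeneralizedTime value: {text!r}")
    stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def get_attr(entry, name):
    """First value of an attribute; LDAP attribute names are case-insensitive."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted and values:
            return values[0]
    return None


def password_status(entry, now, warn_days=14):
    """Return (state, expires, days_left) for one directory entry.

    state is "not_set" (attribute absent on the entry), "expired"
    (route the user to the change-password page), "expiring_soon" or "ok".
    """
    raw = get_attr(entry, "passwordExpirationTime")
    if raw is None:
        return ("not_set", None, None)
    expires = parse_generalized_time(raw)
    if expires <= now:
        return ("expired", expires, 0)
    remaining = expires - now
    soon = remaining <= timedelta(days=warn_days)
    return ("expiring_soon" if soon else "ok", expires, remaining.days)


# Constructed sample entry; name the attribute explicitly in the search request.
SAMPLE_ENTRY = {"uid": [b"jdoe"], "passwordexpirationtime": [b"20110321151650Z"]}
```

Because the state comes from the directory entry, the site no longer needs to compare the submitted password against a known default to decide whether to force a change.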
