[389-users] Determine when a password is about to expire
Rich Megginson
rmeggins at redhat.com
Fri Jan 21 20:17:07 UTC 2011
On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
> Harry,
>
> This is the pattern I use to parse the date in Java:
> "yyyyMMddHHmmss'Z'". You can probably deduce what the values
> represent by looking at the pattern. Also the times are stored in UTC
> so you'll probably want to convert that to the local timezone if
> you're going to display the date/time to the user.
>
> Aaron
>
> 2011/1/21 <harry.devine at faa.gov <mailto:harry.devine at faa.gov>>
>
>
> I can get the passwordexpirationtime value, but I'm unsure what
> you mean by "set the password expiration to occur immediately".
> I'm coming from the Windows world, so I'm used to the "User must
> change password at next logon" checkbox. I don't see that
> anywhere on the GUI, so I'm unclear how you set that.
>
> Also, how do I manipulate the dates? I get something similar to
> 20110122161029Z (for example) for passwordexpirationtime. How do
> I convert that to a proper date format?
>
What programming language are you using?
http://en.wikipedia.org/wiki/ISO_8601 - the format is used with no
separators (e.g. 20110122 instead of 2011-01-22) and no "T" between the
date and the time.
>
> Also, I just changed my account's password while testing, and I
> see that passwordexpirationtime got reset to 19700101000000Z.
> What does the 1970xxx value represent?
>
That is a special value meaning the password needs to be changed.
>
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov <mailto:Harry.Devine at faa.gov>
>
>
> From: James Roman <james.roman at ssaihq.com
> <mailto:james.roman at ssaihq.com>>
> To:
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> Date: 01/21/2011 10:17 AM
> Subject: Re: [389-users] Determine when a password is about to
> expire
> Sent by: 389-users-bounces at lists.fedoraproject.org
> <mailto:389-users-bounces at lists.fedoraproject.org>
>
>
> ------------------------------------------------------------------------
>
>
>
> Most LDAP servers use a different schema than the Microsoft
> version and work from the opposite direction. Try querying
> "passwordexpirationtime". You can do a search for the specific
> password schema with the following info: 2.16.840.1.113730.3.2.12
> passwordObject
>
> I think it is more common to:
> 1. administratively set the password on a user account
> 2. set the password expiration to occur immediately.
> 3. set the passwordGraceUserTime for a time period that allows the
> user to log in solely to change their password.
>
> However, you must explicitly program your site to gracefully
> handle this situation (condition where passwordexpirationtime <
> now < passwordGraceUserTime), since the user's LDAP
> authentication attempt against the directory will fail (with an
> error indicating the password has expired).
>
> On 01/21/2011 09:45 AM, harry.devine at faa.gov
> <mailto:harry.devine at faa.gov> wrote:
>
> I am in the process of creating a web-based mechanism to allow our
> users to change their password on our new 389-ds server. I would
> like to display the date that their password is due to expire, and
> while Googling around, I see a lot of references to pwdLastSet,
> but about 95% of the articles are referring to Active Directory.
> I don't see pwdLastSet amongst the attributes in my default
> 389-ds setup. Is it there, or do I have to add that attribute to
> every account?
>
> Also, I currently have my pages set up where, when the user logs
> in, it detects our 'default' password and forces them to change
> it. Is there some attribute in their account that I can set that
> I can key off of and force them to change their password when they
> log in to my site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov <mailto:Harry.Devine at faa.gov>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
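The handling discussed in this thread, as an added Python example that is not part of the original messages or of 389 Directory Server: it parses the `yyyyMMddHHmmss'Z'` form of passwordexpirationtime as UTC, treats 19700101000000Z as "must change" rather than as a date, and converts to a local zone only for display. The function names, the 14-day warning window and the fixed UTC-5 display offset are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Format seen in the thread: 20110122161029Z (UTC, no separators, no "T").
LDAP_TIME_FORMAT = "%Y%m%d%H%M%SZ"
# Value the thread reports as meaning "the password needs to be changed".
MUST_CHANGE = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_expiration(value):
    """Parse a passwordexpirationtime string into an aware UTC datetime."""
    value = value.strip()
    if len(value) != 15 or not value[:14].isdigit() or value[14] != "Z":
        raise ValueError("unexpected passwordexpirationtime: %r" % value)
    # strptime returns a naive datetime; the trailing Z means UTC.
    return datetime.strptime(value, LDAP_TIME_FORMAT).replace(tzinfo=timezone.utc)


def expiry_status(value, now=None, warn_days=14):
    """Classify one value; warn_days is an assumed site policy, not a server setting."""
    expires = parse_expiration(value)
    now = now or datetime.now(timezone.utc)
    if expires == MUST_CHANGE:  # checked first, or it would read as "expired decades ago"
        return ("must_change", None)
    remaining = expires - now
    if remaining <= timedelta(0):
        return ("expired", remaining)
    if remaining <= timedelta(days=warn_days):
        return ("expiring_soon", remaining)
    return ("ok", remaining)


def display_local(value, tz):
    """Render the expiry time in the viewer's timezone; compare in UTC, convert only here."""
    return parse_expiration(value).astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    # Constructed sample values; 'now' is fixed so the output is reproducible.
    now = datetime(2011, 1, 21, 20, 17, 7, tzinfo=timezone.utc)
    eastern = timezone(timedelta(hours=-5))  # assumed display offset for the demo
    for raw in ("20110122161029Z", "19700101000000Z", "20110101000000Z", "20110601000000Z"):
        print(raw, expiry_status(raw, now))
    print(display_local("20110122161029Z", eastern))
```
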