[389-users] Determine when a password is about to expire

Rich Megginson rmeggins at redhat.com
Fri Jan 21 20:17:07 UTC 2011


On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
> Harry,
>
> This is the pattern I use to parse the date in Java: 
> "yyyyMMddHHmmss'Z'".  You can probably deduce what the values 
> represent by looking at the pattern.  Also the times are stored in UTC 
> so you'll probably want to convert that to the local timezone if 
> you're going to display the date/time to the user.
>
> Aaron
>
> 2011/1/21 <harry.devine at faa.gov>
>
>
>     I can get the passwordexpirationtime value, but I'm unsure what
>     you mean by "set the password expiration to occur immediately".
>      I'm coming from the Windows world, so I'm used to the "User must
>     change password at next logon" checkbox.  I don't see that
>     anywhere on the GUI, so I'm unclear how you set that.
>
>     Also, how do I manipulate the dates?  I get something similar to
>     20110122161029Z (for example) for passwordexpirationtime.  How do
>     I convert that to a proper date format?
>
What programming language are you using?
http://en.wikipedia.org/wiki/ISO_8601 - the format is used with no 
separators (e.g. 20110122 instead of 2011-01-22) and no "T" between the 
date and the time.
>
>     Also, I just changed my account's password while testing, and I
>     see that passwordexpirationtime got reset to 19700101000000Z.
>      What does the 1970xxx value represent?
>
That is a special value meaning the password needs to be changed.
>
>
>     Thanks,
>     Harry
>
>     Harry Devine
>     Common ARTS Software Development
>     AJT-144
>     (609)485-4218
>     Harry.Devine at faa.gov
>
>
>     From: James Roman <james.roman at ssaihq.com>
>     To: 389-users at lists.fedoraproject.org
>     Date: 01/21/2011 10:17 AM
>     Subject: Re: [389-users] Determine when a password is about to expire
>     Sent by: 389-users-bounces at lists.fedoraproject.org
>
>
>     ------------------------------------------------------------------------
>
>
>
>     Most LDAP servers use a different schema than the Microsoft
>     version and work from the opposite direction. Try querying
>     "passwordexpirationtime". You can do a search for the specific
>     password schema with the following info: 2.16.840.1.113730.3.2.12
>      passwordObject
>
>     I think it is more common to:
>     1. administratively set the password on a user account
>     2. set the password expiration to occur immediately.
>     3. set the passwordGraceUserTime for a time period that allows the
>     user to log in solely to change their password.
>
>     However, you must explicitly program your site to gracefully
>     handle this situation (condition where passwordexpirationtime <
>     now < passwordGraceUserTime), since the user's LDAP
>     authentication attempt against the directory will fail (with an
>     error indicating the password has expired).
>
>     On 01/21/2011 09:45 AM, harry.devine at faa.gov wrote:
>
>     I am in the process of creating a web-based mechanism to allow our
>     users to change their password on our new 389-ds server.  I would
>     like to display the date that their password is due to expire, and
>     while Googling around, I see a lot of references to pwdLastSet,
>     but about 95% of the articles are referring to Active Directory.
>      I don't see pwdLastSet amongst the attributes in my default
>     389-ds setup.  Is it there, or do I have to add that attribute to
>     every account?
>
>     Also, I currently have my pages set up where, when the user logs
>     in, it detects our 'default' password and forces them to change
>     it.  Is there some attribute in their account that I can set that
>     I can key off of and force them to change their password when they
>     login to my site?
>
>     Thanks for any tips!
>     Harry
>
>     Harry Devine
>     Common ARTS Software Development
>     AJT-144
>     (609)485-4218
>     Harry.Devine at faa.gov
>
>
>     --
>     389 users mailing list
>     389-users at lists.fedoraproject.org
>     https://admin.fedoraproject.org/mailman/listinfo/389-users
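
The date handling discussed in this thread, as an added example that is not part of the original messages: it parses a passwordexpirationtime value with the Python equivalent of the Java pattern quoted above, treats 19700101000000Z as the must-change marker, and converts the stored UTC time for display. The function names and the 14-day warning threshold are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Special value the thread identifies as "password needs to be changed".
MUST_CHANGE = "19700101000000Z"
# strptime equivalent of the Java pattern "yyyyMMddHHmmss'Z'".
LDAP_TIME_FORMAT = "%Y%m%d%H%M%SZ"


def parse_expiration(value):
    """Parse a passwordexpirationtime string into an aware UTC datetime."""
    value = value.strip()
    # strptime accepts one-digit fields and a lowercase "z", so check the shape first.
    well_formed = len(value) == 15 and value.isascii() and value[:14].isdigit()
    if not well_formed or value[14] != "Z":
        raise ValueError("unexpected passwordexpirationtime: %r" % value)
    return datetime.strptime(value, LDAP_TIME_FORMAT).replace(tzinfo=timezone.utc)


def password_status(value, now=None, warn_days=14):
    """Return state, expiry (UTC) and whole days left for one account.

    warn_days is a hypothetical threshold chosen for this example.
    """
    if value.strip() == MUST_CHANGE:
        return {"state": "must_change", "expires": None, "days_left": None}
    now = now or datetime.now(timezone.utc)
    expires = parse_expiration(value)
    remaining = expires - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring_soon"
    else:
        state = "ok"
    return {"state": state, "expires": expires, "days_left": max(remaining.days, 0)}


def for_display(expires, tz=None):
    """Convert the stored UTC time to tz (default: the server's local zone)."""
    return expires.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %z")


if __name__ == "__main__":
    # Constructed sample values; the first is the one quoted in the thread.
    for sample in ("20110122161029Z", MUST_CHANGE):
        print(sample, password_status(sample)["state"])
```

A malformed value raises ValueError rather than being read as a far-future date, so the calling page can refuse to treat the password as current.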
