[389-users] Determine when a password is about to expire
harry.devine at faa.gov
Fri Jan 21 21:01:14 UTC 2011
I'm using PHP since I'm trying to make a web-based mechanism for our users
to change their passwords. Many of them aren't exactly tech-savvy, and
are used to the old Windows way of logging into our Windows machine, and
being told that they must change their password. I'm trying to come up
with a way to do that for them.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From: Rich Megginson <rmeggins at redhat.com>
To: 389-users at lists.fedoraproject.org
Date: 01/21/2011 03:18 PM
Subject: Re: [389-users] Determine when a password is about to expire
Sent by: 389-users-bounces at lists.fedoraproject.org
On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
Harry,
This is the pattern I use to parse the date in Java: "yyyyMMddHHmmss'Z'".
You can probably deduce what the values represent by looking at the
pattern. Also the times are stored in UTC so you'll probably want to
convert that to the local timezone if you're going to display the
date/time to the user.
Aaron
2011/1/21 <harry.devine at faa.gov>
I can get the passwordexpirationtime value, but I'm unsure what you mean
by "set the password expiration to occur immediately". I'm coming from
the Windows world, so I'm used to the "User must change password at next
logon" checkbox. I don't see that anywhere on the GUI, so I'm unclear how
you set that.
Also, how do I manipulate the dates? I get something similar to
20110122161029Z (for example) for passwordexpirationtime. How do I
convert that to a proper date format?
What programming language are you using?
http://en.wikipedia.org/wiki/ISO_8601 - the format is used with no
separators (e.g. 20110122 instead of 2011-01-22) and no "T" between the
date and the time.
Also, I just changed my account's password while testing, and I see that
passwordexpirationtime got reset to 19700101000000Z. What does the
1970xxx value represent?
That is a special value meaning the password needs to be changed.
Thanks,
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
From: James Roman <james.roman at ssaihq.com>
To: 389-users at lists.fedoraproject.org
Date: 01/21/2011 10:17 AM
Subject: Re: [389-users] Determine when a password is about to expire
Sent by: 389-users-bounces at lists.fedoraproject.org
Most LDAP servers use a different schema than the Microsoft version and
work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 passwordObject
I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user to
log in solely to change their password.
However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now <
passwordGraceUserTime), since the user's LDAP authentication attempt
against the directory will fail (with an error indicating the password has
expired).
On 01/21/2011 09:45 AM, harry.devine at faa.gov wrote:
I am in the process of creating a web-based mechanism to allow our users
to change their password on our new 389-ds server. I would like to
display the date that their password is due to expire, and while Googling
around, I see a lot of references to pwdLastSet, but about 95% of the
articles are referring to Active Directory. I don't see pwdLastSet
amongst the attributes in my default 389-ds setup. Is it there, or do I
have to add that attribute to every account?
Also, I currently have my pages set up where, when the user logs in, it
detects our 'default' password and forces them to change it. Is there
some attribute in their account that I can set that I can key off of and
force them to change their password when they log in to my site?
Thanks for any tips!
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine at faa.gov
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
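The date handling discussed in this thread (the yyyyMMddHHmmss'Z' layout, UTC storage, and the 19700101000000Z "must change" value), as an added PHP example that is not code from any of the posters. The function name, the 14-day warning window, the display time zone, the fixed "now" and the last two sample values are assumptions constructed for illustration.

```php
<?php
// Added example: classify a passwordexpirationtime value. Names and defaults are illustrative.

const MUST_CHANGE_SENTINEL = '19700101000000Z'; // special value noted in the thread

function passwordExpiryStatus(string $raw, DateTimeImmutable $now,
                              int $warnDays = 14, string $displayTz = 'America/New_York'): array
{
    // Accept only the exact form seen in the thread: 14 digits plus 'Z'.
    // Fractional seconds or numeric offsets are rejected rather than guessed at.
    if (!preg_match('/^\d{14}Z$/D', $raw)) {
        throw new InvalidArgumentException('unexpected passwordexpirationtime format');
    }
    if ($raw === MUST_CHANGE_SENTINEL) {
        return ['state' => 'must_change', 'expires_local' => null, 'days_left' => null];
    }

    // '!' zeroes unparsed fields; '\Z' matches the literal trailing Z. Stored time is UTC.
    $expires = DateTimeImmutable::createFromFormat('!YmdHis\Z', $raw, new DateTimeZone('UTC'));
    $errors = DateTimeImmutable::getLastErrors();
    // createFromFormat rolls over values such as June 31; treat any warning as a failure.
    if ($expires === false || ($errors && ($errors['warning_count'] || $errors['error_count']))) {
        throw new InvalidArgumentException('invalid date in passwordexpirationtime');
    }

    $secondsLeft = $expires->getTimestamp() - $now->getTimestamp();
    if ($secondsLeft <= 0) {
        $state = 'expired';
    } elseif ($secondsLeft <= $warnDays * 86400) {
        $state = 'expiring_soon';
    } else {
        $state = 'ok';
    }
    return [
        'state' => $state,
        'expires_local' => $expires->setTimezone(new DateTimeZone($displayTz))->format('Y-m-d H:i T'),
        'days_left' => intdiv(max($secondsLeft, 0), 86400),
    ];
}

// Constructed "now" so the output is reproducible.
$now = new DateTimeImmutable('2011-01-21 21:01:14', new DateTimeZone('UTC'));
foreach (['20110122161029Z', '19700101000000Z', '20101231235959Z', '20110631000000Z'] as $value) {
    try {
        echo $value, ' => ', json_encode(passwordExpiryStatus($value, $now)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $value, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

A value that fails validation is best treated by the calling page the same way as an expired password, so a malformed attribute never lets a user skip the change prompt.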