[389-users] Determine when a password is about to expire

James Roman james.roman at ssaihq.com
Mon Jan 24 14:26:06 UTC 2011


When I went through this exercise, I learned that PHP alone was not 
going to work well, especially if you ever need to use password 
synchronization with another password system (I.E. AD sync). The PHP way 
of changing LDAP password essentially involves encrypting and encoding 
the password within your PHP application and writing that encrypted and 
encoded password directly to the user's password attribute. This 
prevents password synchronization to external systems. Ideally you want 
to use the ldapv3 ldappasswd mechanism for changing your password within 
the directory. That way the directory can read and propagate password 
changes correctly. Since PHP did not contain a ldappasswd module, I 
ended up writing a PHP front-end which passes the authentication request 
to separate Perl script to actually change the password. There is a 
similar sourceforge project called locksmith, but it also does the 
password changes the wrong way (and encodes shorter passwords 
improperly, if I remember correctly.)

On 01/21/2011 04:01 PM, harry.devine at faa.gov wrote:
>
> I'm using PHP since I'm trying to make a web-based mechanism for our 
> users to change their passwords.  Many of them aren't exactly 
> tech-savvy, and are used to the old Windows way of logging into our 
> Windows machine, and being told that they must change their password. 
>  I'm trying to come up with a way to do that for them.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: 	Rich Megginson <rmeggins at redhat.com>
> To: 	389-users at lists.fedoraproject.org
> Date: 	01/21/2011 03:18 PM
> Subject: 	Re: [389-users] Determine when a password is about to expire
> Sent by: 	389-users-bounces at lists.fedoraproject.org
>
>
> ------------------------------------------------------------------------
>
>
>
> On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
> Harry,
>
> This is the pattern I use to parse the date in java: 
> "yyyyMMddHHmmss'Z'".  You can probably deduce what the values 
> represent by looking at the pattern.  Also the times are stored in UTC 
> so you'll probably want to convert that to the local timezone if 
> you're going to display the date/time to the user.
>
> Aaron
>
> 2011/1/21 <_harry.devine at faa.gov_ <mailto:harry.devine at faa.gov>>
>
> I can get the passwordexpirationtime value, but I'm unsure what you 
> mean by "set the password expiration to occur immediately".  I'm 
> coming from the Windows world, so I'm used to the "User must change 
> password at next logon" checkbox.  I don't see that anywhere on the 
> GUI, so I'm unclear how you set that.
>
> Also, how do I manipulate the dates?  I get something similar to 
> 20110122161029Z (for example) for passwordexpirationtime.  How do I 
> convert that to a proper date format?
> What programming language are you using?_
> __http://en.wikipedia.org/wiki/ISO_8601_- the format is used with no 
> separators (e.g. 20110122 instead of 2011-01-22) and no "T" between 
> the date and the time.
> Also, I just changed my account's password while testing, and I see 
> that passwordexpirationtime got reset to 19700101000000Z.  What does 
> the 1970xxx value represent?
> That is a special value meaning the password needs to be changed.
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218_
> __Harry.Devine at faa.gov_ <mailto:Harry.Devine at faa.gov>
>
> From:	James Roman <_james.roman at ssaihq.com_ 
> <mailto:james.roman at ssaihq.com>>
> To:	_389-users at lists.fedoraproject.org_ 
> <mailto:389-users at lists.fedoraproject.org>
> Date:	01/21/2011 10:17 AM
> Subject:	Re: [389-users] Determine when a password is about to expire
> Sent by:	_389-users-bounces at lists.fedoraproject.org_ 
> <mailto:389-users-bounces at lists.fedoraproject.org>
>
>
>
> ------------------------------------------------------------------------
>
>
>
>
> Most LDAP servers use a different schema than the Microsoft version 
> and work from the opposite direction. Try querying 
> "passwordexpirationtime". You can do a search for the specific 
> password schema with the following info: 2.16.840.1.113730.3.2.12 
>  passwordObject
>
> I think it is more common to:
> 1. administratively set the password on a user account
> 2. set the password expiration to occur immediately.
> 3. set the passwordGraceUserTime for a time period that allows the 
> user to log in solely to change their password.
>
> However, you must explicitly program your site to gracefully handle 
> this situation (condition where passwordexpirationtime < now < 
> passwordGraceUserTime) , since the user's LDAP authentication attempt 
> against the directory will fail (with an error indicating the password 
> has expired).
>
> On 01/21/2011 09:45 AM, _harry.devine at faa.gov_ 
> <mailto:harry.devine at faa.gov>wrote:
>
> I am in the process of creating a web-based mechanism to allow our 
> users to change their password on our new 389-ds server.  I would like 
> to display the date that their password is due to expire, and while 
> Googling around, I see a lot of references to pwdLastSet, but about 
> 95% of the articles are referring to Active Directory.  I don't see 
> pwdLastSet amongst the attributes in my default 389-ds setup.  Is it 
> there, or do I have to add that attribute to every account?
>
> Also, I currently have my pages set up where, when the user logs in, 
> it detects our 'default' password and forces them to change it.  Is 
> there some attribute in their account that I can set that I can key 
> off of and force them to change their password when they login to my site?
>
> Thanks for any tips!
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJT-144
> (609)485-4218_
> __Harry.Devine at faa.gov_ <mailto:Harry.Devine at faa.gov>
>
>
> --
> 389 users mailing list_
> __389-users at lists.fedoraproject.org_ 
> <mailto:389-users at lists.fedoraproject.org>_
> __https://admin.fedoraproject.org/mailman/listinfo/389-users_
> --
> 389 users mailing list_
> __389-users at lists.fedoraproject.org_ 
> <mailto:389-users at lists.fedoraproject.org>_
> __https://admin.fedoraproject.org/mailman/listinfo/389-users_
>
>
> --
> 389 users mailing list_
> __389-users at lists.fedoraproject.org_ 
> <mailto:389-users at lists.fedoraproject.org>_
> __https://admin.fedoraproject.org/mailman/listinfo/389-users_
>
>
>
> --
> 389 users mailing list
> _389-users at lists.fedoraproject.org_ 
> <mailto:389-users at lists.fedoraproject.org>
> _https://admin.fedoraproject.org/mailman/listinfo/389-users_
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20110124/e1898aca/attachment.html>


More information about the 389-users mailing list