[389-users] ldapsearch to get users with expired password

Juan Asensio Sánchez okelet at gmail.com
Wed Mar 16 12:45:07 UTC 2011


Hi

Thanks for the answer, but my users don't have the attribute
passwordexpirationtime, because this attribute is not generated until
the user logs in after the activation of the account/password policies.

Reading, I have seen that when a user binds to the server, the server
returns some controls indicating the expiring/expired password, if that
is the case. But I cannot bind as the user, as I don't have its password,
so I cannot get the controls that a bind with that user would return.
Could I simulate this using proxy auth, i.e., binding as Directory
Manager but simulating a login of the user? Would this need some
special ACI? I am a bit lost...

Thanks in advance.

2011/2/28 James Roman <james.roman at ssaihq.com>:
> On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
>
> Is there any way to obtain the users with expired/expiring password?
>
> I have activated the password policy, making the password expire
> after X days, and warn them after X-10 days. Now, I want to create a
> cron job to send an email to users warning them about their password
> expiration. I know I can get that information when the user is
> binding, but not for the users obtained from a search.
>
> Filters are your friend.
>
> To select passwords that have expired since midnight, you would use the
> following filter (using today's date Feb 28 2011):
> "(passwordexpirationtime<=20110228000000Z)"
>
> To select users with passwords expiring in the next 10 days (passwords
> expire between today at midnight AND Mar. 10 at midnight):
> "(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z))"
>
> You may need to add additional filter terms as well. The script that we use
> also filters out (excludes) inactive accounts (since we don't delete
> accounts from our directory). Inactivated accounts in our directory all
> belong to a single group (and we have the memberof plugin enabled):
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!(memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"
>
> Depending on how your directory is designed, it might make more sense to
> eliminate users with the nsaccountlock attribute set to true:
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!(nsaccountlock=true))))"
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
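The filters in the quoted reply, worked through as an added example (this is not code from the thread, from either poster, or from 389 Directory Server). It builds the two filters from a real date instead of a hand-typed one, so the cron job cannot drift, and it mirrors them client-side over a handful of constructed sample entries so the cases a server-side search silently drops are visible: locked accounts, and accounts that have no passwordExpirationTime yet because (as the question above reports) the attribute only appears once the user binds after the policy is enabled. One caveat a cron script must get right: LDAP <= and >= are inclusive, and for an "expiring in the next N days" window the lower bound is the >= term and the upper bound the <= term, otherwise the AND can never match. It assumes passwordExpirationTime is stored as GeneralizedTime (YYYYMMDDHHMMSSZ) and that locked accounts carry nsAccountLock=true, as in the reply; the server URL, bind DN and base DN are placeholders, and the OpenLDAP ldapsearch flags used (-x, -LLL, -H, -D, -W, -b, -s) are the standard ones.

```python
"""Build 389 DS password-expiry filters and classify entries client-side.

Added example for the 389-users thread above; not code from the thread or
from 389 Directory Server. Assumes passwordExpirationTime is stored as LDAP
GeneralizedTime (YYYYMMDDHHMMSSZ) and locked accounts have nsAccountLock=true.
Server URL, bind DN and base DN below are placeholders.
"""
import shlex
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC
EXAMPLE_NOW = datetime(2011, 2, 28, tzinfo=timezone.utc)  # date used in the thread


def to_gt(ts: datetime) -> str:
    """Render an aware datetime as GeneralizedTime for use inside a filter."""
    return ts.astimezone(timezone.utc).strftime(GT_FMT)


def from_gt(value: str) -> datetime:
    """Parse GeneralizedTime as returned by the server."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def expired_filter(now: datetime) -> str:
    """Accounts whose password expired at or before `now`, skipping locked ones."""
    return f"(&(passwordExpirationTime<={to_gt(now)})(!(nsAccountLock=true)))"


def expiring_filter(now: datetime, days: int) -> str:
    """Accounts expiring within `days` days: now <= expiry <= now + days.

    LDAP >= and <= are inclusive. The lower bound must be the >= term and
    the upper bound the <= term, or the conjunction can never match.
    """
    upper = now + timedelta(days=days)
    return (
        f"(&(passwordExpirationTime>={to_gt(now)})"
        f"(passwordExpirationTime<={to_gt(upper)})"
        f"(!(nsAccountLock=true)))"
    )


def ldapsearch_argv(url: str, bind_dn: str, base_dn: str, ldap_filter: str) -> list:
    """argv for OpenLDAP ldapsearch. -W prompts for the bind password so it is
    not visible in the process list or the cron log; passwordExpirationTime
    is requested by name in case the server treats it as operational."""
    return ["ldapsearch", "-x", "-LLL", "-H", url, "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "sub", ldap_filter,
            "uid", "mail", "passwordExpirationTime"]


def _attr(entry: dict, name: str):
    """Case-insensitive lookup: LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)


def classify(entry: dict, now: datetime, days: int) -> str:
    """Client-side mirror of the two filters plus the cases a search drops:
    locked accounts, and accounts with no passwordExpirationTime at all
    (never matched by either filter, so they need their own handling)."""
    if str(_attr(entry, "nsAccountLock") or "").lower() == "true":
        return "locked"
    raw = _attr(entry, "passwordExpirationTime")
    if raw is None:
        return "no-expiry"
    expiry = from_gt(raw)
    if expiry <= now:
        return "expired"
    if expiry <= now + timedelta(days=days):
        return "expiring"
    return "ok"


def report(entries, now: datetime, days: int) -> dict:
    """Group uids by classification, the shape a notification job wants."""
    out = {}
    for entry in entries:
        out.setdefault(classify(entry, now, days), []).append(_attr(entry, "uid"))
    return out


# Constructed sample entries standing in for ldapsearch results (not real data).
SAMPLE_ENTRIES = [
    {"uid": "alice", "passwordExpirationTime": "20110301120000Z"},   # in window
    {"uid": "bob", "passwordExpirationTime": "20110220000000Z"},     # already expired
    {"uid": "carol", "passwordExpirationTime": "20110501000000Z"},   # fine
    {"uid": "dave"},                                                 # attribute not generated yet
    {"uid": "erin", "passwordExpirationTime": "20110301000000Z", "nsAccountLock": "true"},
]

if __name__ == "__main__":
    window = expiring_filter(EXAMPLE_NOW, 10)
    print(expired_filter(EXAMPLE_NOW))
    print(window)
    print(shlex.join(ldapsearch_argv("ldap://ldap.example.com",
                                     "cn=Directory Manager",
                                     "dc=example,dc=com", window)))
    print(report(SAMPLE_ENTRIES, EXAMPLE_NOW, 10))
```

Run it with no arguments to see the two filters, the assembled ldapsearch command line and the grouped sample report. Accounts in the "no-expiry" bucket are the ones the question is about: a search on passwordExpirationTime cannot find them, so a warning job has to treat "attribute absent" as its own case rather than assume the password is fine.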
