[389-users] ldapsearch to get users with expired password

Tue Mar 22 20:36:25 UTC 2011

On 03/16/2011 06:45 AM, Juan Asensio Sánchez wrote:
> Hi
>
> Thanks for the answer, but my users don't have the attribute
> passwordexpirationtime, because this attribute is not generated until
> the user login after the activation of the account/password policies.
>
> Reading, I have seen that when a user binds to the server, the server
> returns some controls indicating the expiring/expired password, if in
> case. But I can not bind with the user as I don't have it's password,
> so I can not get the controls that would return a bind with its user.
> Could I simulate this using a proxy auth, ie, binding as Directory
> Manager, but simulating a login of the user? Would this need some
> special ACI? I am a bit lost...
I suppose you could use createTimestamp if passwordexpirationtime is not 
present.
> Thanks in advance.
>
> 2011/2/28 James Roman<james.roman at ssaihq.com>:
>> On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
>>
>> Is there any way to obtain the users with expired/expiring password?
>>
>> Hi have activated the password policy, making the password expire
>> after X days, and warn them after X-10 days. Now, I want to create a
>> cron job to send an email to users warning them about its password
>> expiration. I know I can get that information about the user is
>> binding, but not for the users obtained from a search.
>>
>> Filters are your friend.
>>
>> To select passwords that have expired since midnight, you would use the
>> following filter (using today's date Feb 28 2011):
>> "(passwordexpirationtime<=20110228000000Z)"
>>
>> To select users with passwords expiring in the next 10 days (passwords
>> expire between today at midnight AND Mar. 10 at midnight):
>> "(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z))"
>>
>> You may need to add additional filter terms as well. The script that we use
>> also filters out (excludes) inactive accounts (since we don't delete
>> accounts from our directory.) Inactivated accounts in our directory all
>> belong to a single group (and we have the group memberof plugin enabled):
>> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!
>> (memberOf=cn=inactivated,cn=account
>> inactivation,cn=accounts,dc=domain,dc=com))))"
>>
>> Depending on how your directory is designed, it might make more sense to
>> eliminate users with the nsaccountlock attribute set to true:
>> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!
>> (nsaccountlock=true))))"
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users