Rich, Thanks - I can see them now. However, now I have questions about the semantics of password expiration. The NIS+ tables store the account (not password) expiration date as the absolute day number (from year 0). I'm trying to replicate these data in FDS. 1. First of all, I'm not sure that the password expiration feature does the same thing. When the password expires, will the user be prompted to change it or will he be locked out? 2. Second, I can't even test it, because I can't seem to force an expiration. The passwordMaxAge attribute is the number of days after which the password will expire. Well, it's the number of days *since when*? Since today? How is it updated then as the time goes by? Or since the first logon? Where is it stored then? I am truly missing something. The admin guide does not make it clear. Thanks, Simon Richard Megginson wrote on 11/09/2005 06:18 PM: > Those attributes are operational, so you must explicitly ask for them on > the ldapsearch command line e.g. > ldapsearch -b > 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu' > passwordMaxAge passwordWarning passwordMinAge passwordExp > passwordGraceLimit > > In addition, ldapsubentry objects are hidden from normal searches. You > must explicitly request objects of this type by adding the > (objectclass=ldapsubentry) to your search filter e.g. > '(|(objectclass=*)(objectclass=ldapsubentry))' > to get all regular entries and sub entries, or just > '(objectclass=ldapsubentry)' > to get only the sub entry objects. -- Simon (Vsevolod ILyushchenko) simonf at cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson
