How to ldapsearch password expiration data?

Vsevolod (Simon) Ilyushchenko wrote:

> Rich,
>
> Thanks - I can see them now.
>
> However, now I have questions about the semantics of password 
> expiration. The NIS+ tables store the account (not password) 
> expiration date as the absolute day number (from year 0). I'm trying 
> to replicate these data in FDS.
>
> 1. First of all, I'm not sure that the password expiration feature 
> does the same thing. When the password expires, will the user be 
> prompted to change it or will he be locked out?

It really depends on the application.  I think FDS will send back some 
response controls related to password expiration.  FDS also allows a 
configurable number of "grace logins" to allow the user to log in 
specifically for the purpose of changing the password.

>
> 2. Second, I can't even test it, because I can't seem to force an 
> expiration. The passwordMaxAge attribute is the number of days after 
> which the password will expire. Well, it's the number of days *since 
> when*? Since today? How is it updated then as the time goes by? Or 
> since the first logon? Where is it stored then?

I think the console uses a minimum of 1 day, but in LDAP you can go down 
to the second, so that might make it easier to test.  passwordMaxAge is 
the age since the password was created or last modified.

>
> I am truly missing something. The admin guide does not make it clear.
>
> Thanks,
> Simon
>
> Richard Megginson wrote on 11/09/2005 06:18 PM:
>
>> Those attributes are operational, so you must explicitly ask for them 
>> on the ldapsearch command line e.g.
>> ldapsearch -b 
>> 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu' 
>> passwordMaxAge passwordWarning passwordMinAge passwordExp 
>> passwordGraceLimit
>>
>> In addition, ldapsubentry objects are hidden from normal searches.  
>> You must explicitly request objects of this type by adding the 
>> (objectclass=ldapsubentry) to your search filter e.g.
>> '(|(objectclass=*)(objectclass=ldapsubentry))'
>> to get all regular entries and sub entries, or just
>> '(objectclass=ldapsubentry)'
>> to get only the sub entry objects.
>
>
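
The semantics described in the reply above (passwordMaxAge counted from when the password was created or last modified, followed by grace logins), modelled as an added example that is not part of the original thread and not FDS code. It assumes passwordMaxAge and passwordWarning are held in seconds and passwordExp takes the value `on`; the caller supplies the last-change time and the number of grace logins used, and the LDIF values are constructed.

```shell
#!/bin/sh
# Constructed sample: a password policy subentry as ldapsearch prints it when the
# operational attributes are requested by name (the values are made up).
POLICY_LDIF='dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu
passwordExp: on
passwordMaxAge: 120
passwordWarning: 30
passwordGraceLimit: 2'

# Print the first value of attribute $1 from the LDIF text in $2. Attribute names
# are matched case-insensitively; nothing is printed if the attribute is absent.
ldif_attr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        { i = index($0, ": "); if (i == 0) next }
        tolower(substr($0, 1, i - 1)) == tolower(want) { print substr($0, i + 2); exit }'
}

# Classify a password. $1 = policy LDIF, $2 = time the password was created or
# last modified (epoch seconds, supplied by the caller), $3 = time of the check
# (epoch seconds), $4 = grace logins already used (default 0).
# Assumption: passwordMaxAge and passwordWarning are in seconds, and
# passwordWarning is the length of the warning window before expiry.
password_state() {
    policy=$1 changed=$2 now=$3 used=${4:-0}
    max_age=$(ldif_attr passwordMaxAge "$policy")
    warning=$(ldif_attr passwordWarning "$policy")
    grace=$(ldif_attr passwordGraceLimit "$policy")
    # Expiration disabled, or no maximum age set: the password never expires.
    [ "$(ldif_attr passwordExp "$policy")" = "on" ] && [ -n "$max_age" ] ||
        { echo "no-expiry"; return 0; }
    expires=$((changed + max_age))
    if [ "$now" -lt $((expires - ${warning:-0})) ]; then
        echo "valid"
    elif [ "$now" -lt "$expires" ]; then
        echo "warning"
    elif [ "$used" -lt "${grace:-0}" ]; then
        echo "grace"      # expired, but a login to change the password remains
    else
        echo "expired"
    fi
}

# Demo: password changed at t=1000 with a 120 second maximum age.
for now in 1050 1100 1130; do
    echo "t=$now: $(password_state "$POLICY_LDIF" 1000 "$now" 0)"
done
```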