Legatus wrote:
> I did that. I know I have done that in the past. I see on one account
> the passwordExpWarned, I don't see passwordExpirationTime. We need to
> be able to give users warnings that the password will expire in N
> days. Am I looking in the wrong place, or is there a setting I
> haven't set? I set up a policy that is supposed to expire passwords,
> and warn users.

One thing is that a user who has not had his/her password changed since
password expiration was enabled will not have the passwordExpirationTime
attribute in his/her entry, but you could add it manually.

Another thing - I'm not sure how it is possible that a user could have
the passwordExpWarned but not the passwordExpirationTime attribute. Just
looking at the code, everywhere it sets passwordExpWarned it also sets
passwordExpirationTime.

I started with an existing database (Example.ldif)
I then enabled password expiration - ldapsearch showed no
passwordExpWarned nor passwordExpirationTime
Then, as directory manager, I used ldapmodify to modify a user's
password - the search showed this:

ldapsearch -D "cn=directory manager" ... "uid=scarter" passwordExpirationTime passwordExpWarned
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=scarter
# requesting: passwordExpirationTime passwordExpWarned
#

# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

>
> On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>
> Legatus wrote:
> > I have tried with this search, and also using the userid that I am
> > requesting the information from. So "uid=me,ou=people,dc=mydc" to get
> > info on "uid=me,ou=people,dc=mydc"
> >
> > ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager'
> > -w <password> "objectclass=*" attrs="passwordExpWarned
> > passwordExpirationTime"
> Don't use attrs="..." Just specify them on the command line -
> ... "objectclass=*" passwordExpWarned passwordExpirationTime
> If you want all regular attributes plus the additional operational
> attributes, use "*" e.g.
> ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime
> ldapsearch --help
> ...
> usage: ldapsearch [options] [filter [attributes...]]
> where:
> filter RFC-2254 compliant LDAP search filter
> attributes whitespace-separated list of attribute descriptions
>
> Note that openldap has a special attribute called "+" but this is not
> supported by Fedora DS.
> >
> > On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson <rmeggins at redhat.com> wrote:
> >
> > Legatus wrote:
> > > I am new to the list, and I apologize if this question has been
> > > answered before.
> > >
> > > I haven't done much programming for LDAP, though I have been managing
> > > directories for years. I am working with some developers, who a)
> > > aren't very imaginative, b) not very clever, and c) lazy. So I need
> > > to know how to get at the password information that says a password
> > > has expired, is about to expire, et. al. I have tried to query for the
> > > attributes using ldapsearch that seem to be what I want, like
> > > passwordexpirationtime, but I get nothing back.
> > Can you post your exact ldapsearch command line? Note that
> > passwordexpirationtime and other password attributes in user entries are
> > operational attributes - this means they are not retrieved by default
> > with an LDAP search but must be explicitly listed in the list of
> > attributes to retrieve.
> > > They all figure I should know the magic incantation, since I know how
> > > to make the directory work, and usually that would be the case. This
> > > time I am stuck. Anyone solved this problem. I am running FDS 1.0.2,
> > > and 1.0.4. I get the same result in both. Any help would be great.
> > >
> > > ------------------------------------------------------------------------
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
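
Added example, not part of the original thread and not Fedora DS code: a parser for the ldapsearch LDIF output shown above that turns passwordExpirationTime into a "warn N days ahead" decision and reports entries that lack the attribute. The function names, the 14-day warning window and the uid=newuser entry are assumptions made for illustration.

```python
import base64
from datetime import datetime, timezone

# Constructed sample. The scarter entry copies the output quoted in the thread;
# uid=newuser is a made-up entry with no passwordExpirationTime.
SAMPLE_LDIF = """\
# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

# newuser, People, example.com
dn: uid=newuser, ou=People, dc=example,dc=com
"""

def parse_entries(ldif):
    """Parse ldapsearch LDIF output into {dn: {lowercased attr: value}}."""
    entries, current = {}, None
    for line in ldif.replace("\n ", "").splitlines():  # undo LDIF line folding
        if not line.strip():
            current = None                 # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue                       # comment / search banner
        key, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if key.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:          # skips trailers such as "result: 0"
            current[key.lower()] = value
    return entries

def expiry_status(attrs, now, warn_days=14):
    """Return (state, whole days left); warn_days is an assumed policy value."""
    raw = attrs.get("passwordexpirationtime")
    if raw is None:                        # password unchanged since expiration was enabled
        return ("no-expiration-time", None)
    # Assumes the UTC "YYYYMMDDHHMMSSZ" form shown in the thread's output.
    expires = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        return ("expired", 0)
    days_left = (expires - now).days
    return ("warn" if days_left <= warn_days else "ok", days_left)

def report(ldif, now, warn_days=14):
    """Map every DN in the LDIF text to its expiry status."""
    return {dn: expiry_status(a, now, warn_days)
            for dn, a in parse_entries(ldif).items()}
```

Feed it the output of a search that names the operational attributes explicitly on the command line, as described above; a search that omits them yields "no-expiration-time" for every entry.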