On 03/16/2011 06:45 AM, Juan Asensio Sánchez wrote:
> Hi
>
> Thanks for the answer, but my users don't have the attribute
> passwordexpirationtime, because this attribute is not generated until
> the user logs in after the activation of the account/password policies.
>
> Reading, I have seen that when a user binds to the server, the server
> returns some controls indicating the expiring/expired password, if in
> case. But I can not bind with the user as I don't have its password,
> so I can not get the controls that would return a bind with its user.
> Could I simulate this using a proxy auth, ie, binding as Directory
> Manager, but simulating a login of the user? Would this need some
> special ACI? I am a bit lost...

I suppose you could use createTimestamp if passwordexpirationtime is not present.

> Thanks in advance.
>
> 2011/2/28 James Roman <james.roman@xxxxxxxxxx>:
>> On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
>>
>> Is there any way to obtain the users with expired/expiring password?
>>
>> I have activated the password policy, making the password expire
>> after X days, and warn them after X-10 days. Now, I want to create a
>> cron job to send an email to users warning them about their password
>> expiration. I know I can get that information about the user is
>> binding, but not for the users obtained from a search.
>>
>> Filters are your friend.
>>
>> To select passwords that have expired since midnight, you would use the
>> following filter (using today's date Feb 28 2011):
>> "(passwordexpirationtime<=20110228000000Z)"
>>
>> To select users with passwords expiring in the next 10 days (passwords
>> expire between today at midnight AND Mar. 10 at midnight):
>> "(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z))"
>>
>> You may need to add additional filter terms as well. The script that we use
>> also filters out (excludes) inactive accounts (since we don't delete
>> accounts from our directory.) Inactivated accounts in our directory all
>> belong to a single group (and we have the group memberof plugin enabled):
>> "(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"
>>
>> Depending on how your directory is designed, it might make more sense to
>> eliminate users with the nsaccountlock attribute set to true:
>> "(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(nsaccountlock=true))))"
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
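The filters discussed in this thread, generated for an arbitrary date as an added example (not code from the thread or from the 389 project). The `max_age_days` parameter and the function names are assumptions: `max_age_days` stands for the password policy's maximum age, used to estimate expiry from createTimestamp for entries that have no passwordexpirationtime yet.

```python
from datetime import datetime, timedelta, timezone

# Exclusion term taken from the thread: skip locked/inactivated accounts.
ACTIVE = "(!(nsaccountlock=true))"


def gtime(dt):
    """Format a timezone-aware datetime as LDAP GeneralizedTime in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expired_filter(now):
    """Entries whose passwordexpirationtime is at or before `now`."""
    return f"(&(passwordexpirationtime<={gtime(now)}){ACTIVE})"


def expiring_filter(now, warn_days):
    """Entries expiring between `now` and `now + warn_days`."""
    upper = now + timedelta(days=warn_days)
    return (f"(&(passwordexpirationtime>={gtime(now)})"
            f"(passwordexpirationtime<={gtime(upper)}){ACTIVE})")


def never_bound_filter(now, max_age_days, warn_days):
    """Fallback for entries without passwordexpirationtime.

    Estimated expiry is createTimestamp + max_age_days (assumed policy
    value), so an entry is due for a warning once it was created at
    least (max_age_days - warn_days) days ago.
    """
    created_before = now - timedelta(days=max_age_days - warn_days)
    return (f"(&(!(passwordexpirationtime=*))"
            f"(createTimestamp<={gtime(created_before)}){ACTIVE})")


if __name__ == "__main__":
    # Constructed sample date matching the one used in the thread.
    today = datetime(2011, 2, 28, tzinfo=timezone.utc)
    print(expired_filter(today))
    print(expiring_filter(today, warn_days=10))
    print(never_bound_filter(today, max_age_days=90, warn_days=10))
```

The third filter only approximates expiry, since it assumes the password has not been changed since the entry was created.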