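I'm also working on it right now and using Perl to do that, so I used the filter (objectclass=ntUser) and requested the passwordExpirationTime attribute like this:
    # The opening of the call is not in the post; a bound Net::LDAP handle in $ldap is assumed.
    my $result = $ldap->search(
        filter => "objectclass=ntUser",
        attrs  => ["entrydn", "mail", "passwordExpirationTime"],
    );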
In my case, I prefer rather than write attributes to a file.
Hope that helps in your case.
On Thu, Nov 3, 2016 at 6:44 AM, Predrag Zečević - Technical Support Analyst <predrag.zecevic@xxxxxxxxxxxxxx> wrote:
Hi,
On 11/ 3/16 08:10 AM, Todor Petkov wrote:
Hello,
I am trying to get the user password expiration date, so I can write a
script to send warning email before this. I am running the following:
ldapsearch -v -LLLx -h localhost \
  -b 'cn="cn=nsPwPolicyEntry,uid=user,ou=People,dc=domain,dc=com",cn=nsPwPolicyContainer,ou=People,dc=domain,dc=com' \
  "(objectclass=ldapsubentry)"
But I don't see such attribute in the results. Can you give me a hint
what's the ldap query? My versions are:
389-admin-console-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-libs-1.2.11.15-75.el6_8.x86_64
389-ds-base-1.2.11.15-75.el6_8.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64
Thanks in advance,
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
we are using something like:
$ ldapsearch -xLLL -D "cn=Directory Manager" -W -b "cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com" "(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=${givenName} ${sn}))"
to get password policy setup for user "cn=${givenName} ${sn}" and check for values:
passwordInHistory: 5
passwordMinAge: 600
passwordChange: on
passwordUnlock: on
passwordLockoutDuration: 1800
passwordResetFailureCount: 600
passwordLockout: on
passwordMaxFailure: 10
passwordMaxRepeats: 0
passwordStorageScheme: ssha
passwordMaxAge: 7776000
passwordExp: on
passwordGraceLimit: 6
passwordMin8bit: 0
passwordMinAlphas: 0
passwordMinSpecials: 1
passwordMinDigits: 1
passwordMinLowers: 1
passwordMinUppers: 1
passwordMinTokenLength: 5
passwordMinCategories: 4
passwordMinLength: 8
passwordCheckSyntax: on
passwordMustChange: off
Password data is retrieved from LDAP backup ldif, created with command:
$ /usr/lib${ARCH}/dirsrv/slapd-${PADL}/db2ldif.pl -U -N -u -C -D 'cn=Directory Manager' -w - -n userRoot -a /tmp/LDAP_dump.ldif
e.g. searching for password data for "cn=${givenName} ${sn}" in output file /tmp/LDAP_dump.ldif
passwordExpWarned: 0
passwordExpirationTime: 20161214070525Z
passwordGraceUserTime: 0
passwordAllowChangeTime: 20160915071525Z
passwordHistory: 20160915070525Z{SSHA}HASH
passwordHistory: 20150927121604Z{SSHA}HASH
passwordHistory: 20151228130437Z{SSHA}HASH
passwordHistory: 20160324145753Z{SSHA}HASH
passwordHistory: 20160621103821Z{SSHA}HASH
Script parses output for user; determines e-mail address and if reminder has to be sent... (maybe there is better way to get that data, but this one works).
HTH
With best regards.
Predrag Zečević
--
Predrag Zečević
Technical Support Analyst
2e Systems GmbH
Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile: +49 174 3109 288, Skype: predrag.zecevic
E-mail: predrag.zecevic@xxxxxxxxxxxxxx
Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director: Phil Douglas
http://www.2e-systems.com/ - Making your business fly!
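The parsing step described in the thread (read passwordExpirationTime and mail for each user from the LDIF dump, then decide who needs a reminder), as an added example that is not code from any of the posters. It is written in Python; the function names, the 14-day warning window and the sample entries are assumptions made for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the db2ldif output quoted in the thread
# (names, addresses and dates are made up for this example).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com
passwordExpirationTime: 20161214070525Z

dn: uid=bob,ou=People,dc=example,dc=com
mail: bob@example.com
passwordExpirationTime: 2017
 0301120000Z

dn: uid=svc,ou=People,dc=example,dc=com
passwordExpirationTime: 20161210000000Z
"""

def parse_ldif(text):
    """Yield one dict per entry; unfolds continuation lines and decodes '::' values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: ...' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            yield entry

def expiring(text, now, warn_days=14):
    """Return (mail, dn, days_left) for passwords expiring within warn_days of now."""
    due = []
    for e in parse_ldif(text):
        stamp = e.get("passwordexpirationtime", [None])[0]
        mail = e.get("mail", [None])[0]
        if not stamp or not mail:  # nothing to check, or nobody to notify
            continue
        exp = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        left = exp - now
        if timedelta(0) <= left <= timedelta(days=warn_days):
            due.append((mail, e["dn"][0], left.days))
    return due
```

The dump contains the passwordHistory hashes as well, so the LDIF file should be readable only by the account running the script and removed after parsing.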