On 11/04/2016 09:32 AM, Todor Petkov wrote:
> Hi,
>
> I just updated my password (from the linux shell, using password, if this matters),

In the DS access log who is binding to change the password? Is it your user entry binding and modifying the password or is it Directory Manager? Directory manager bypasses password policy, and passwordexpirationtime will not be set.

> and it does not show in ldapsearch:
>
> ldapsearch -D "cn=directory manager" -W -b "dc=domain,dc=com" uid=todor.petkov passwordexpirationtime
>
> When I do ldapsearch for "cn=nsPwPolicyEntry" and "cn=nsPwPolicyContainer" for my user, I see there is policy set..

Make sure you also have

nsslapd-pwpolicy-local: on

under the cn=config entry, otherwise the local policy will not work.

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10.1/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Configuring_a_Local_Password_Policy

Regards,
Mark

> Back to playing with the GUI :)
>
> Thanks,
>
> On Fri, Nov 4, 2016 at 3:20 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
>> On 11/04/2016 03:31 AM, Todor Petkov wrote:
>>> Hello Mark,
>>>
>>> for some reason I do not see expiration date for my user. What I did: via the 389 GUI I set password expiration for my user. I did not change the current password though. Do I need to change the password after or it should start the count to the reset date automatically?
>>
>> Hi Todor,
>>
>> This is a common misunderstanding. Turning on password policy's expiration time feature does not retroactively update user entries (how would it know when the password was last changed?). It can only take effect after changing a password. I know some admins write scripts to expire everyone's passwords (setting passwordexpirationtime to an expired value). This forces everyone to change their passwords which then sets the correct passwordexpirationtime based off of the password policy.
>>
>> Regards,
>> Mark
>>
>>> Regards,
>>>
>>> On Thu, Nov 3, 2016 at 2:21 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
>>>> Todor,
>>>>
>>>> All you need to do is request the passwordexpirationtime attribute from the user entry:
>>>>
>>>> For example:
>>>>
>>>> # ldapsearch -D "cn=directory manager" -W -b "dc=domain,dc=com" uid=USERID passwordexpirationtime
>>>>
>>>> Regards,
>>>> Mark
>>>>
>>>> On 11/03/2016 03:10 AM, Todor Petkov wrote:
>>>>> Hello,
>>>>>
>>>>> I am trying to get the user password expiration date, so I can write a script to send warning email before this. I am running the following:
>>>>>
>>>>> ldapsearch -v -LLLx -h localhost -b 'cn="cn=nsPwPolicyEntry,uid=user,ou=People,dc=domain,dc=com",cn=nsPwPolicyContainer,ou=People,dc=domain,dc=com' "(objectclass=ldapsubentry)"
>>>>>
>>>>> But I don't see such attribute in the results. Can you give me a hint what's the ldap query?
>>>>>
>>>>> My versions are:
>>>>>
>>>>> 389-admin-console-1.1.8-1.el6.noarch
>>>>> 389-ds-1.2.2-1.el6.noarch
>>>>> 389-adminutil-1.1.19-1.el6.x86_64
>>>>> 389-ds-base-libs-1.2.11.15-75.el6_8.x86_64
>>>>> 389-ds-base-1.2.11.15-75.el6_8.x86_64
>>>>> 389-ds-console-1.2.6-1.el6.noarch
>>>>> 389-admin-console-doc-1.1.8-1.el6.noarch
>>>>> 389-admin-1.1.35-1.el6.x86_64
>>>>> 389-console-1.1.7-1.el6.noarch
>>>>> 389-ds-console-doc-1.2.6-1.el6.noarch
>>>>> 389-dsgw-1.1.11-1.el6.x86_64
>>>>>
>>>>> Thanks in advance,

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
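A sketch of the expiry-warning script discussed in the thread, as an added example that is not part of the original messages: it parses `ldapsearch -LLL` output for `passwordExpirationTime` and classifies each entry, reporting entries where the attribute is missing instead of skipping them. The sample LDIF, the function names and the 14-day warning window are assumptions.

```python
import base64
from datetime import datetime, timezone

# Constructed sample of `ldapsearch -LLL ... passwordexpirationtime` output.
# DNs and dates are made up; bob's entry carries no expiration attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=domain,dc=com
passwordExpirationTime: 20161110093200Z

dn: uid=bob,ou=People,dc=domain,dc=com

dn: uid=carol-with-a-long-identifier,ou=People,dc=
 domain,dc=com
passwordexpirationtime: 20170301000000Z

dn: uid=dave,ou=People,dc=domain,dc=com
passwordExpirationTime: 20161101000000Z
"""

def parse_entries(ldif):
    """Yield (dn, expiry datetime or None) for each LDIF entry."""
    unfolded = ldif.replace("\n ", "")        # undo LDIF line folding
    for block in unfolded.strip().split("\n\n"):
        dn, expiry = None, None
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: value" is base64
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name == "passwordexpirationtime":
                # Generalized time, e.g. 20161110093200Z (needs Python 3.7+)
                expiry = datetime.strptime(value, "%Y%m%d%H%M%S%z")
        if dn:
            yield dn, expiry

def classify(ldif, now=None, warn_days=14):
    """Map each DN to 'unset', 'expired', 'warn' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for dn, expiry in parse_entries(ldif):
        if expiry is None:
            report[dn] = "unset"      # password not yet changed under the policy
        elif expiry <= now:
            report[dn] = "expired"
        elif (expiry - now).days < warn_days:
            report[dn] = "warn"
        else:
            report[dn] = "ok"
    return report
```

Entries reported as `unset` match the cases described in the thread: the password has not been changed since expiration was enabled, or it was changed while bound as Directory Manager.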