Hi Mark,

changing "nsslapd-pwpolicy-local" to "on" did the trick. Note to other people, who may not be aware: when changing this in /var/log/dirsrv/slapd-{instancename}/dse.ldif, you need to stop the dirsrv, change it to on (or off), and then start it. Editing the file while the service is running and then doing "service dirsrv restart" will cause the software to override your new flag with the previous version.

Many thanks to all for your patience.

On Fri, Nov 4, 2016 at 4:46 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
> On 11/04/2016 09:32 AM, Todor Petkov wrote:
>> Hi,
>>
>> I just updated my password (from the linux shell, using password, if this matters),
>
> In the DS access log who is binding to change the password? Is it your user entry binding and modifying the password or is it Directory Manager?
>
> Directory manager bypasses password policy, and passwordexpirationtime will not be set.
>
>> and it does not show in ldapsearch:
>>
>> ldapsearch -D "cn=directory manager" -W -b "dc=domain,dc=com" uid=todor.petkov passwordexpirationtime
>>
>> When I do ldapsearch for "cn=nsPwPolicyEntry" and "cn=nsPwPolicyContainer" for my user, I see there is policy set.
>
> Make sure you also have
>
> nsslapd-pwpolicy-local: on
>
> under the cn=config entry, otherwise the local policy will not work.
>
> More on this here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10.1/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Configuring_a_Local_Password_Policy
>
> Regards,
> Mark
>
>> Back to playing with the GUI :)
>>
>> Thanks,
>>
>> On Fri, Nov 4, 2016 at 3:20 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
>>> On 11/04/2016 03:31 AM, Todor Petkov wrote:
>>>> Hello Mark,
>>>>
>>>> for some reason I do not see expiration date for my user. What I did: via the 389 GUI I set password expiration for my user. I did not change the current password though.
>>>>
>>>> Do I need to change the password after, or should it start the count to the reset date automatically?
>>>
>>> Hi Todor,
>>>
>>> This is a common misunderstanding. Turning on password policy's expiration time feature does not retroactively update user entries (how would it know when the password was last changed?). It can only take effect after changing a password.
>>>
>>> I know some admins write scripts to expire everyone's passwords (setting passwordexpirationtime to an expired value). This forces everyone to change their passwords, which then sets the correct passwordexpirationtime based off of the password policy.
>>>
>>> Regards,
>>> Mark
>>>
>>>> Regards,
>>>>
>>>> On Thu, Nov 3, 2016 at 2:21 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
>>>>> Todor,
>>>>>
>>>>> All you need to do is request the passwordexpirationtime attribute from the user entry:
>>>>>
>>>>> For example:
>>>>>
>>>>> # ldapsearch -D "cn=directory manager" -W -b "dc=domain,dc=com" uid=USERID passwordexpirationtime
>>>>>
>>>>> Regards,
>>>>> Mark
>>>>>
>>>>> On 11/03/2016 03:10 AM, Todor Petkov wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I am trying to get the user password expiration date, so I can write a script to send a warning email before this. I am running the following:
>>>>>>
>>>>>> ldapsearch -v -LLLx -h localhost -b 'cn="cn=nsPwPolicyEntry,uid=user,ou=People,dc=domain,dc=com",cn=nsPwPolicyContainer,ou=People,dc=domain,dc=com' "(objectclass=ldapsubentry)"
>>>>>>
>>>>>> But I don't see such an attribute in the results. Can you give me a hint what the ldap query is? My versions are:
>>>>>>
>>>>>> 389-admin-console-1.1.8-1.el6.noarch
>>>>>> 389-ds-1.2.2-1.el6.noarch
>>>>>> 389-adminutil-1.1.19-1.el6.x86_64
>>>>>> 389-ds-base-libs-1.2.11.15-75.el6_8.x86_64
>>>>>> 389-ds-base-1.2.11.15-75.el6_8.x86_64
>>>>>> 389-ds-console-1.2.6-1.el6.noarch
>>>>>> 389-admin-console-doc-1.1.8-1.el6.noarch
>>>>>> 389-admin-1.1.35-1.el6.x86_64
>>>>>> 389-console-1.1.7-1.el6.noarch
>>>>>> 389-ds-console-doc-1.2.6-1.el6.noarch
>>>>>> 389-dsgw-1.1.11-1.el6.x86_64
>>>>>>
>>>>>> Thanks in advance,

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
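The thread's goal was a script that warns users before their password expires, and the two gotchas Mark raised are that passwordExpirationTime is only written when a password is changed under policy, and that a change made as Directory Manager does not set it at all. The following is an added example (not code from the list or from the 389 project) that takes the LDIF printed by `ldapsearch -LLL ... passwordExpirationTime`, parses the GeneralizedTime values, and buckets each user as expired, about to expire, fine, or "unset" so the unset case is surfaced instead of silently skipped. The base DN, the attribute casing, the sample entries and the reference time are assumptions for illustration; searching as Directory Manager is fine here, since only password changes done as Directory Manager bypass the policy.

```python
#!/usr/bin/env python3
"""Warn about 389-ds users whose password is about to expire.

Added example for this thread, not code from the list or the 389 project.
Feed it the output of something like (base DN is an assumption):

    ldapsearch -LLL -D "cn=directory manager" -W -b "dc=domain,dc=com" \
        "(uid=*)" passwordExpirationTime | python3 pwexpiry.py

Entries without passwordExpirationTime are reported as "unset": that is what
you get when the password was last set before the policy was enabled, or was
changed by Directory Manager, which bypasses password policy.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of ldapsearch -LLL output; not captured from a real server.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=domain,dc=com
passwordExpirationTime: 20161110120000Z

dn: uid=bob,ou=People,dc=domain,dc=com
passwordExpirationTime: 20170301080000Z

dn: uid=carol,ou=People,dc=domain,dc=com

dn: uid=dave,ou=People,dc=domain,dc=com
passwordExpirationTime: 20161101000000Z
"""

# Assumed "now" used when the sample is run stand-alone: the day of the thread.
SAMPLE_NOW = datetime(2016, 11, 4, 12, 0, 0, tzinfo=timezone.utc)

# LDAP GeneralizedTime as 389-ds emits it: YYYYmmddHHMMSS, optional fraction, 'Z'.
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime string to a timezone-aware UTC datetime."""
    m = _GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of {attr_lowercase: [values]} dicts.

    Folded continuation lines (leading space) are joined and '#' comments are
    skipped. Base64 ('::') values are kept as-is; the attribute we care about
    is plain ASCII.
    """
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]   # folded line: append to last value
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        if current is None:
            current = {}
        last_attr = attr.strip().lower()   # LDAP attribute names are case-insensitive
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify(entry, now, warn_days):
    """Return (status, whole_days_left) for one parsed entry."""
    values = entry.get("passwordexpirationtime")
    if not values:
        return "unset", None
    expires = parse_generalized_time(values[0])
    days_left = int((expires - now).total_seconds() // 86400)  # floors negatives too
    if expires <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "warn", days_left
    return "ok", days_left


def report(ldif_text, now, warn_days=14):
    """Map each entry's DN to (status, days_left)."""
    return {e.get("dn", ["?"])[0]: classify(e, now, warn_days)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else SAMPLE_NOW
    for dn, (status, days) in sorted(report(text, now).items()):
        print("%-8s %s %s" % (status, "" if days is None else "%4d d" % days, dn))
```

Hook the "warn" bucket up to whatever mailer you use; the "unset" bucket is the list of accounts that will never expire until someone changes their password under policy, which is the case Mark describes scripting an expiry for. Note also that cn=config can be modified over LDAP with ldapmodify while the server runs, in which case the server writes dse.ldif itself and the stop/edit/start dance above is not needed.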