Legatus wrote:
> I did that. I know I have done that in the past. I see on one account the passwordExpWarned, I don't see passwordExpirationTime. We need to be able to give users warnings that the password will expire in N days. Am I looking in the wrong place, or is there a setting I haven't set? I set up a policy that is supposed to expire passwords, and warn users.

One thing is that a user who has not had his/her password changed since password expiration was enabled will not have the passwordExpirationTime attribute in his/her entry, but you could add it manually.
Another thing - I'm not sure how it is possible that a user could have the passwordExpWarned but not the passwordExpirationTime attribute. Just looking at the code, everywhere it sets passwordExpWarned it also sets passwordExpirationTime.
I started with an existing database (Example.ldif).
I then enabled password expiration - ldapsearch showed no passwordExpWarned nor passwordExpirationTime.
Then, as directory manager, I used ldapmodify to modify a user's password - the search showed this:

    ldapsearch -D "cn=directory manager" ... "uid=scarter" passwordExpirationTime passwordExpWarned

    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: uid=scarter
    # requesting: passwordExpirationTime passwordExpWarned
    #

    # scarter, People, example.com
    dn: uid=scarter, ou=People, dc=example,dc=com
    passwordExpirationTime: 20080615185146Z
    passwordExpWarned: 0
On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:

Legatus wrote:
> I have tried with this search, and also using the userid that I am
> requesting the information from. So "uid=me,ou=people,dc=mydc" to get
> info on "uid=me,ou=people,dc=mydc"
>
> ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager'
> -w <password> "objectclass=*" attrs="passwordExpWarned
> passwordExpirationTime"

Don't use attrs="..." Just specify them on the command line -

    ... "objectclass=*" passwordExpWarned passwordExpirationTime

If you want all regular attributes plus the additional operational attributes, use "*" e.g.

    ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime

    ldapsearch --help
    ...
    usage: ldapsearch [options] [filter [attributes...]]
    where:
      filter        RFC-2254 compliant LDAP search filter
      attributes    whitespace-separated list of attribute descriptions

Note that openldap has a special attribute called "+" but this is not supported by Fedora DS.

> On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>
> Legatus wrote:
> > I am new to the list, and I apologize if this question has been
> > answered before.
> >
> > I haven't done much programming for LDAP, though I have been managing
> > directories for years. I am working with some developers, who a)
> > aren't very imaginative, b) not very clever, and c) lazy. So I need
> > to know how to get at the password information that says a password
> > has expired, is about to expire, et al. I have tried to query for the
> > attributes using ldapsearch that seem to be what I want, like
> > passwordexpirationtime, but I get nothing back.
> Can you post your exact ldapsearch command line? Note that
> passwordexpirationtime and other password attributes in user entries are
> operational attributes - this means they are not retrieved by default
> with an LDAP search but must be explicitly listed in the list of
> attributes to retrieve.
> > They all figure I should know the magic incantation, since I know how
> > to make the directory work, and usually that would be the case. This
> > time I am stuck. Anyone solved this problem? I am running FDS 1.0.2,
> > and 1.0.4. I get the same result in both. Any help would be great.
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
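Added example, not part of the thread: once passwordExpirationTime and passwordExpWarned are requested by name, a script can read them from the ldapsearch output to decide who needs an expiry warning, including the case above where an entry has no passwordExpirationTime yet. The sample LDIF is constructed (the first entry mirrors the thread's output), and the `jdoe` entry, the 14-day window and the function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of ldapsearch output (LDIF). The second entry has no
# passwordExpirationTime: its password has not been changed since
# expiration was enabled, so the server has not set the attribute yet.
SAMPLE_LDIF = """\
# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

# jdoe, People, example.com
dn: uid=jdoe, ou=People, dc=example,dc=com
"""

def parse_entries(ldif):
    """Split simple (unwrapped, non-base64) LDIF into attribute dicts."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comment line or a form this sketch does not handle
            name, value = line.split(": ", 1)
            entry[name.lower()] = value.strip()  # attribute names are case-insensitive
        if "dn" in entry:
            entries.append(entry)
    return entries

def expiry_status(entry, now, warn_days=14):
    """Return (state, days_left); warn_days is an assumed site policy."""
    stamp = entry.get("passwordexpirationtime")
    if stamp is None:
        return ("no-expiration-time", None)
    # GeneralizedTime in UTC, e.g. 20080615185146Z
    expires = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return ("expired", days_left)
    return ("warn" if days_left <= warn_days else "ok", days_left)

def report(ldif, now):
    """Map each DN to its expiry status at time `now`."""
    return {e["dn"]: expiry_status(e, now) for e in parse_entries(ldif)}

if __name__ == "__main__":
    for dn, status in report(SAMPLE_LDIF, datetime.now(timezone.utc)).items():
        print(dn, status)
```

Entries reported as `no-expiration-time` are the ones that would never receive a warning until the password is next changed or the attribute is added manually.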