Re: [389-users] Determine when a password is about to expire

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




I can get the passwordexpirationtime value, but I'm unsure what you mean by "set the password expiration to occur immediately".  I'm coming from the Windows world, so I'm used to the "User must change password at next logon" checkbox.  I don't see that anywhere on the GUI, so I'm unclear how you set that.

Also, how do I manipulate the dates?  I get something similar to 20110122161029Z (for example) for passwordexpirationtime.  How do I convert that to a proper date format?  Also, I just changed my account's password while testing, and I see that passwordexpirationtime got reset to 19700101000000Z.  What does the 1970xxx value represent?

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
Harry.Devine@xxxxxxx



From: James Roman <james.roman@xxxxxxxxxx>
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
Date: 01/21/2011 10:17 AM
Subject: Re: [389-users] Determine when a password is about to expire
Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx





Most LDAP servers use a different schema than the Microsoft version and work from the opposite direction. Try querying "passwordexpirationtime". You can do a search for the specific password schema with the following info: 2.16.840.1.113730.3.2.12  passwordObject

I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user to log in solely to change their password.

However, you must explicitly program your site to gracefully handle this situation (condition where passwordexpirationtime < now < passwordGraceUserTime) , since the user's LDAP authentication attempt against the directory will fail (with an error indicating the password has expired).

On 01/21/2011 09:45 AM,
harry.devine@xxxxxxx wrote:

I am in the process of creating a web-based mechanism to allow our users to change their password on our new 389-ds server.  I would like to display the date that their password is due to expire, and while Googling around, I see a lot of references to pwdLastSet, but about 95% of the articles are referring to Active Directory.  I don't see pwdLastSet amongst the attributes in my default 389-ds setup.  Is it there, or do I have to add that attribute to every account?


Also, I currently have my pages set up where, when the user logs in, it detects our 'default' password and forces them to change it.  Is there some attribute in their account that I can set that I can key off of and force them to change their password when they login to my site?


Thanks for any tips!

Harry


Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218

Harry.Devine@xxxxxxx


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux