Hi,

Thanks for the answer, but my users don't have the attribute passwordexpirationtime, because this attribute is not generated until the user logs in after the activation of the account/password policies. Reading, I have seen that when a user binds to the server, the server returns some controls indicating the expiring/expired password, if that is the case. But I cannot bind with the user as I don't have its password, so I cannot get the controls that a bind with its user would return. Could I simulate this using a proxy auth, i.e., binding as Directory Manager, but simulating a login of the user? Would this need some special ACI? I am a bit lost...

Thanks in advance.

2011/2/28 James Roman <james.roman@xxxxxxxxxx>:
> On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
> > Is there any way to obtain the users with expired/expiring password?
> > I have activated the password policy, making the password expire
> > after X days, and warn them after X-10 days. Now, I want to create a
> > cron job to send an email to users warning them about their password
> > expiration. I know I can get that information when the user is
> > binding, but not for the users obtained from a search.
>
> Filters are your friend.
>
> To select passwords that have expired since midnight, you would use the
> following filter (using today's date Feb 28 2011):
> "(passwordexpirationtime<=20110228000000Z)"
>
> To select users with passwords expiring in the next 10 days (passwords
> expire between today at midnight AND Mar. 10 at midnight):
> "(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z))"
>
> You may need to add additional filter terms as well. The script that we use
> also filters out (excludes) inactive accounts (since we don't delete
> accounts from our directory.) Inactivated accounts in our directory all
> belong to a single group (and we have the group memberof plugin enabled):
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!(memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"
>
> Depending on how your directory is designed, it might make more sense to
> eliminate users with the nsaccountlock attribute set to true:
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!(nsaccountlock=true))))"
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
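
For the cron job discussed in this thread, an added example (not part of the original messages) that builds the search filters from the current date instead of hard-coding it. Function names and the `(objectClass=person)` base filter are assumptions. The expiring window is written with the lower bound as `>=` and the upper bound as `<=`, and the third filter goes beyond the thread's filters by listing entries that have no passwordexpirationtime value yet, which the date filters cannot match.

```python
from datetime import datetime, timedelta, timezone

ATTR = "passwordexpirationtime"  # attribute name as used in the thread

def midnight_utc(dt):
    """Truncate an aware datetime to 00:00:00 UTC of the same UTC day."""
    return dt.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)

def gtime(dt):
    """Render an aware datetime as LDAP GeneralizedTime, e.g. 20110228000000Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def escape(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def exclusions(inactive_group_dn=None, skip_locked=False):
    """Negated terms for inactivated accounts (both options come from the thread)."""
    terms = ""
    if inactive_group_dn:
        terms += "(!(memberOf=%s))" % escape(inactive_group_dn)
    if skip_locked:
        terms += "(!(nsaccountlock=true))"
    return terms

def expired_filter(now, **excl):
    """Passwords whose expiration time is at or before today's midnight."""
    return "(&(%s<=%s)%s)" % (ATTR, gtime(midnight_utc(now)), exclusions(**excl))

def expiring_filter(now, days, **excl):
    """Passwords expiring between today's midnight and `days` days later."""
    start = midnight_utc(now)
    return "(&(%s>=%s)(%s<=%s)%s)" % (
        ATTR, gtime(start), ATTR, gtime(start + timedelta(days=days)), exclusions(**excl))

def no_expiry_filter(base="(objectClass=person)", **excl):
    """Entries with no expiration attribute yet; `base` is an assumed user filter."""
    return "(&%s(!(%s=*))%s)" % (base, ATTR, exclusions(**excl))

if __name__ == "__main__":
    now = datetime(2011, 2, 28, 15, 30, tzinfo=timezone.utc)  # constructed date
    print(expired_filter(now, skip_locked=True))
    print(expiring_filter(now, 10, skip_locked=True))
    print(no_expiry_filter(skip_locked=True))
```
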