Re: [389-users] ldapsearch to get users with expired password

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Thanks for the answer, but my users don't have the attribute
passwordexpirationtime, because this attribute is not generated until
the user login after the activation of the account/password policies.

Reading, I have seen that when a user binds to the server, the server
returns some controls indicating the expiring/expired password, if in
case. But I can not bind with the user as I don't have it's password,
so I can not get the controls that would return a bind with its user.
Could I simulate this using a proxy auth, ie, binding as Directory
Manager, but simulating a login of the user? Would this need some
special ACI? I am a bit lost...

Thanks in advance.

2011/2/28 James Roman <james.roman@xxxxxxxxxx>:
> On 02/28/2011 07:08 AM, Juan Asensio SÃnchez wrote:
> Is there any way to obtain the users with expired/expiring password?
> Hi have activated the password policy, making the password expire
> after X days, and warn them after X-10 days. Now, I want to create a
> cron job to send an email to users warning them about its password
> expiration. I know I can get that information about the user is
> binding, but not for the users obtained from a search.
> Filters are your friend.
> To select passwords that have expired since midnight, you would use the
> following filter (using today's date Feb 28 2011):
> "(passwordexpirationtime<=20110228000000Z)"
> To select users with passwords expiring in the next 10 days (passwords
> expire between today at midnight AND Mar. 10 at midnight):
> "(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z))"
> You may need to add additional filter terms as well. The script that we use
> also filters out (excludes) inactive accounts (since we don't delete
> accounts from our directory.) Inactivated accounts in our directory all
> belong to a single group (and we have the group memberof plugin enabled):
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!
> (memberOf=cn=inactivated,cn=account
> inactivation,cn=accounts,dc=domain,dc=com))))"
> Depending on how your directory is designed, it might make more sense to
> eliminate users with the nsaccountlock attribute set to true:
> "(&(&(passwordexpirationtime<=20110228000000Z)(passwordexpirationtime>=20110310000000Z)(!
> (nsaccountlock=true))))"
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
389 users mailing list

[Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Home]     [Fedora Tools]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Red Hat 9 Bible]     [Red Hat 9]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

Add to Google