[Fedora-directory-users] How to ldapsearch password expiration data?
Vsevolod (Simon) Ilyushchenko
simonf at cshl.edu
Thu Nov 10 17:05:29 UTC 2005
Rich,
Thanks - I can see them now.
However, now I have questions about the semantics of password
expiration. The NIS+ tables store the account (not password) expiration
date as the absolute day number (from year 0). I'm trying to replicate
these data in FDS.
1. First of all, I'm not sure that the password expiration feature does
the same thing. When the password expires, will the user be prompted to
change it or will he be locked out?
2. Second, I can't even test it, because I can't seem to force an
expiration. The passwordMaxAge attribute is the number of days after
which the password will expire. Well, it's the number of days *since
when*? Since today? How is it updated then as the time goes by? Or since
the first logon? Where is it stored then?
I am truly missing something. The admin guide does not make it clear.
Thanks,
Simon
Richard Megginson wrote on 11/09/2005 06:18 PM:
> Those attributes are operational, so you must explicitly ask for them on
> the ldapsearch command line e.g.
> ldapsearch -b
> 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'
> passwordMaxAge passwordWarning passwordMinAge passwordExp
> passwordGraceLimit
>
> In addition, ldapsubentry objects are hidden from normal searches. You
> must explicitly request objects of this type by adding the
> (objectclass=ldapsubentry) to your search filter e.g.
> '(|(objectclass=*)(objectclass=ldapsubentry))'
> to get all regular entries and sub entries, or just
> '(objectclass=ldapsubentry)'
> to get only the sub entry objects.
--
Simon (Vsevolod ILyushchenko) simonf at cshl.edu
http://www.simonf.com
"Think like a man of action, act like a man of thought."
Henri Bergson
More information about the Fedora-directory-users
mailing list