[Fedora-directory-users] How to ldapsearch password expiration data?
Richard Megginson
rmeggins at redhat.com
Fri Nov 11 03:57:05 UTC 2005
Vsevolod (Simon) Ilyushchenko wrote:
> Rich,
>
> Thanks - I can see them now.
>
> However, now I have questions about the semantics of password
> expiration. The NIS+ tables store the account (not password)
> expiration date as the absolute day number (from year 0). I'm trying
> to replicate these data in FDS.
>
> 1. First of all, I'm not sure that the password expiration feature
> does the same thing. When the password expires, will the user be
> prompted to change it or will he be locked out?
It really depends on the application. I think FDS will send back some
response controls related to password expiration. FDS also allows a
configurable number of "grace logins" to allow the user to log in
specifically for the purpose of changing the password.
>
> 2. Second, I can't even test it, because I can't seem to force an
> expiration. The passwordMaxAge attribute is the number of days after
> which the password will expire. Well, it's the number of days *since
> when*? Since today? How is it updated then as the time goes by? Or
> since the first logon? Where is it stored then?
I think the console uses a minimum of 1 day, but in LDAP you can go down
to the second, so that might make it easier to test. passwordMaxAge is
the age since the password was created or last modified.
>
> I am truly missing something. The admin guide does not make it clear.
>
> Thanks,
> Simon
>
> Richard Megginson wrote on 11/09/2005 06:18 PM:
>
>> Those attributes are operational, so you must explicitly ask for them
>> on the ldapsearch command line e.g.
>> ldapsearch -b \
>>   'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu' \
>>   passwordMaxAge passwordWarning passwordMinAge passwordExp \
>>   passwordGraceLimit
>>
>> In addition, ldapsubentry objects are hidden from normal searches.
>> You must explicitly request objects of this type by adding the
>> (objectclass=ldapsubentry) to your search filter e.g.
>> '(|(objectclass=*)(objectclass=ldapsubentry))'
>> to get all regular entries and sub entries, or just
>> '(objectclass=ldapsubentry)'
>> to get only the sub entry objects.
>
>
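Added example, not part of the original thread and not FDS code: it builds the ldapsearch invocation Rich describes for a per-user policy subentry (explicit operational attributes, explicit `(objectclass=ldapsubentry)` filter), parses the LDIF such a search returns, and then evaluates a password against the policy using the semantics he gives (passwordMaxAge counted from the last password change, passwordWarning as a window before expiry, passwordGraceLimit as extra binds to change the password). Assumptions: durations are in seconds, the LDIF below is constructed sample data, bind and host options are left off the command line, and the time of the last password change is supplied by the caller because the thread does not say where FDS stores it.

```python
"""Added example for the FDS password-policy thread (not code from the
original post or from Fedora Directory Server itself)."""
from datetime import datetime, timedelta, timezone

# Attributes Rich lists; they are operational, so they must be named explicitly.
POLICY_ATTRS = ["passwordMaxAge", "passwordWarning", "passwordMinAge",
                "passwordExp", "passwordGraceLimit"]


def policy_entry_dn(uid: str, base: str) -> str:
    """DN of the per-user policy subentry in the shape quoted in the thread:
    the user's policy DN is embedded as a quoted RDN value."""
    inner = f"cn=nsPwPolicyEntry,uid={uid},{base}"
    return f'cn="{inner}",cn=nsPwPolicyContainer,{base}'


def policy_search_argv(uid: str, base: str, subentries_only: bool = True) -> list:
    """argv for ldapsearch: ldapsubentry objects are hidden from normal
    searches, so the filter must ask for them. Host/bind options omitted
    (assumption: add whatever your ldapsearch build needs)."""
    flt = ("(objectclass=ldapsubentry)" if subentries_only
           else "(|(objectclass=*)(objectclass=ldapsubentry))")
    return ["ldapsearch", "-b", policy_entry_dn(uid, base), flt, *POLICY_ATTRS]


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader for one entry: skips comments, unfolds
    continuation lines (leading space), keeps every attribute as a list."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def password_state(policy: dict, changed_at: datetime, now: datetime,
                   grace_used: int = 0) -> tuple:
    """Return (state, expires_at) for a password last changed at changed_at.
    changed_at is caller-supplied (assumption: the thread does not name the
    attribute FDS keeps it in). States: no-expiry, ok, warning, grace
    (past expiry but grace logins remain), expired."""
    def first(attr, default=None):
        return policy.get(attr, [default])[0]

    if str(first("passwordExp", "off")).lower() != "on":
        return "no-expiry", None
    max_age = int(first("passwordMaxAge"))          # seconds since last change
    warning = int(first("passwordWarning", 0))      # seconds before expiry
    grace = int(first("passwordGraceLimit", 0))     # binds allowed after expiry
    expires_at = changed_at + timedelta(seconds=max_age)
    if now < expires_at - timedelta(seconds=warning):
        return "ok", expires_at
    if now < expires_at:
        return "warning", expires_at
    if grace_used < grace:
        return "grace", expires_at
    return "expired", expires_at


# Constructed sample output of the search above; not captured from a server.
SAMPLE_LDIF = """\
# constructed sample, one-day max age, one-hour warning, three grace logins
dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicy
 Container,ou=People,dc=cshl,dc=edu
objectClass: top
objectClass: ldapsubentry
passwordExp: on
passwordMaxAge: 86400
passwordWarning: 3600
passwordMinAge: 0
passwordGraceLimit: 3
"""

if __name__ == "__main__":
    print(" ".join(policy_search_argv("ilyush", "ou=People,dc=cshl,dc=edu")))
    policy = parse_ldif_entry(SAMPLE_LDIF)
    changed = datetime(2005, 11, 10, 12, 0, tzinfo=timezone.utc)
    for hours in (1, 23.5, 25):
        print(hours, password_state(policy, changed, changed + timedelta(hours=hours)))
```

Setting passwordMaxAge to a small number of seconds via LDAP, as Rich suggests, is the quickest way to watch the state move from ok to warning to grace to expired without waiting a day; the grace count is the number of binds FDS still accepts after expiry, so a client that never changes the password will burn through it.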