FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 09-24-2010, 04:51 PM
Aaron Hagopian
 
Default how to get password expiration warnings and password policy

This only tells you if their password has expired but you will not know if there are grace logins and this also doesn't tell you give you password warnings without trying to lookup the policy. ┬*You can get all of the password information using ldap extended operations (part of LDAP v3 I think).


I am using this with great success in java but not sure how much is implemented in PHP. ┬*Maybe someone on this list or a php list may know better.



2010/9/24 Morris, Patrick <patrick.morris@hp.com>

┬*On 9/23/2010 8:13 PM, Ondrej Ivani─Ź wrote:

> Hi,

>

> Is there any way how to query user's password policy related

> attributes? I'm interested in password expiration date in order to

> show warning message.



Just look for "passwordExpirationTime" on the account entry. ┬*You'll

need to ask for it specifically.

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-24-2010, 05:39 PM
"Morris, Patrick"
 
Default how to get password expiration warnings and password policy

It's not true that this only tells you if it has expired.┬* It tells
you *when* it will expire if it's going to, which is what Ondrej
said he was looking for.┬* If you want to know, for example, if
someone's password will expire within a week, that field will tell
you.



On 9/24/2010 9:51 AM, Aaron Hagopian wrote:
This only tells you if their password has expired but
you will not know if there are grace logins and this also doesn't
tell you give you password warnings without trying to lookup the
policy. ┬*You can get all of the password information using ldap
extended operations (part of LDAP v3 I think).




I am using this with great success in java but not sure how
much is implemented in PHP. ┬*Maybe someone on this list or a php
list may know better.








2010/9/24 Morris, Patrick <patrick.morris@hp.com>


┬*On 9/23/2010 8:13 PM, Ondrej Ivani─Ź wrote:

> Hi,

>

> Is there any way how to query user's password policy
related

> attributes? I'm interested in password expiration
date in order to

> show warning message.




Just look for "passwordExpirationTime" on the account entry.
┬*You'll

need to ask for it specifically.


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users













--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-27-2010, 01:56 PM
Aaron Hagopian
 
Default how to get password expiration warnings and password policy

What I meant is all you know is the expiration date. ┬*You will not know any of the expiration information on top of that like when to start warning, if they have already been warned or if they have used grace logins. ┬*The reason these LDAP v3 requests exist is to be able to get extra information just like this.



2010/9/24 Morris, Patrick <patrick.morris@hp.com>








It's not true that this only tells you if it has expired.┬* It tells
you *when* it will expire if it's going to, which is what Ondrej
said he was looking for.┬* If you want to know, for example, if
someone's password will expire within a week, that field will tell
you.



On 9/24/2010 9:51 AM, Aaron Hagopian wrote:
This only tells you if their password has expired but
you will not know if there are grace logins and this also doesn't
tell you give you password warnings without trying to lookup the
policy. ┬*You can get all of the password information using ldap
extended operations (part of LDAP v3 I think).




I am using this with great success in java but not sure how
much is implemented in PHP. ┬*Maybe someone on this list or a php
list may know better.








2010/9/24 Morris, Patrick <patrick.morris@hp.com>


┬*On 9/23/2010 8:13 PM, Ondrej Ivani─Ź wrote:

> Hi,

>

> Is there any way how to query user's password policy
related

> attributes? I'm interested in password expiration
date in order to

> show warning message.




Just look for "passwordExpirationTime" on the account entry.
┬*You'll

need to ask for it specifically.


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users














--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-27-2010, 10:11 PM
Ondrej Ivani─Ź
 
Default how to get password expiration warnings and password policy

Hi,

I realised that I queried wrong DN and correct one is:
cn=nsPwPolicyEntry not cn=nsPwTemplateEntry:
dn: cn="cn=nsPwPolicyEntry,dc=example",cn=nsPwPolicyCo ntainer,dc=example
passwordMustChange: off
passwordExp: off
passwordMinAge: 0
passwordChange: off
passwordStorageScheme: ssha
passwordLockout: on
passwordLockoutDuration: 1800
passwordResetFailureCount: 1800
passwordUnlock: on
passwordMaxFailure: 6
passwordCheckSyntax: on
passwordMinLength: 10
passwordMinDigits: 3

It seems that password policy for sub tree doesn't work correctly -- I
used console (centos 8.1 directory server) to set it but if I set
password policy for server then it works correctly. Is this a known
bug?

When I activated password lockout for whole server I was able to query
user DN and get all password policy related attributes. Moreover login
failed when I reach number of failed logins specified by password
policy. This didn't happend for password policy activated for sub
tree. (via console).

I will try to set password policy using ldif files and post my finding here.

2010/9/24 Ondrej Ivani─Ź <ondrej.ivanic@gmail.com>:
> When I set password policy for server I can query cn=config and get
> password policy definition. When I set password policy for subtree I
> can't find any password policy related attributes.
>
> I tried to search using baseDN which is in 'pwdpolicysubentry' (
> 'cn="cn=nsPwTemplateEntry,dc=example",cn=nsPwPolic yContainer,dc=example'
> ) but nothing is there:
> dn: cn="cn=nsPwTemplateEntry,dc=example",cn=nsPwPolicy Container,dc=ex
> ┬*ample
> objectClass: extensibleObject
> objectClass: costemplate
> objectClass: ldapsubentry
> objectClass: top
> cosPriority: 1
> cn: "cn=nsPwTemplateEntry,dc=example"

Thanks,
--
Ondrej Ivanic
(ondrej.ivanic@gmail.com)
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 05:05 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ę2007 - 2008, www.linux-archive.org