FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Directory

 
 
LinkBack Thread Tools
 
Old 01-21-2011, 01:45 PM
 
Default Determine when a password is about to expire

I am in the process of creating a web-based
mechanism to allow our users to change their password on our new 389-ds
server. *I would like to display the date that their password is due
to expire, and while Googling around, I see a lot of references to pwdLastSet,
but about 95% of the articles are referring to Active Directory. *I
don't see pwdLastSet amongst the attributes in my default 389-ds setup.
*Is it there, or do I have to add that attribute to every account?



Also, I currently have my pages set
up where, when the user logs in, it detects our 'default' password and
forces them to change it. *Is there some attribute in their account
that I can set that I can key off of and force them to change their password
when they login to my site?



Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 02:16 PM
James Roman
 
Default Determine when a password is about to expire

Most LDAP servers use a different schema than the Microsoft version
and work from the opposite direction. Try querying
"passwordexpirationtime". You can do a search for the specific
password schema with the following info: 2.16.840.1.113730.3.2.12*
passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows the
user to log in solely to change their password.



However, you must explicitly program your site to gracefully handle
this situation (condition where passwordexpirationtime < now <
passwordGraceUserTime) , since the user's LDAP authentication
attempt against the directory will fail (with an error indicating
the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov wrote:



I am in the process of creating a
web-based
mechanism to allow our users to change their password on our new
389-ds
server. *I would like to display the date that their password is
due
to expire, and while Googling around, I see a lot of references
to pwdLastSet,
but about 95% of the articles are referring to Active Directory.
*I
don't see pwdLastSet amongst the attributes in my default 389-ds
setup.
*Is it there, or do I have to add that attribute to every
account?




Also, I currently have my pages
set
up where, when the user logs in, it detects our 'default'
password and
forces them to change it. *Is there some attribute in their
account
that I can set that I can key off of and force them to change
their password
when they login to my site?




Thanks for any tips!


Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 03:11 PM
 
Default Determine when a password is about to expire

I can get the passwordexpirationtime
value, but I'm unsure what you mean by "set the password expiration
to occur immediately". *I'm coming from the Windows world, so
I'm used to the "User must change password at next logon" checkbox.
*I don't see that anywhere on the GUI, so I'm unclear how you set
that.



Also, how do I manipulate the dates?
*I get something similar to 20110122161029Z (for example) for passwordexpirationtime.
*How do I convert that to a proper date format? *Also, I just
changed my account's password while testing, and I see that passwordexpirationtime
got reset to 19700101000000Z. *What does the 1970xxx value represent?



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov








From:
James Roman <james.roman@ssaihq.com>



To:
389-users@lists.fedoraproject.org

Date:
01/21/2011 10:17 AM

Subject:
Re: [389-users] Determine when a password
is about to expire

Sent by:
389-users-bounces@lists.fedoraproject.org








Most LDAP servers use a different schema than the Microsoft
version and work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 *passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.



However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now < passwordGraceUserTime)
, since the user's LDAP authentication attempt against the directory will
fail (with an error indicating the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:



I am in the process of creating a web-based mechanism to allow our users
to change their password on our new 389-ds server. *I would like to
display the date that their password is due to expire, and while Googling
around, I see a lot of references to pwdLastSet, but about 95% of the articles
are referring to Active Directory. *I don't see pwdLastSet amongst
the attributes in my default 389-ds setup. *Is it there, or do I have
to add that attribute to every account?



Also, I currently have my pages set up where, when the user logs in, it
detects our 'default' password and forces them to change it. *Is there
some attribute in their account that I can set that I can key off of and
force them to change their password when they login to my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 05:13 PM
Noriko Hosoi
 
Default Determine when a password is about to expire

harry.devine@faa.gov wrote:



I can get the
passwordexpirationtime
value, but I'm unsure what you mean by "set the password
expiration
to occur immediately". *I'm coming from the Windows world, so
I'm used to the "User must change password at next logon"
checkbox.
*I don't see that anywhere on the GUI, so I'm unclear how you
set
that.



Could this help ...?




http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Managing_the_Password _Policy-Configuring_the_Password_Policy

Set the password policies for how users can change their own
passwords.





To require users to change their password the
first time they log on, select the User
must change password after reset checkbox.



NOTE


If users are required to reset their
password, only the Directory Manager is authorized to
reset the user's password. A regular administrative user
cannot force the users to update their password.






http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_ Password_Policy_Using_the_Command_Line-Password_Policy_Attributes



passwordMustChange When on,
this attribute requires users to change their passwords when they
first login to the directory or after the password is reset by the
Directory Manager. The user is required to change their password
even if user-defined passwords are disabled. If this attribute is
set to off, passwords assigned by the
Directory Manager should not follow any obvious convention and
should be difficult to discover. This attribute is off by default.



Also, how do I manipulate the
dates?
*I get something similar to 20110122161029Z (for example) for
passwordexpirationtime.
*How do I convert that to a proper date format? *Also, I just
changed my account's password while testing, and I see that
passwordexpirationtime
got reset to 19700101000000Z. *What does the 1970xxx value
represent?




Thanks,


Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov









From:

James Roman
<james.roman@ssaihq.com>





To:

389-users@lists.fedoraproject.org



Date:

01/21/2011 10:17 AM



Subject:

Re: [389-users]
Determine when a password
is about to expire



Sent
by:

389-users-bounces@lists.fedoraproject.org












Most LDAP servers use a different schema than the
Microsoft
version and work from the opposite direction. Try querying
"passwordexpirationtime".
You can do a search for the specific password schema with the
following
info: 2.16.840.1.113730.3.2.12 *passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows
the user
to log in solely to change their password.



However, you must explicitly program your site to gracefully
handle this
situation (condition where passwordexpirationtime < now <
passwordGraceUserTime)
, since the user's LDAP authentication attempt against the
directory will
fail (with an error indicating the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:




I am in the process of creating a web-based mechanism to allow
our users
to change their password on our new 389-ds server. *I would like
to
display the date that their password is due to expire, and while
Googling
around, I see a lot of references to pwdLastSet, but about 95%
of the articles
are referring to Active Directory. *I don't see pwdLastSet
amongst
the attributes in my default 389-ds setup. *Is it there, or do I
have
to add that attribute to every account?



Also, I currently have my pages set up where, when the user logs
in, it
detects our 'default' password and forces them to change it. *Is
there
some attribute in their account that I can set that I can key
off of and
force them to change their password when they login to my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov







--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 06:20 PM
Aaron Hagopian
 
Default Determine when a password is about to expire

Harry,
This is the pattern I use to parse the date in java: "yyyyMMddHHmmss'Z'". �You can probably deduce what the values represent by looking at the pattern.��Also the times are stored in UTC so you'll probably want to convert that to the local timezone if you're going to display the date/time to the user. �


Aaron
2011/1/21 <harry.devine@faa.gov>




I can get the passwordexpirationtime
value, but I'm unsure what you mean by "set the password expiration
to occur immediately". �I'm coming from the Windows world, so
I'm used to the "User must change password at next logon" checkbox.
�I don't see that anywhere on the GUI, so I'm unclear how you set
that.



Also, how do I manipulate the dates?
�I get something similar to 20110122161029Z (for example) for passwordexpirationtime.
�How do I convert that to a proper date format? �Also, I just
changed my account's password while testing, and I see that passwordexpirationtime
got reset to 19700101000000Z. �What does the 1970xxx value represent?



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov








From:
James Roman <james.roman@ssaihq.com>



To:
389-users@lists.fedoraproject.org

Date:
01/21/2011 10:17 AM

Subject:
Re: [389-users] Determine when a password
is about to expire

Sent by:
389-users-bounces@lists.fedoraproject.org








Most LDAP servers use a different schema than the Microsoft
version and work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 �passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.



However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now < passwordGraceUserTime)
, since the user's LDAP authentication attempt against the directory will
fail (with an error indicating the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:



I am in the process of creating a web-based mechanism to allow our users
to change their password on our new 389-ds server. �I would like to
display the date that their password is due to expire, and while Googling
around, I see a lot of references to pwdLastSet, but about 95% of the articles
are referring to Active Directory. �I don't see pwdLastSet amongst
the attributes in my default 389-ds setup. �Is it there, or do I have
to add that attribute to every account?



Also, I currently have my pages set up where, when the user logs in, it
detects our 'default' password and forces them to change it. �Is there
some attribute in their account that I can set that I can key off of and
force them to change their password when they login to my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users




--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 07:17 PM
Rich Megginson
 
Default Determine when a password is about to expire

On 01/21/2011 12:20 PM, Aaron Hagopian wrote:
Harry,



This is the pattern I use to parse the date in java:
"yyyyMMddHHmmss'Z'". *You can probably deduce what the values
represent by looking at the pattern.**Also the times are stored
in UTC so you'll probably want to convert that to the local
timezone if you're going to display the date/time to the user. *




Aaron


2011/1/21 <harry.devine@faa.gov>




I can get the
passwordexpirationtime
value, but I'm unsure what you mean by "set the password
expiration
to occur immediately". *I'm coming from the Windows world,
so
I'm used to the "User must change password at next logon"
checkbox.
*I don't see that anywhere on the GUI, so I'm unclear how
you set
that.




Also, how do I manipulate
the dates?
*I get something similar to 20110122161029Z (for example)
for passwordexpirationtime.
*How do I convert that to a proper date format?



What programming language are you using?

http://en.wikipedia.org/wiki/ISO_8601 - the format is used with no
separators (e.g. 20110122 instead of 2011-01-22) and no "T" between
the date and the time.




Also, I
just
changed my account's password while testing, and I see
that passwordexpirationtime
got reset to 19700101000000Z. *What does the 1970xxx value
represent?






That is a special value meaning the password needs to be changed.







Thanks,


Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov










From:

James Roman <james.roman@ssaihq.com>





To:


389-users@lists.fedoraproject.org




Date:

01/21/2011 10:17
AM



Subject:

Re: [389-users]
Determine when a password
is about to expire



Sent
by:

389-users-bounces@lists.fedoraproject.org














Most LDAP servers use a different schema
than the Microsoft
version and work from the opposite direction. Try
querying "passwordexpirationtime".
You can do a search for the specific password schema
with the following
info: 2.16.840.1.113730.3.2.12 *passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period
that allows the user
to log in solely to change their password.



However, you must explicitly program your site to
gracefully handle this
situation (condition where passwordexpirationtime <
now < passwordGraceUserTime)
, since the user's LDAP authentication attempt against
the directory will
fail (with an error indicating the password has
expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:




I am in the process of creating a web-based mechanism
to allow our users
to change their password on our new 389-ds server. *I
would like to
display the date that their password is due to expire,
and while Googling
around, I see a lot of references to pwdLastSet, but
about 95% of the articles
are referring to Active Directory. *I don't see
pwdLastSet amongst
the attributes in my default 389-ds setup. *Is it
there, or do I have
to add that attribute to every account?



Also, I currently have my pages set up where, when the
user logs in, it
detects our 'default' password and forces them to
change it. *Is there
some attribute in their account that I can set that I
can key off of and
force them to change their password when they login to
my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov







--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users








--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users








--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-21-2011, 08:01 PM
 
Default Determine when a password is about to expire

I'm using PHP since I'm trying to make
a web-based mechanism for our users to change their passwords. *Many
of them aren't exactly tech-savvy, and are used to the old Windows way
of logging into our Windows machine, and being told that they must change
their password. *I'm trying to come up with a way to do that for them.



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov








From:
Rich Megginson <rmeggins@redhat.com>



To:
389-users@lists.fedoraproject.org

Date:
01/21/2011 03:18 PM

Subject:
Re: [389-users] Determine when a password
is about to expire

Sent by:
389-users-bounces@lists.fedoraproject.org








On 01/21/2011 12:20 PM, Aaron Hagopian wrote:

Harry,



This is the pattern I use to parse the date in java: "yyyyMMddHHmmss'Z'".
*You can probably deduce what the values represent by looking at the
pattern. *Also the times are stored in UTC so you'll probably want
to convert that to the local timezone if you're going to display the date/time
to the user. *



Aaron



2011/1/21 <harry.devine@faa.gov>



I can get the passwordexpirationtime value, but I'm unsure what you mean
by "set the password expiration to occur immediately". *I'm
coming from the Windows world, so I'm used to the "User must change
password at next logon" checkbox. *I don't see that anywhere
on the GUI, so I'm unclear how you set that.



Also, how do I manipulate the dates? *I get something similar to 20110122161029Z
(for example) for passwordexpirationtime. *How do I convert that to
a proper date format?

What programming language are you using?

http://en.wikipedia.org/wiki/ISO_8601
- the format is used with no separators (e.g. 20110122 instead of 2011-01-22)
and no "T" between the date and the time.

Also, I just changed my account's password
while testing, and I see that passwordexpirationtime got reset to 19700101000000Z.
*What does the 1970xxx value represent?

That is a special value meaning the password needs to
be changed.



Thanks,

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov







From:

James Roman <james.roman@ssaihq.com>


To:

389-users@lists.fedoraproject.org


Date:

01/21/2011 10:17 AM


Subject:

Re: [389-users] Determine when a password
is about to expire

Sent by:

389-users-bounces@lists.fedoraproject.org












Most LDAP servers use a different schema than the Microsoft version and
work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 *passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.



However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now < passwordGraceUserTime)
, since the user's LDAP authentication attempt against the directory will
fail (with an error indicating the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:



I am in the process of creating a web-based mechanism to allow our users
to change their password on our new 389-ds server. *I would like to
display the date that their password is due to expire, and while Googling
around, I see a lot of references to pwdLastSet, but about 95% of the articles
are referring to Active Directory. *I don't see pwdLastSet amongst
the attributes in my default 389-ds setup. *Is it there, or do I have
to add that attribute to every account?



Also, I currently have my pages set up where, when the user logs in, it
detects our 'default' password and forces them to change it. *Is there
some attribute in their account that I can set that I can key off of and
force them to change their password when they login to my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users






--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users







--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 01-24-2011, 01:26 PM
James Roman
 
Default Determine when a password is about to expire

When I went through this exercise, I learned that PHP alone was not
going to work well, especially if you ever need to use password
synchronization with another password system (I.E. AD sync). The PHP
way of changing LDAP password essentially involves encrypting and
encoding the password within your PHP application and writing that
encrypted and encoded password directly to the user's password
attribute. This prevents password synchronization to external
systems. Ideally you want to use the ldapv3 ldappasswd mechanism for
changing your password within the directory. That way the directory
can read and propagate password changes correctly. Since PHP did not
contain a ldappasswd module, I ended up writing a PHP front-end
which passes the authentication request to separate Perl script to
actually change the password. There is a similar sourceforge project
called locksmith, but it also does the password changes the wrong
way (and encodes shorter passwords improperly, if I remember
correctly.)



On 01/21/2011 04:01 PM, harry.devine@faa.gov wrote:



I'm using PHP since I'm trying to
make
a web-based mechanism for our users to change their passwords.
*Many
of them aren't exactly tech-savvy, and are used to the old
Windows way
of logging into our Windows machine, and being told that they
must change
their password. *I'm trying to come up with a way to do that for
them.




Thanks,


Harry




Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov









From:

Rich Megginson
<rmeggins@redhat.com>





To:

389-users@lists.fedoraproject.org



Date:

01/21/2011 03:18 PM



Subject:

Re: [389-users]
Determine when a password
is about to expire



Sent
by:

389-users-bounces@lists.fedoraproject.org












On 01/21/2011 12:20 PM, Aaron Hagopian wrote:


Harry,




This is the pattern I use to parse the date in
java: "yyyyMMddHHmmss'Z'".
*You can probably deduce what the values represent by looking at
the
pattern. *Also the times are stored in UTC so you'll probably
want
to convert that to the local timezone if you're going to display
the date/time
to the user. *




Aaron




2011/1/21 <harry.devine@faa.gov>




I can get the passwordexpirationtime value, but I'm unsure what
you mean
by "set the password expiration to occur immediately". *I'm
coming from the Windows world, so I'm used to the "User must
change
password at next logon" checkbox. *I don't see that anywhere
on the GUI, so I'm unclear how you set that.



Also, how do I manipulate the dates? *I get something similar to
20110122161029Z
(for example) for passwordexpirationtime. *How do I convert that
to
a proper date format?


What programming language are you using?

http://en.wikipedia.org/wiki/ISO_8601
- the format is used with no separators (e.g. 20110122 instead
of 2011-01-22)
and no "T" between the date and the time.


Also, I just changed my account's
password
while testing, and I see that passwordexpirationtime got reset
to 19700101000000Z.
*What does the 1970xxx value represent?


That is a special value meaning the password needs
to
be changed.




Thanks,


Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov








From:


James Roman
<james.roman@ssaihq.com>




To:


389-users@lists.fedoraproject.org




Date:


01/21/2011 10:17 AM




Subject:


Re: [389-users]
Determine when a password
is about to expire



Sent
by:


389-users-bounces@lists.fedoraproject.org

















Most LDAP servers use a different schema than the Microsoft
version and
work from the opposite direction. Try querying
"passwordexpirationtime".
You can do a search for the specific password schema with the
following
info: 2.16.840.1.113730.3.2.12 *passwordObject



I think it is more common to:

1. administratively set the password on a user account

2. set the password expiration to occur immediately.

3. set the passwordGraceUserTime for a time period that allows
the user
to log in solely to change their password.



However, you must explicitly program your site to gracefully
handle this
situation (condition where passwordexpirationtime < now <
passwordGraceUserTime)
, since the user's LDAP authentication attempt against the
directory will
fail (with an error indicating the password has expired).



On 01/21/2011 09:45 AM, harry.devine@faa.gov
wrote:



I am in the process of creating a web-based mechanism to allow
our users
to change their password on our new 389-ds server. *I would like
to
display the date that their password is due to expire, and while
Googling
around, I see a lot of references to pwdLastSet, but about 95%
of the articles
are referring to Active Directory. *I don't see pwdLastSet
amongst
the attributes in my default 389-ds setup. *Is it there, or do I
have
to add that attribute to every account?



Also, I currently have my pages set up where, when the user logs
in, it
detects our 'default' password and forces them to change it. *Is
there
some attribute in their account that I can set that I can key
off of and
force them to change their password when they login to my site?




Thanks for any tips!

Harry



Harry Devine

Common ARTS Software Development

AJT-144

(609)485-4218

Harry.Devine@faa.gov






--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users







--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users








--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users






--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users





--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 

Thread Tools




All times are GMT. The time now is 07:08 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org