I'm also working on it right now and using Perl to do that, so I used the filter (objectclass=ntUser) and requested the passwordExpirationTime attribute like this:

    filter => "objectclass=ntUser",
    attrs => ["entrydn","mail","passwordExpirationTime"],
    );

In my case, I prefer rather than write attributes to a file.

Hope that helps in your case.

On Thu, Nov 3, 2016 at 6:44 AM, Predrag Zečević - Technical Support Analyst <[email protected]> wrote:

> On 11/ 3/16 08:10 AM, Todor Petkov wrote:
>
>> Hello,
>>
>> I am trying to get the user password expiration date, so I can write a
>> script to send warning email before this. I am running the following:
>> ldapsearch -v -LLLx -h localhost -b
>> 'cn="cn=nsPwPolicyEntry,uid=user,ou=People,dc=domain,dc=com"
>> ,cn=nsPwPolicyContainer,ou=People,dc=domain,dc=com'
>> "(objectclass=ldapsubentry)"
>>
>> But I don't see such attribute in the results. Can you give me a hint
>> what's the ldap query? My versions are:
>>
>> 389-admin-console-1.1.8-1.el6.noarch
>> 389-ds-1.2.2-1.el6.noarch
>> 389-adminutil-1.1.19-1.el6.x86_64
>> 389-ds-base-libs-1.2.11.15-75.el6_8.x86_64
>> 389-ds-base-1.2.11.15-75.el6_8.x86_64
>> 389-ds-console-1.2.6-1.el6.noarch
>> 389-admin-console-doc-1.1.8-1.el6.noarch
>> 389-admin-1.1.35-1.el6.x86_64
>> 389-console-1.1.7-1.el6.noarch
>> 389-ds-console-doc-1.2.6-1.el6.noarch
>> 389-dsgw-1.1.11-1.el6.x86_64
>>
>>
>> Thanks in advance,
>> _______________________________________________
>> 389-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>>
> Hi,
>
> we are using something like:
>
> $ ldapsearch -xLLL -D "cn=Directory Manager" -W -b
> "cn=nsPwPolicyContainer,ou=people,dc=my-domain,dc=com"
> "(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=${givenName}
> ${sn}))"
>
> to get password policy setup for user "cn=${givenName} ${sn}" and check
> for values:
>
> passwordInHistory: 5
> passwordMinAge: 600
> passwordChange: on
> passwordUnlock: on
> passwordLockoutDuration: 1800
> passwordResetFailureCount: 600
> passwordLockout: on
> passwordMaxFailure: 10
> passwordMaxRepeats: 0
> passwordStorageScheme: ssha
> passwordMaxAge: 7776000
> passwordExp: on
> passwordGraceLimit: 6
> passwordMin8bit: 0
> passwordMinAlphas: 0
> passwordMinSpecials: 1
> passwordMinDigits: 1
> passwordMinLowers: 1
> passwordMinUppers: 1
> passwordMinTokenLength: 5
> passwordMinCategories: 4
> passwordMinLength: 8
> passwordCheckSyntax: on
> passwordMustChange: off
>
>
> Password data is retrieved from LDAP backup ldif, created with command:
>
> $ /usr/lib${ARCH}/dirsrv/slapd-${PADL}/db2ldif.pl -U -N -u -C -D
> 'cn=Directory Manager' -w - -n userRoot -a /tmp/LDAP_dump.ldif
>
> e.g. searching for password data for "cn=${givenName} ${sn}" in output
> file /tmp/LDAP_dump.ldif
>
> passwordExpWarned: 0
> passwordExpirationTime: 20161214070525Z
> passwordGraceUserTime: 0
> passwordAllowChangeTime: 20160915071525Z
> passwordHistory: 20160915070525Z{SSHA}HASH
> passwordHistory: 20150927121604Z{SSHA}HASH
> passwordHistory: 20151228130437Z{SSHA}HASH
> passwordHistory: 20160324145753Z{SSHA}HASH
> passwordHistory: 20160621103821Z{SSHA}HASH
>
> Script parses output for user; determines e-mail address and if reminder
> has to be sent... (maybe there is better way to get that data, but this one
> works).
>
> HTH
>
> With best regards.
> Predrag Zečević
> --
> Predrag Zečević
> Technical Support Analyst
> 2e Systems GmbH
>
> Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
> Mobile: +49 174 3109 288, Skype: predrag.zecevic
> E-mail: [email protected]
>
> Headquarter: 2e Systems GmbH, Königsteiner Str. 87,
> 65812 Bad Soden am Taunus, Germany
> Company registration: Amtsgericht Königstein (Germany), HRB 7303
> Managing director: Phil Douglas
>
> http://www.2e-systems.com/ - Making your business fly!
>
> _______________________________________________
> 389-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
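Added example, not code from anyone in this thread: the reminder check described above, written in Python and run over `ldapsearch -LLL` output that requests only `mail` and `passwordExpirationTime`, so no `passwordHistory` hashes are exported the way a full LDIF dump would. The sample entries, the 14-day window and the function names are assumptions made up for the illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch -LLL` output (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com
passwordExpirationTime: 20161214070525Z

dn: uid=bob,ou=People,dc=example,dc=com
mail: bob@example.com
passwordExpirationTime: 20161105120000Z

dn: uid=carol,ou=People,dc=example,dc=com
mail:: Y2Fyb2xAZXhhbXBsZS5jb20=
passwordExpirationTime: 20161101000000Z

dn: uid=svc-backup,ou=People,dc=example,
 dc=com
"""

def parse_entries(ldif):
    """Yield one {attr: value} dict per entry (single-valued attributes only)."""
    unfolded = ldif.replace("\n ", "")           # LDIF wraps long lines with "\n "
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: ..." marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()] = value.strip()
        yield entry

def expiring(ldif, now, warn_days=14):
    """Return [(mail, whole_days_left)], soonest first; negative means expired."""
    due = []
    for e in parse_entries(ldif):
        stamp = e.get("passwordexpirationtime")
        if not stamp or "mail" not in e:
            continue                             # no expiry set, or nobody to notify
        exp = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        left = exp - now
        if left <= timedelta(days=warn_days):
            due.append((e["mail"], left.days))
    return sorted(due, key=lambda item: item[1])

if __name__ == "__main__":
    print(expiring(SAMPLE_LDIF, datetime(2016, 11, 3, tzinfo=timezone.utc)))
```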
