My recollection from a bunch of Perl/LDAP I wrote against AD a lifetime ago is that getting this from LDAP is painful. First, "Password Expiration" is not stored with each user object. Instead, you must access the "Password last changed" attribute, then adjust this by your domain's password expiration policy.
To make life more fun, the "Password Last Changed" value is not an ordinary timestamp, but rather is encoded using the "LargeInteger" syntax (search for "FileTime"), which is an 8-byte string representing the number of 100-nanosecond increments from 1/1/1601. Thankfully, this means I can expire the passwords of the early European settlers of America. It can be done, but it ain't fun.

HTH,
-Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Velpi
Sent: Wednesday, July 25, 2007 4:59 PM
To: Yale CAS mailing list
Subject: Re: CAS and Active Directory Password Expiration

> I'm not familiar with AD's password expiration settings. What's
> supposed to happen if the password is expired?

I'm not entirely sure, but I always thought it was just another attribute that can be checked from the LDAP interface. (If that is true,) it fits perfectly in this topic:
http://www.ja-sig.org/wiki/display/CAS/Expired+Password+Integration

--
Velpi
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
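
The calculation described in the thread, as an added example that is not part of the original messages: convert the FILETIME-encoded "password last changed" value and apply the domain's maximum password age. It assumes the standard AD attribute names `pwdLastSet`, `maxPwdAge` (read from the domain object) and `userAccountControl`; the function names are hypothetical and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit
NO_MAX_AGE = -(2 ** 63)          # maxPwdAge value meaning "passwords never expire"


def to_int(value):
    """LDAP returns LargeInteger values as decimal text; accept int, str or bytes."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    return int(value)


def filetime_to_datetime(ticks):
    """Convert 100-ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=to_int(ticks) // 10)


def password_expiry(pwd_last_set, max_pwd_age, user_account_control=0):
    """Return (status, expires_at) with status 'never', 'must_change' or 'expires'."""
    last_set = to_int(pwd_last_set)
    max_age = to_int(max_pwd_age)
    if to_int(user_account_control) & DONT_EXPIRE_PASSWORD:
        return ("never", None)
    if last_set == 0:
        # pwdLastSet = 0: user must change password at next logon
        return ("must_change", None)
    if max_age == 0 or max_age == NO_MAX_AGE:
        return ("never", None)
    # maxPwdAge is stored as a negative interval in 100-ns ticks
    max_age_delta = timedelta(microseconds=-max_age // 10)
    return ("expires", filetime_to_datetime(last_set) + max_age_delta)


if __name__ == "__main__":
    # Constructed sample: password set 2007-07-01 00:00 UTC, 42-day policy
    sample_pwd_last_set = b"128277216000000000"
    sample_max_pwd_age = "-36288000000000"
    status, when = password_expiry(sample_pwd_last_set, sample_max_pwd_age, 0x200)
    print(status, when.isoformat() if when else "")
    # An account flagged "password never expires" (0x200 | 0x10000)
    print(password_expiry(sample_pwd_last_set, sample_max_pwd_age, 0x10200))
```
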
