Hi James,

        I have a similar problem but instead of RACF I have to run
ldapsearch against a Windows AD.
        Anyway, I think the approach I tried would help you. Let's look at
the ldapsearch I am executing:

---------------------- 8< --------------------------------
#
# In this case, I am capturing how long the password could be maintained (in our case: 90 days)
# In order to find that value I have to "ask" for the "maxPwdAge" AD parameter and put the value in the
#       MAX_PWD_AGE environment variable.
# In your case, you have to find out which parameter you need to ask RACF for!!
# Take a look at the "2>> $LOG". That means the error messages that really matter go to the $LOG file.
# From the stdout I will capture the value requested using "grep"
#
MAX_PWD_AGE=`ldapsearch -z 1 -h "$2" \
        -b "dc=$4,dc=intrabb,dc=bb,dc=com,dc=br" -x \
        -D "CN=$1,CN=Users,DC=$4,DC=intrabb,DC=bb,DC=com,DC=br" -w "$3" \
        -LLL maxPwdAge 2>> "$LOG" | grep maxPwdAge | head -1 | cut -f2 -d':'`
# Note: $? after a pipeline is the exit status of its last command (here: cut)
RET=$?
if [ "$MAX_PWD_AGE" = "" -o $RET -ne 0 ] ; then
        # If the variable is NULL or the return code of ldapsearch is not zero, some problem occurred ....
        ERR_AD=`tail -1 "$LOG" | grep ", data" | cut -d',' -f3 | awk '{print $2}'`
        echo "Return from ldapsearch=$RET - MAX_PWD_AGE=$MAX_PWD_AGE" >> "$LOG"
        echo "Err AD=$ERR_AD" >> "$LOG"

# Just for curiosity ....
## Error codes, for AD, extracted from: http://forum.java.sun.com/thread.jspa?threadID=703398&tstart=30
##Here is a list of Active Directory errors:
##525 - user not found (or account does not exist)
##52e - invalid credentials (username does exist but credentials/password are not correct)
##      credentials are the entire  -D args. Example:
##      If Einstein was -D "cn=einsten,cn=professor,dc=bb,dc=com,dc=br" and Einstein changed
##      to "cn=einstein,cn=cientist,..." so the error will be (I think) 52e (or maybe
##      just the password is wrong ;))
##530 - not permitted to logon at this time
##532 - password expired
##533 - account disabled
##701 - account expired
##773 - user must reset password
##775 - account locked out
        # .... doing the necessary things .....
fi
-------------------------- 8< ----------------------------------

        Hope this helps.
        BTW, I am subscribed in digest mode, so if you need more
information please CC me.

Regards.
---------------------------------------------------------
Ulisses de Sousa Penna
Analista Consultor - Banco do Brasil
Fone: +55-61-3310-6320   Fax: +55-61-3310-6435
---------------------------------------------------------
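
The following is an added example, not part of the original post: it isolates the two parsing steps the script relies on, extracting the AD sub-code after "data" from a bind error line and mapping it with the list quoted above, and goes one step further by converting a raw maxPwdAge value to days. The function names and the sample error line are constructed for illustration; it assumes AD's storage of maxPwdAge as a negative count of 100-nanosecond intervals.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the hex sub-code that follows "data" in an AD bind diagnostic line.
ad_subcode() {
    printf '%s\n' "$1" |
        sed -n 's/.*, data \([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' |
        tr 'A-F' 'a-f'
}

# Map a sub-code to its meaning, using the list quoted in the post.
ad_explain() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "invalid credentials" ;;
        530) echo "not permitted to logon at this time" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown sub-code"; return 1 ;;
    esac
}

# Convert a raw maxPwdAge value (negative count of 100 ns intervals) to days.
# Prints "never" for the two values AD uses for "passwords do not expire".
max_pwd_age_days() {
    raw=$(printf '%s' "$1" | tr -d ' \t\r')
    case "$raw" in
        0|-9223372036854775808) echo "never"; return 0 ;;
        -|-*[!0-9]*) return 1 ;;      # "-" alone, or non-digits after the sign
        -*) ;;                        # well-formed negative integer
        *) return 1 ;;                # positive or non-numeric: not a valid age
    esac
    echo $(( ${raw#-} / 864000000000 ))   # 86400 s/day * 10^7 intervals/s
}

# Constructed sample input, shaped like the stderr line the script greps for.
SAMPLE_ERR='additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece'
code=$(ad_subcode "$SAMPLE_ERR")
echo "sub-code $code: $(ad_explain "$code")"
echo "maxPwdAge -77760000000000 = $(max_pwd_age_days ' -77760000000000') days"
```
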

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
