I am new to the list, and I apologize if this question has been answered before.

I haven't done much programming for LDAP, though I have been managing directories for years. I am working with some developers, who a) aren't very imaginative, b) not very clever, and c) lazy. So I need to know how to get at the password information that says a password has expired, is about to expire, et al. I have tried to query for the attributes using ldapsearch that seem to be what I want, like passwordexpirationtime, but I get nothing back. They all figure I should know the magic incantation, since I know how to make the directory work, and usually that would be the case. This time I am stuck. Anyone solved this problem? I am running FDS 1.0.2, and 1.0.4. I get the same result in both. Any help would be great.

Did you make sure the account you log in with to do the ldapsearch has the right privilege (ACI) to retrieve the password attributes you want?

What programming language do you guys use to talk to the LDAP?

- dc

On Fri, Mar 7, 2008 at 12:17 AM, Legatus <lists@runyanrants.net> wrote:
> I am new to the list, and I apologize if this question has been answered before.
>
> I haven't done much programming for LDAP, though I have been managing directories for years. I am working with some developers, who a) aren't very imaginative, b) not very clever, and c) lazy. So I need to know how to get at the password information that says a password has expired, is about to expire, et al. I have tried to query for the attributes using ldapsearch that seem to be what I want, like passwordexpirationtime, but I get nothing back. They all figure I should know the magic incantation, since I know how to make the directory work, and usually that would be the case. This time I am stuck. Anyone solved this problem? I am running FDS 1.0.2, and 1.0.4. I get the same result in both. Any help would be great.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Legatus wrote:
> I am new to the list, and I apologize if this question has been answered before.
>
> I haven't done much programming for LDAP, though I have been managing directories for years. I am working with some developers, who a) aren't very imaginative, b) not very clever, and c) lazy. So I need to know how to get at the password information that says a password has expired, is about to expire, et al. I have tried to query for the attributes using ldapsearch that seem to be what I want, like passwordexpirationtime, but I get nothing back.

Can you post your exact ldapsearch command line? Note that passwordexpirationtime and other password attributes in user entries are operational attributes - this means they are not retrieved by default with an LDAP search but must be explicitly listed in the list of attributes to retrieve.

> They all figure I should know the magic incantation, since I know how to make the directory work, and usually that would be the case. This time I am stuck. Anyone solved this problem? I am running FDS 1.0.2, and 1.0.4. I get the same result in both. Any help would be great.

I have tried with this search, and also using the userid that I am requesting the information from. So "uid=me,ou=people,dc=mydc" to get info on "uid=me,ou=people,dc=mydc"

ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' -w <password> "objectclass=*" attrs="passwordExpWarned passwordExpirationTime"

On Fri, Mar 7, 2008 at 9:39 AM, Rich Megginson <rmeggins@redhat.com> wrote:
> Can you post your exact ldapsearch command line? Note that passwordexpirationtime and other password attributes in user entries are operational attributes - this means they are not retrieved by default with an LDAP search but must be explicitly listed in the list of attributes to retrieve.

I have used just command line tools. The developers are using Java.

On Fri, Mar 7, 2008 at 8:55 AM, Chun Tat David Chu <beyonddc.storage@gmail.com> wrote:
> Did you make sure the account you log in with to do the ldapsearch has the right privilege (ACI) to retrieve the password attributes you want?
>
> What programming language do you guys use to talk to the LDAP?
>
> - dc

Legatus wrote:
> I have tried with this search, and also using the userid that I am requesting the information from. So "uid=me,ou=people,dc=mydc" to get info on "uid=me,ou=people,dc=mydc"
>
> ldapsearch -x -b 'ou=people,dc=mydc' -s sub -D 'cn=directory manager' -w <password> "objectclass=*" attrs="passwordExpWarned passwordExpirationTime"

Don't use attrs="..." Just specify them on the command line -

    ... "objectclass=*" passwordExpWarned passwordExpirationTime

If you want all regular attributes plus the additional operational attributes, use "*" e.g.

    ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime

    ldapsearch --help
    ...
    usage: ldapsearch [options] [filter [attributes...]]
    where:
      filter        RFC-2254 compliant LDAP search filter
      attributes    whitespace-separated list of attribute descriptions

Note that OpenLDAP has a special attribute called "+" but this is not supported by Fedora DS.

I did that. I know I have done that in the past. I see on one account the passwordExpWarned, I don't see passwordExpirationTime. We need to be able to give users warnings that the password will expire in N days. Am I looking in the wrong place, or is there a setting I haven't set? I set up a policy that is supposed to expire passwords, and warn users.

On Fri, Mar 7, 2008 at 11:17 AM, Rich Megginson <rmeggins@redhat.com> wrote:
> Don't use attrs="..." Just specify them on the command line -
>     ... "objectclass=*" passwordExpWarned passwordExpirationTime
> If you want all regular attributes plus the additional operational attributes, use "*" e.g.
>     ldapsearch .... "objectclass=*" \* passwordExpWarned passwordExpirationTime
>     ldapsearch --help
>     ...
>     usage: ldapsearch [options] [filter [attributes...]]
>     where:
>       filter        RFC-2254 compliant LDAP search filter
>       attributes    whitespace-separated list of attribute descriptions
>
> Note that OpenLDAP has a special attribute called "+" but this is not supported by Fedora DS.

Legatus wrote:
> I did that. I know I have done that in the past. I see on one account the passwordExpWarned, I don't see passwordExpirationTime. We need to be able to give users warnings that the password will expire in N days. Am I looking in the wrong place, or is there a setting I haven't set? I set up a policy that is supposed to expire passwords, and warn users.

One thing is that a user who has not had his/her password changed since password expiration was enabled will not have the passwordExpirationTime attribute in his/her entry, but you could add it manually.

Another thing - I'm not sure how it is possible that a user could have the passwordExpWarned but not the passwordExpirationTime attribute. Just looking at the code, everywhere it sets passwordExpWarned it also sets passwordExpirationTime.

I started with an existing database (Example.ldif)
I then enabled password expiration - ldapsearch showed no passwordExpWarned nor passwordExpirationTime
Then, as directory manager, I used ldapmodify to modify a user's password - the search showed this:

    ldapsearch -D "cn=directory manager" ... "uid=scarter" passwordExpirationTime passwordExpWarned
    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: uid=scarter
    # requesting: passwordExpirationTime passwordExpWarned
    #

    # scarter, People, example.com
    dn: uid=scarter, ou=People, dc=example,dc=com
    passwordExpirationTime: 20080615185146Z
    passwordExpWarned: 0

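An added example, not part of the original thread: a Python script that reads ldapsearch LDIF output like the sample above, sorts entries into expired, warn and ok, and reports entries that have no passwordExpirationTime at all (the case described above for users whose password has not changed since expiration was enabled). The function names, the 14-day warning window and the sample entries other than uid=scarter are assumptions made for the illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the ldapsearch output quoted above.
# uid=newhire and uid=olduser are made-up entries: the first has no
# passwordExpirationTime, the second has one that is already in the past.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: objectclass=*
# requesting: passwordExpirationTime passwordExpWarned
#

# scarter, People, example.com
dn: uid=scarter, ou=People, dc=example,dc=com
passwordExpirationTime: 20080615185146Z
passwordExpWarned: 0

dn: uid=newhire, ou=People, dc=example,dc=com

dn: uid=olduser, ou=People, dc=example,dc=com
passwordExpirationTime: 20080301000000Z
passwordExpWarned: 1

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # unfold a wrapped line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:         # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):     # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form shown in the thread; None if it does not match."""
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def classify(record, now, warn_days):
    """Return (status, whole days remaining or None) for one record."""
    values = record.get("passwordexpirationtime")
    if not values:
        return ("no-expiration-time", None)
    expires = parse_generalized_time(values[0])
    if expires is None:
        return ("unparseable", None)
    remaining = expires - now
    if remaining <= timedelta(0):
        return ("expired", remaining.days)
    if remaining <= timedelta(days=warn_days):
        return ("warn", remaining.days)
    return ("ok", remaining.days)


def expiry_report(ldif_text, now, warn_days=14):
    """Map each entry's DN to its (status, days) pair."""
    report = {}
    for record in parse_ldif(ldif_text):
        if "dn" not in record:        # e.g. the trailing "search:/result:" block
            continue
        report[record["dn"][0]] = classify(record, now, warn_days)
    return report


if __name__ == "__main__":
    # Fixed "now" so the output is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2008, 6, 5, tzinfo=timezone.utc)
    for dn, (status, days) in expiry_report(SAMPLE_LDIF, now).items():
        print(f"{status:20} {days!s:>5}  {dn}")
```

In a real run the LDIF would come from an ldapsearch that names passwordExpirationTime and passwordExpWarned explicitly, bound as an account whose ACIs allow reading them.
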
On Fri, Mar 7, 2008 at 1:18 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> Legatus wrote:
> > I did that. I know I have done that in the past. I see on one account the passwordExpWarned, I don't see passwordExpirationTime. We need to be able to give users warnings that the password will expire in N days. Am I looking in the wrong place, or is there a setting I haven't set? I set up a policy that is supposed to expire passwords, and warn users.
> One thing is that a user who has not had his/her password changed since password expiration was enabled will not have the passwordExpirationTime attribute in his/her entry, but you could add it manually.
>
> Another thing - I'm not sure how it is possible that a user could have the passwordExpWarned but not the passwordExpirationTime attribute. Just looking at the code, everywhere it sets passwordExpWarned it also sets passwordExpirationTime.

That is why I am confused. I thought that was how it was supposed to work.

Legatus wrote:
> That is why I am confused. I thought that was how it was supposed to work.

If you update the password, do both attributes appear?

Okay, I have been trying a lot of different things, and I don't see what I need to see. Let me try a slightly different question. Can someone post a working solution that includes password expiration and warnings in their application? Can they post OS and version, Fedora DS version, and the method that they use for detecting expired, and nearly expired passwords? Any configuration settings required?

Thanks for the help so far,

On Fri, Mar 7, 2008 at 4:30 PM, Rich Megginson <rmeggins@redhat.com> wrote:
> If you update the password, do both attributes appear?

Ryan Braun [ADS]
2008-Mar-14 12:58 UTC
Re: Fwd: [Fedora-directory-users] Password Warnings
I've attached a script we were using on our old operational OpenLDAP servers. I haven't updated it much since we started running FDS, but it should give you some ideas on how to find out if users' passwords are expiring.

Basically, we just run it from cron nightly and it will email each user whose password expiry is within their shadowWarning threshold, then email the admin all the users that are within their threshold.

Ryan

On Friday 14 March 2008 05:55, Legatus wrote:
> Okay, I have been trying a lot of different things, and I don't see what I need to see. Let me try a slightly different question. Can someone post a working solution that includes password expiration and warnings in their application? Can they post OS and version, Fedora DS version, and the method that they use for detecting expired, and nearly expired passwords? Any configuration settings required?
>
> Thanks for the help so far,