On Fri, 27 Oct 2023 23:48:22 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> Hi Team,
>
> Is it possible to make a LDAP-query that returns whether an account
> is expired or not?
>
> I am aware that it is possible to do the maths against the
> "accountExpires" attribute, but that requires some scripting
> around the query.
>
> - Kees.
>
>
Would that it was so simple.
There is a flag 'ADS_UF_PASSWORD_EXPIRED' in the userAccountControl
attribute, but you would have to obtain the value from that attribute
and check if '8388608' is set, I am not sure if Samba uses this.
Windows has replaced the above with the aptly named
'ms-DS-User-Password-Expired' attribute which, as far as I can tell,
Samba knows nothing about.
So, you are left with a couple of options:
Check if the 'computed' attribute
'msDS-UserPasswordExpiryTimeComputed'
exists and if it does, turn that into a Unix date.
Or calculate the expiry time from the contents of the 'maxPwdAge' and
the account's 'pwdLastSet' attributes.
Rowland
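The "scripting around the query" that both messages refer to, written out as an added example (not code from the thread, Samba or Microsoft): it converts the AD/Samba FILETIME timestamps (100 ns ticks since 1601-01-01 UTC) in 'accountExpires', 'pwdLastSet' and 'msDS-UserPasswordExpiryTimeComputed' to Unix time, derives the password expiry from 'maxPwdAge' when the computed attribute is absent, and tests the 8388608 (0x800000) bit in 'userAccountControl'. It assumes the LDAP client hands back attribute values as strings in a dict, that 0 and 0x7FFFFFFFFFFFFFFF mean "never expires", that a 'pwdLastSet' of 0 means "must change at next logon", and it additionally honours the UF_DONT_EXPIRE_PASSWD bit (0x10000), which the thread does not mention. The sample entry and the 'now' value are constructed.

```python
import time

FILETIME_UNIX_OFFSET = 116444736000000000   # 100 ns ticks from 1601-01-01 to 1970-01-01 UTC
NEVER = 0x7FFFFFFFFFFFFFFF                  # AD sentinel meaning "never expires"
ADS_UF_PASSWORD_EXPIRED = 0x800000          # 8388608, the userAccountControl bit from the reply
UF_DONT_EXPIRE_PASSWD = 0x10000             # per-account "password never expires" (not in the thread)


def filetime_to_unix(ft):
    """Convert an AD FILETIME (100 ns since 1601) to Unix seconds; None for 0 or 'never'."""
    ft = int(ft)
    if ft <= 0 or ft == NEVER:
        return None
    return (ft - FILETIME_UNIX_OFFSET) // 10_000_000


def account_expires_at(entry):
    """Unix time at which the account expires (accountExpires), or None if it never does."""
    return filetime_to_unix(entry.get("accountExpires", "0"))


def password_expires_at(entry, max_pwd_age):
    """Unix time at which the password expires, from pwdLastSet and the domain's maxPwdAge.

    maxPwdAge is stored as a negative 100 ns interval; 0 or the most negative int64
    means passwords never expire.  pwdLastSet == 0 means "must change at next logon",
    which is reported as an expiry time of 0 (i.e. already expired).
    """
    max_pwd_age = int(max_pwd_age)
    if max_pwd_age in (0, -0x8000000000000000):
        return None
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    if pwd_last_set == 0:
        return 0
    return filetime_to_unix(pwd_last_set - max_pwd_age)   # subtracting a negative adds the age


def evaluate(entry, max_pwd_age, now=None):
    """Summarise the expiry state of one LDAP entry at time 'now' (Unix seconds)."""
    now = int(time.time()) if now is None else int(now)
    uac = int(entry.get("userAccountControl", "0"))

    acct_exp = account_expires_at(entry)

    computed = entry.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None:
        pwd_exp = filetime_to_unix(computed)          # prefer the server-computed value
    elif uac & UF_DONT_EXPIRE_PASSWD:
        pwd_exp = None
    else:
        pwd_exp = password_expires_at(entry, max_pwd_age)

    return {
        "account_expires": acct_exp,
        "account_expired": acct_exp is not None and acct_exp <= now,
        "password_expires": pwd_exp,
        "password_expired": (pwd_exp is not None and pwd_exp <= now)
                            or bool(uac & ADS_UF_PASSWORD_EXPIRED),
    }


# Constructed sample: pwdLastSet = 2023-10-01 00:00 UTC, accountExpires = 2024-01-01 00:00 UTC,
# plain enabled user (userAccountControl 512).  Domain maxPwdAge of 42 days.
SAMPLE_ENTRY = {
    "sAMAccountName": "jdoe",                   # constructed
    "accountExpires": "133485408000000000",
    "pwdLastSet": "133405920000000000",
    "userAccountControl": "512",
}
SAMPLE_MAX_PWD_AGE = "-36288000000000"          # -(42 * 86400 * 10_000_000)
SAMPLE_NOW = 1698443302                         # constructed: late October 2023 UTC

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_ENTRY, SAMPLE_MAX_PWD_AGE, now=SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

With Samba the same dict can be filled from `ldbsearch` or `samba-tool user show` output; 'maxPwdAge' is read once from the domain root object rather than per user, and the UAC bit is checked alongside the computed time because a server may set one without the other.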