Vsevolod (Simon) Ilyushchenko
2005-Nov-09 23:01 UTC
[Fedora-directory-users] How to ldapsearch password expiration data?
Hi, I finally found where the password expiration data are located. If I do a database export from the GUI, I can see the entry: *** dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu modifyTimestamp: 20051109200121Z modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo t passwordMaxAge: 864000000 passwordWarning: 0 passwordMinAge: 0 passwordExp: on passwordGraceLimit: 0 objectClass: ldapsubentry objectClass: passwordpolicy objectClass: top cn: cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot createTimestamp: 20051109200121Z nsUniqueId: 97b5d182-1dd111b2-80f8db9c-cc6f0000 *** However, if I ldapsearch -b ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' I''m not getting any subentries: *** # extended LDIF # # LDAPv3 # base <cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu> with scope sub # filter: (objectclass=*) # requesting: ALL # # search result search: 3 result: 0 Success *** I''ve tried connecting both as "cn=Manager" and "uid=admin". Is there a way to access these data programmatically using ldapsearch? Thanks, Simon -- Simon (Vsevolod ILyushchenko) simonf@cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson
Richard Megginson
2005-Nov-09 23:18 UTC
Re: [Fedora-directory-users] How to ldapsearch password expiration data?
Those attributes are operational, so you must explicitly ask for them on the ldapsearch command line e.g. ldapsearch -b ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' passwordMaxAge passwordWarning passwordMinAge passwordExp passwordGraceLimit In addition, ldapsubentry objects are hidden from normal searches. You must explicitly request objects of this type by adding the (objectclass=ldapsubentry) to your search filter e.g. ''(|(objectclass=*)(objectclass=ldapsubentry))'' to get all regular entries and sub entries, or just ''(objectclass=ldapsubentry)'' to get only the sub entry objects. Vsevolod (Simon) Ilyushchenko wrote:> Hi, > > I finally found where the password expiration data are located. If I > do a database export from the GUI, I can see the entry: > > *** > dn: > cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu > > modifyTimestamp: 20051109200121Z > modifiersName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo > t > passwordMaxAge: 864000000 > passwordWarning: 0 > passwordMinAge: 0 > passwordExp: on > passwordGraceLimit: 0 > objectClass: ldapsubentry > objectClass: passwordpolicy > objectClass: top > cn: cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu > creatorsName: > uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot > createTimestamp: 20051109200121Z > nsUniqueId: 97b5d182-1dd111b2-80f8db9c-cc6f0000 > *** > > However, if I ldapsearch -b > ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' > > > I''m not getting any subentries: > > *** > # extended LDIF > # > # LDAPv3 > # base > <cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu> > with scope sub > # filter: (objectclass=*) > # requesting: ALL > # > > # search result > search: 3 > result: 0 Success > *** > > I''ve tried connecting both as "cn=Manager" and "uid=admin". > > Is there a way to access these data programmatically using ldapsearch? > > Thanks, > Simon >
Vsevolod (Simon) Ilyushchenko
2005-Nov-10 17:05 UTC
Re: [Fedora-directory-users] How to ldapsearch password expiration data?
Rich, Thanks - I can see them now. However, now I have questions about the semantics of password expiration. The NIS+ tables store the account (not password) expiration date as the absolute day number (from year 0). I''m trying to replicate these data in FDS. 1. First of all, I''m not sure that the password expiration feature does the same thing. When the password expires, will the user be prompted to change it or will he be locked out? 2. Second, I can''t even test it, because I can''t seem to force an expiration. The passwordMaxAge attribute is the number of days after which the password will expire. Well, it''s the number of days *since when*? Since today? How is it updated then as the time goes by? Or since the first logon? Where is it stored then? I am truly missing something. The admin guide does not make it clear. Thanks, Simon Richard Megginson wrote on 11/09/2005 06:18 PM:> Those attributes are operational, so you must explicitly ask for them on > the ldapsearch command line e.g. > ldapsearch -b > ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' > passwordMaxAge passwordWarning passwordMinAge passwordExp > passwordGraceLimit > > In addition, ldapsubentry objects are hidden from normal searches. You > must explicitly request objects of this type by adding the > (objectclass=ldapsubentry) to your search filter e.g. > ''(|(objectclass=*)(objectclass=ldapsubentry))'' > to get all regular entries and sub entries, or just > ''(objectclass=ldapsubentry)'' > to get only the sub entry objects.-- Simon (Vsevolod ILyushchenko) simonf@cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson
Richard Megginson
2005-Nov-11 03:57 UTC
Re: [Fedora-directory-users] How to ldapsearch password expiration data?
Vsevolod (Simon) Ilyushchenko wrote:> Rich, > > Thanks - I can see them now. > > However, now I have questions about the semantics of password > expiration. The NIS+ tables store the account (not password) > expiration date as the absolute day number (from year 0). I''m trying > to replicate these data in FDS. > > 1. First of all, I''m not sure that the password expiration feature > does the same thing. When the password expires, will the user be > prompted to change it or will he be locked out?It really depends on the application. I think FDS will send back some response controls related to password expiration. FDS also allows a configurable number of "grace logins" to allow the user to login specifically for the purpose of changing the password.> > 2. Second, I can''t even test it, because I can''t seem to force an > expiration. The passwordMaxAge attribute is the number of days after > which the password will expire. Well, it''s the number of days *since > when*? Since today? How is it updated then as the time goes by? Or > since the first logon? Where is it stored then?I think the console uses a minimum of 1 day, but in LDAP you can go down to the second, so that might make it easier to test. passwordMaxAge is the age since the password was created or last modified.> > I am truly missing something. The admin guide does not make it clear. > > Thanks, > Simon > > Richard Megginson wrote on 11/09/2005 06:18 PM: > >> Those attributes are operational, so you must explicitly ask for them >> on the ldapsearch command line e.g. >> ldapsearch -b >> ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' >> passwordMaxAge passwordWarning passwordMinAge passwordExp >> passwordGraceLimit >> >> In addition, ldapsubentry objects are hidden from normal searches. >> You must explicitly request objects of this type by adding the >> (objectclass=ldapsubentry) to your search filter e.g. >> ''(|(objectclass=*)(objectclass=ldapsubentry))'' >> to get all regular entries and sub entries, or just >> ''(objectclass=ldapsubentry)'' >> to get only the sub entry objects. > >
Vsevolod (Simon) Ilyushchenko
2005-Dec-06 18:31 UTC
Re: [Fedora-directory-users] How to ldapsearch password expiration data?
Hi, For future reference, I have to use the filter "(|(objectclass=ldapsubentry)(objectclass=passwordpolicy))", not just "(objectclass=ldapsubentry)". Simon Richard Megginson wrote on 11/09/2005 06:18 PM:> Those attributes are operational, so you must explicitly ask for them on > the ldapsearch command line e.g. > ldapsearch -b > ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' > passwordMaxAge passwordWarning passwordMinAge passwordExp > passwordGraceLimit > > In addition, ldapsubentry objects are hidden from normal searches. You > must explicitly request objects of this type by adding the > (objectclass=ldapsubentry) to your search filter e.g. > ''(|(objectclass=*)(objectclass=ldapsubentry))'' > to get all regular entries and sub entries, or just > ''(objectclass=ldapsubentry)'' > to get only the sub entry objects. > > Vsevolod (Simon) Ilyushchenko wrote: > >> Hi, >> >> I finally found where the password expiration data are located. If I >> do a database export from the GUI, I can see the entry: >> >> *** >> dn: >> cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu >> >> modifyTimestamp: 20051109200121Z >> modifiersName: >> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo >> t >> passwordMaxAge: 864000000 >> passwordWarning: 0 >> passwordMinAge: 0 >> passwordExp: on >> passwordGraceLimit: 0 >> objectClass: ldapsubentry >> objectClass: passwordpolicy >> objectClass: top >> cn: cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu >> creatorsName: >> uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot >> createTimestamp: 20051109200121Z >> nsUniqueId: 97b5d182-1dd111b2-80f8db9c-cc6f0000 >> *** >> >> However, if I ldapsearch -b >> ''cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'' >> >> >> I''m not getting any subentries: >> >> *** >> # extended LDIF >> # >> # LDAPv3 >> # base >> <cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu> >> with scope sub >> # filter: (objectclass=*) >> # requesting: ALL >> # >> >> # search result >> search: 3 >> result: 0 Success >> *** >> >> I''ve tried connecting both as "cn=Manager" and "uid=admin". >> >> Is there a way to access these data programmatically using ldapsearch? >> >> Thanks, >> Simon >> > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users-- Simon (Vsevolod ILyushchenko) simonf@cshl.edu http://www.simonf.com "Think like a man of action, act like a man of thought." Henri Bergson