Rowland Penny
2017-Mar-26 18:53 UTC
[Samba] Users list and the date the password will expire
On Sun, 26 Mar 2017 14:32:53 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:
> as root:
>
> ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> msDS-UserPasswordExpiryTimeComputed
>
> search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> Operation unavailable without authentication> <>
>
> When I added `-U user%pass` it worked. I don't suppose there is a way
> to NOT specify the password? I'd rather not have to propagate the
> domain administrator's password among all the domain members (-N did
> not work).
>
> Thanks --Mark
>

Sorry, forgot about the required authentication, try it with '-P'
without '-U administrator'

Rowland

On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
>
> On Sun, 26 Mar 2017 14:32:53 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > as root:
> >
> > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > msDS-UserPasswordExpiryTimeComputed
> >
> > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > Operation unavailable without authentication> <>
> >
> > When I added `-U user%pass` it worked. I don't suppose there is a way
> > to NOT specify the password? I'd rather not have to propagate the
> > domain administrator's password among all the domain members (-N did
> > not work).
> >
> > Thanks --Mark
> >
>
> Sorry, forgot about the required authentication, try it with '-P'
> without '-U administrator'
>
> Rowland

Great! That did it. Final command:

expireTime=`ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed`

Thanks, --Mark

On Sun, 26 Mar 2017 19:31:48 -0400 Mark Foley wrote:
>
> On Sun, 26 Mar 2017 19:53:01 +0100 Rowland Penny wrote:
> >
> > On Sun, 26 Mar 2017 14:32:53 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > as root:
> > >
> > > ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -s sub
> > > "(&(sAMAccountType=805306368)(sAMAccountName=mark))"
> > > msDS-UserPasswordExpiryTimeComputed
> > >
> > > search error - LDAP error 1 LDAP_OPERATIONS_ERROR - <00002020:
> > > Operation unavailable without authentication> <>
> > >
> > > When I added `-U user%pass` it worked. I don't suppose there is a way
> > > to NOT specify the password? I'd rather not have to propagate the
> > > domain administrator's password among all the domain members (-N did
> > > not work).
> > >
> > > Thanks --Mark
> > >
> >
> > Sorry, forgot about the required authentication, try it with '-P'
> > without '-U administrator'
> >
> > Rowland
>
> Great! That did it. Final command:
>
> ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -P -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed
>

Not quite where I need to be. The above with the -P option works on the
domain member when logged in as root. I had planned on intercepting the
lightDM login program to incorporate this, but in fact I have no idea
what that is or where to find it.

So, next idea is to run a script when the user logs in to inform him/her
of a pending expiration. The -P option does not work for a non-root
user. I can get the info I need using -U id%pw, but again, I'd need to
have each user's password for this.

Is there a way a user can run ldbsearch ... without specifying a
password? Is ldbsearch the only way to get a user's expiryTime?

Thanks, --Mark
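
The attribute queried in this thread, msDS-UserPasswordExpiryTimeComputed, is returned as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), so the raw ldbsearch output still has to be converted before a login script can warn about a pending expiration. The following is an added example, not part of the original thread: shell functions that extract the value from LDIF and compute the days remaining. The sample LDIF, its DN, the function names and the 14-day threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: the LDIF below is constructed to imitate ldbsearch output.
SAMPLE_LDIF='# record 1
dn: CN=Example User,CN=Users,DC=example,DC=test
msDS-UserPasswordExpiryTimeComputed: 131361696000000000

# returned 1 records'

NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires
EPOCH_DIFF=11644473600      # seconds from 1601-01-01 to 1970-01-01 (UTC)

# Read LDIF on stdin, print the first expiry value found (digits only).
expiry_from_ldif() {
    sed -n 's/^msDS-UserPasswordExpiryTimeComputed: *\([0-9][0-9]*\).*$/\1/p' |
        head -n 1
}

# FILETIME (100 ns ticks since 1601) -> Unix epoch seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - $EPOCH_DIFF ))
}

# $1 = FILETIME, $2 = "now" in epoch seconds. Prints whole days left
# (division truncates toward zero) or a keyword for the special values.
days_until_expiry() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;      # attribute missing
        "$NEVER")    echo "never"; return 0 ;;
        0)           echo "must-change"; return 0 ;;  # pwdLastSet is 0
    esac
    echo $(( ($(filetime_to_epoch "$1") - $2) / 86400 ))
}

# LDIF on stdin; $1 = now (epoch), $2 = warning threshold in days.
# Real use (command from the thread):  ldbsearch ... | expiry_notice "$(date +%s)" 14
expiry_notice() {
    left=$(days_until_expiry "$(expiry_from_ldif)" "$1") ||
        { echo "expiry unknown"; return 1; }
    case "$left" in
        never)       return 0 ;;
        must-change) echo "Password must be changed now" ;;
        *) [ "$left" -le "$2" ] && echo "Password expires in $left day(s)"
           return 0 ;;
    esac
}

# Demo with the constructed sample; "now" fixed at 2017-03-26 00:00 UTC.
printf '%s\n' "$SAMPLE_LDIF" | expiry_notice 1490486400 14
```
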