On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
Is there any way to obtain the users with expired/expiring password?

I have activated the password policy, making the password expire
after X days, and warn them after X-10 days. Now, I want to create a
cron job to send an email to users warning them about their password
expiration. I know I can get that information about the user who is
binding, but not for the users obtained from a search.

Filters are your friend.

To select passwords that have expired since midnight, you would use the following filter (using today's date Feb 28 2011):
"(passwordexpirationtime<=20110228000000Z)"

To select users with passwords expiring in the next 10 days (passwords expire between today at midnight AND Mar. 10 at midnight):
"(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z))"

You may need to add additional filter terms as well. The script that we use also filters out (excludes) inactive accounts (since we don't delete accounts from our directory.) Inactivated accounts in our directory all belong to a single group (and we have the group memberof plugin enabled):
"(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(! (memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"

Depending on how your directory is designed, it might make more sense to eliminate users with the nsaccountlock attribute set to true:
"(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(! (nsaccountlock=true))))"
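
A cron job has to recompute the dates in these filters on every run. The following is an added example, not part of the original message: it builds the expired and expiring-window filters from the current time and escapes the group DN per RFC 4515. The function names are hypothetical; the attribute names are the ones used in the thread.

```python
from datetime import datetime, timedelta, timezone

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape a string (e.g. a group DN) for use as a filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def midnight_utc(moment):
    """Truncate a timezone-aware datetime to 00:00:00 UTC of the same UTC day."""
    utc = moment.astimezone(timezone.utc)
    return utc.replace(hour=0, minute=0, second=0, microsecond=0)

def gtime(moment):
    """Format as LDAP GeneralizedTime in UTC, e.g. 20110228000000Z."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def exclusions(inactive_group_dn=None, skip_locked=False):
    """Optional terms that drop inactive or locked accounts from the result."""
    terms = []
    if inactive_group_dn:
        terms.append("(!(memberOf=%s))" % escape_value(inactive_group_dn))
    if skip_locked:
        terms.append("(!(nsaccountlock=true))")
    return terms

def expired_filter(now, **excl):
    """Entries whose password expired at or before today's UTC midnight."""
    terms = ["(passwordexpirationtime<=%s)" % gtime(midnight_utc(now))]
    terms += exclusions(**excl)
    return terms[0] if len(terms) == 1 else "(&%s)" % "".join(terms)

def expiring_filter(now, days=10, **excl):
    """Entries whose password expires within [midnight today, midnight + days]."""
    start = midnight_utc(now)
    end = start + timedelta(days=days)
    terms = ["(passwordexpirationtime>=%s)" % gtime(start),
             "(passwordexpirationtime<=%s)" % gtime(end)]
    return "(&%s)" % "".join(terms + exclusions(**excl))

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(expired_filter(now, skip_locked=True))
    print(expiring_filter(now, days=10, skip_locked=True))
```

The printed strings can be passed as the filter argument of the search the cron job runs; the lower bound of the window must use `>=` and the upper bound `<=`, otherwise the two terms can never match the same entry.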