Hi,
I finally found where the password expiration data are located. If I do a database export from the GUI, I can see the entry:
***
dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu
modifyTimestamp: 20051109200121Z
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
passwordMaxAge: 864000000
passwordWarning: 0
passwordMinAge: 0
passwordExp: on
passwordGraceLimit: 0
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top
cn: cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20051109200121Z
nsUniqueId: 97b5d182-1dd111b2-80f8db9c-cc6f0000
***
However, if I ldapsearch -b 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu'
I'm not getting any subentries:
***
# extended LDIF
#
# LDAPv3
# base <cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 0 Success
***
I've tried connecting both as "cn=Manager" and "uid=admin".
Is there a way to access these data programmatically using ldapsearch?
Thanks, Simon
Those attributes are operational, so you must explicitly ask for them on the ldapsearch command line e.g. ldapsearch -b 'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu' passwordMaxAge passwordWarning passwordMinAge passwordExp passwordGraceLimit
In addition, ldapsubentry objects are hidden from normal searches. You must explicitly request objects of this type by adding the (objectclass=ldapsubentry) to your search filter e.g. '(|(objectclass=*)(objectclass=ldapsubentry))' to get all regular entries and sub entries, or just '(objectclass=ldapsubentry)' to get only the sub entry objects.
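As an added example (my code, not code from this thread or from the Fedora Directory Server project): a small Python script that builds the ldapsearch invocation Rich describes, with the subentry filter and the operational attributes named explicitly, and reads the resulting LDIF, including the folded continuation line that appears as "o=netscaperoo t" in the export quoted above. The host URL, bind DN, helper names and the sample LDIF are constructed for the example; the second filter is the one Simon reports needing later in the thread.

```python
"""Added example, not code from the thread or from Fedora Directory Server:
build the ldapsearch call Rich describes and parse its LDIF output.
Assumed (not from the thread): the helper names, the host URL, and that
ldapsearch is the OpenLDAP client, whose output is LDIF."""
import subprocess
from typing import Dict, List

# Filters from the thread: Rich's (regular entries plus subentries) and the
# one Simon reports needing later in the thread.
FILTER_ALL_PLUS_SUBENTRIES = "(|(objectclass=*)(objectclass=ldapsubentry))"
FILTER_POLICY_ONLY = "(|(objectclass=ldapsubentry)(objectclass=passwordpolicy))"

# Operational attributes are not returned by default; they must be listed.
POLICY_ATTRS = ["passwordMaxAge", "passwordWarning", "passwordMinAge",
                "passwordExp", "passwordGraceLimit"]


def ldapsearch_argv(base_dn: str, bind_dn: str,
                    ldap_filter: str = FILTER_POLICY_ONLY,
                    host: str = "ldap://localhost:389") -> List[str]:
    """argv for ldapsearch: explicit filter followed by the attribute list.
    -LLL drops the '# extended LDIF' comment lines; -W prompts for the password
    rather than taking it on the command line, where ps would expose it."""
    return (["ldapsearch", "-LLL", "-x", "-H", host, "-D", bind_dn, "-W",
             "-b", base_dn, "-s", "sub", ldap_filter] + POLICY_ATTRS)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader. Entries are separated by blank lines, a line that
    starts with one space continues the previous line (that folding is why the
    export shows 'o=netscaperoo' followed by 't'), comments start with '#',
    and an attribute may appear several times (objectClass does)."""
    entries: List[Dict[str, List[str]]] = []
    pending: List[str] = []

    def flush() -> None:
        if pending:
            entry: Dict[str, List[str]] = {}
            for line in pending:
                name, _, value = line.partition(":")
                entry.setdefault(name.strip().lower(), []).append(value.strip())
            entries.append(entry)
            pending.clear()

    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                      # comment line from ldapsearch
        if raw == "":
            flush()                       # blank line ends an entry
        elif raw.startswith(" ") and pending:
            pending[-1] += raw[1:]        # unfold continuation line
        else:
            pending.append(raw)
    flush()
    return entries


def policy_entries(entries: List[Dict[str, List[str]]]) -> List[Dict[str, List[str]]]:
    """Keep only entries carrying the passwordpolicy object class."""
    return [e for e in entries
            if "passwordpolicy" in (v.lower() for v in e.get("objectclass", []))]


# Constructed sample modelled on the export quoted in the thread, folded line included.
SAMPLE_LDIF = """\
dn: cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
 t
passwordMaxAge: 864000000
passwordWarning: 0
passwordMinAge: 0
passwordExp: on
passwordGraceLimit: 0
objectClass: ldapsubentry
objectClass: passwordpolicy
objectClass: top

dn: uid=ilyush,ou=People,dc=cshl,dc=edu
objectClass: inetOrgPerson
uid: ilyush
"""


def query_policies(base_dn: str, bind_dn: str) -> List[Dict[str, List[str]]]:
    """Run the real search (needs a live server; not exercised offline)."""
    out = subprocess.run(ldapsearch_argv(base_dn, bind_dn), check=True,
                         capture_output=True, text=True).stdout
    return policy_entries(parse_ldif(out))


if __name__ == "__main__":
    for policy in policy_entries(parse_ldif(SAMPLE_LDIF)):
        print(policy["dn"][0], {a: policy.get(a.lower()) for a in POLICY_ATTRS})
```

The point of the two lists at the top is that both halves of Rich's answer are needed together: the filter makes the hidden subentry visible, and the attribute list makes the server return the operational attributes on it. Leaving either out reproduces the empty "result: 0 Success" seen above.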
Rich,
Thanks - I can see them now.
However, now I have questions about the semantics of password expiration. The NIS+ tables store the account (not password) expiration date as the absolute day number (from year 0). I'm trying to replicate these data in FDS.
1. First of all, I'm not sure that the password expiration feature does the same thing. When the password expires, will the user be prompted to change it or will he be locked out?
2. Second, I can't even test it, because I can't seem to force an expiration. The passwordMaxAge attribute is the number of days after which the password will expire. Well, it's the number of days *since when*? Since today? How is it updated then as the time goes by? Or since the first logon? Where is it stored then?
I am truly missing something. The admin guide does not make it clear.
Thanks, Simon
Vsevolod (Simon) Ilyushchenko wrote:
Rich,
Thanks - I can see them now.
However, now I have questions about the semantics of password expiration. The NIS+ tables store the account (not password) expiration date as the absolute day number (from year 0). I'm trying to replicate these data in FDS.
- First of all, I'm not sure that the password expiration feature does the same thing. When the password expires, will the user be prompted to change it or will he be locked out?
It really depends on the application. I think FDS will send back some response controls related to password expiration. FDS also allows a configurable number of "grace logins" to allow the user to log in specifically for the purpose of changing the password.
- Second, I can't even test it, because I can't seem to force an expiration. The passwordMaxAge attribute is the number of days after which the password will expire. Well, it's the number of days *since when*? Since today? How is it updated then as the time goes by? Or since the first logon? Where is it stored then?
I think the console uses a minimum of 1 day, but in LDAP you can go down to the second, so that might make it easier to test. passwordMaxAge is the age since the password was created or last modified.
I am truly missing something. The admin guide does not make it clear.
Thanks, Simon
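As an added example (my code, not code from this thread or from the Fedora Directory Server project): a Python script that applies Rich's description of passwordMaxAge, the age counted from when the password was created or last changed, to decide whether a password is fresh, inside its warning window, or expired, and that emits the LDIF an ldapmodify would take to shorten the policy for a test. It assumes passwordMaxAge and passwordWarning are in seconds, which is the unit FDS/389 DS uses (the 864000000 in the export is 10,000 days), that the caller supplies the password's last-change time in LDAP generalized time (the format of the thread's modifyTimestamp values), and the helper names are mine.

```python
"""Added example, not code from the thread or from Fedora Directory Server:
apply Rich's description of passwordMaxAge (age counted from the password's
creation or last change) to decide whether a password is fresh, in its warning
window, or expired, and emit the LDIF that shortens the policy for a test.
Assumed (not from the thread): passwordMaxAge and passwordWarning are in
seconds, which is the FDS/389 DS unit (the export's 864000000 is 10,000 days);
the caller supplies the last-change time in LDAP generalized time, the format
of the thread's modifyTimestamp values; the helper names are mine."""
from datetime import datetime, timedelta, timezone
from typing import Dict

# The values from the policy subentry in the thread, as a plain dict.
EXPORTED_POLICY: Dict[str, str] = {
    "passwordMaxAge": "864000000", "passwordWarning": "0", "passwordMinAge": "0",
    "passwordExp": "on", "passwordGraceLimit": "0",
}


def parse_generalized_time(value: str) -> datetime:
    """LDAP generalized time as the server writes it: YYYYMMDDHHMMSSZ, UTC."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unexpected generalized time: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(policy: Dict[str, str], last_changed: str, now: datetime) -> dict:
    """Classify a password under a policy: 'no-expiry' when passwordExp is off,
    else 'ok', 'warning' (inside the passwordWarning window) or 'expired'.
    grace_logins is the passwordGraceLimit, i.e. how many binds an expired
    password may still perform so the user can change it; 0 means none."""
    if policy.get("passwordExp", "off").lower() != "on":
        return {"state": "no-expiry", "expires_at": None, "seconds_left": None,
                "grace_logins": 0}
    changed = parse_generalized_time(last_changed)
    expires_at = changed + timedelta(seconds=int(policy["passwordMaxAge"]))
    warning = int(policy.get("passwordWarning", "0"))
    seconds_left = int((expires_at - now).total_seconds())
    if seconds_left <= 0:
        state = "expired"
    elif seconds_left <= warning:
        state = "warning"
    else:
        state = "ok"
    return {"state": state, "expires_at": expires_at, "seconds_left": seconds_left,
            "grace_logins": int(policy.get("passwordGraceLimit", "0"))}


def ldif_set_max_age(policy_dn: str, seconds: int) -> str:
    """LDIF for ldapmodify that replaces passwordMaxAge on the policy subentry.
    Rich notes the console stops at one day but LDAP accepts seconds, so a
    small value here lets an expiration be provoked within a test session."""
    if seconds < 1:
        raise ValueError("passwordMaxAge must be a positive number of seconds")
    return (f"dn: {policy_dn}\nchangetype: modify\n"
            f"replace: passwordMaxAge\npasswordMaxAge: {seconds}\n")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(password_state(EXPORTED_POLICY, "20051109200121Z", now))
    print(ldif_set_max_age(
        'cn="cn=nsPwPolicyEntry,uid=ilyush,ou=People,dc=cshl,dc=edu",'
        'cn=nsPwPolicyContainer,ou=People,dc=cshl,dc=edu', 120))
```

With the exported policy (passwordWarning 0, passwordGraceLimit 0) there is no warning window and no grace bind, so a user whose password ages past passwordMaxAge goes straight from "ok" to "expired"; giving passwordWarning and passwordGraceLimit non-zero values is what makes the "prompted to change it" behaviour Simon asks about possible for applications that honour the server's expiration controls.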
Hi,
For future reference, I have to use the filter "(|(objectclass=ldapsubentry)(objectclass=passwordpolicy))", not just "(objectclass=ldapsubentry)".
Simon
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users