On pe, 26 maalis 2021, Stephen Berg, Code 7309 via FreeIPA-users wrote:
Is there a way to use an ldapsearch to get the current value in the
password expiration field? I can quickly get a list of users but
haven't been able to find how to list password expiration for a
particular user using ldapsearch. It shows up from "ipa user-show
<user> --all" so I thought I'd be able to ldapsearch for it also.
You should be able to get the same over LDAP. In general, to map IPA CLI
output attributes to LDAP attributes, use the -show command with '--all --raw'
to see what attribute that is (krbPasswordExpiration) and ask for it.
A bit nicer approach is to use the param commands:
$ LANG=C ipa param-find user expiration
Name: krbprincipalexpiration
Type: datetime
Required: False
Label: Kerberos principal expiration
Name: krbpasswordexpiration
Type: datetime
Required: False
Label: User password expiration
----------------------------
Number of entries returned 2
----------------------------
So, there are two parameters with expiration mentioned in the name/label.
There is a pre-defined ACI that allows any authenticated user to read these
attributes:
aci: (targetattr = "krbcanonicalname || krblastpwdchange ||
krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration
|| krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter
= "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read
User Kerberos Attributes";allow (compare,read,search) userdn =
"ldap:///all";)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
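As an added example (not from the reply above or from FreeIPA's own code), a POSIX shell script that does what the reply describes: fetch krbPasswordExpiration for one uid with ldapsearch under a GSSAPI bind and report whether it has passed. It assumes a valid Kerberos ticket, uses the placeholder base DN dc=example,dc=test, escapes the uid before putting it in the filter, and falls back to a constructed sample LDIF when no server is reachable so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the thread. Base DN is a placeholder: set IPA_BASE_DN.
IPA_BASE_DN="${IPA_BASE_DN:-dc=example,dc=test}"

# Escape RFC 4515 filter metacharacters so a uid cannot alter the filter.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# -Y GSSAPI -Q binds with the caller's ticket; that is enough because the
# "System: Read User Kerberos Attributes" ACI grants read of this attribute to
# any authenticated user. -o ldif-wrap=no keeps each value on one line.
fetch_pwexp_ldif() {
    ldapsearch -Y GSSAPI -Q -LLL -o ldif-wrap=no \
        -b "cn=users,cn=accounts,$IPA_BASE_DN" \
        "(uid=$(ldap_filter_escape "$1"))" krbPasswordExpiration
}

# Pull the GeneralizedTime value (e.g. 20210426120000Z) out of LDIF on stdin.
pwexp_from_ldif() {
    sed -n 's/^krbPasswordExpiration: *//p' | head -n 1
}

# GeneralizedTime YYYYMMDDhhmmssZ -> ISO 8601 for the report line.
gentime_to_iso() {
    printf '%s\n' "$1" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)Z$/\1-\2-\3T\4:\5:\6Z/'
}

# Exit 0 if the expiration is in the past. Both values are fixed-width UTC, so
# string order equals chronological order. $2 overrides "now" (used by tests).
pw_expired() {
    now="${2:-$(date -u +%Y%m%d%H%M%SZ)}"
    [ "$(expr "$1" \< "$now")" = 1 ]
}

# Query the server; if that fails (no ldapsearch, no ticket, no network) use a
# constructed sample so the script still demonstrates the parsing.
report() {
    ldif=$(fetch_pwexp_ldif "$1" 2>/dev/null) || \
        ldif="dn: uid=$1,cn=users,cn=accounts,$IPA_BASE_DN
krbPasswordExpiration: 20210426120000Z"
    exp=$(printf '%s\n' "$ldif" | pwexp_from_ldif)
    [ -n "$exp" ] || { echo "$1: krbPasswordExpiration not readable or unset"; return 2; }
    if pw_expired "$exp"; then status=EXPIRED; else status=valid; fi
    echo "$1: password expiration $(gentime_to_iso "$exp") ($status)"
}

report "${1:-alice}"
```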