topic Re: Query ldap user password aging details in Operating System - Linux

Query ldap user password aging details

skt_skt — Tue, 19 May 2009 23:50:18 GMT

RHEL as servers with 2.4 and 2.6 kerenel

I am looking to find the last password change for an ldap user. How can i query that in ldap?

I always use getprpw or chage which is not useful in this context.

Re: Query ldap user password aging details

kevin_m — Wed, 20 May 2009 11:44:06 GMT

One of my colleagues set this up in HP-UX using a 3rd party tool.
http://docs.sun.com/source/816-6400-10/lsearch.html
Allegedly it works for Red Hat as well but we haven't implemented LDAP authentication on Linux. Attached are some excerpts from a script (again, HP-UX) to obtain the password change date.

- Kevin

Re: Query ldap user password aging details

Ivan Ferreira — Wed, 20 May 2009 13:26:44 GMT

I would use for example:

ldapsearch -x -D "cn=Directory Manager" -b dc=domain,dc=com -H ldaps://server.domain.com -W objectclass=posixAccount shadowLastChange

Ensure to specify a BIND DN with enough privileges to read the attributes.

Then you can convert to localtime using perl the returned value:

perl -e 'print scalar localtime(12011),"\n"'

Re: Query ldap user password aging details

Ivan Ferreira — Wed, 20 May 2009 13:33:22 GMT

Remember that the user object must have the shadowAccount objectclass.

Re: Query ldap user password aging details

Heironimus — Wed, 20 May 2009 17:30:58 GMT

If you're using pam_ldap for authentication (as you should be) then everything is based on the LDAP password and you'll want to check how your LDAP server stores that metadata.

Re: Query ldap user password aging details

Ivan Ferreira — Wed, 20 May 2009 17:32:48 GMT

Your query returned an posixGroup object.

Change your query to:

ldapsearch -x -ZZ -LLL -b dc=xxxx,dc=com objectClass=posixAccount

Re: Query ldap user password aging details

Andrea Rossi — Thu, 21 May 2009 06:38:45 GMT

Hi
whatever the db is (passwd, ldap, etc) the native samba command is:
pdbedit -P "minimum password age"
(see man pages for detail)

Re: Query ldap user password aging details

Ivan Ferreira — Thu, 21 May 2009 12:57:12 GMT

What do you get if you run?:

ldapsearch -x -ZZ -LLL -b dc=alcoa.com,dc=com objectClass=*

You should see all your objects. Do you already have uses created?

Re: Query ldap user password aging details

Ivan Ferreira — Thu, 21 May 2009 19:14:33 GMT

Your base search is not correct, it should be:

ldapsearch -x -ZZ -LLL -b dc=alcoa,dc=com objectClass=*

I told you to run the wrong command before, the dc=alcoa.com should be dc=alcoa,dc=com.

Re: Query ldap user password aging details

Ivan Ferreira — Fri, 22 May 2009 14:28:22 GMT

>>> as i can see shadowLastChange is there for some account not for all. am i right?

This is because, just some of the accounts, have the shadowAccount objectclass on it. Your user creation tool should allow you to specify this.

Please, download install and configure ldapadmin.exe (for windows). This is a super-easy tool to create and modify users attributes, including shadow options.

>>> Also i did not undertstand how to convert the "shadowLastChange: 14348" to a date.

The procedure is correct, and the date returned is the default date, meaning that the value was not modified.

" Authentication requires access to password field, that should be not accessible by default. Annother issue is that during password change using passwd shadowLastChange needs to be accessible as well. Following code shows example ACL setting that permits access to shadowLastChange:

access to attr=shadowLastChange
by dn="cn=manager,dc=example,dc=com" write
by self write
by * read
"

Reference:

https://help.ubuntu.com/7.04/server/C/openldap-server.html

Re: Query ldap user password aging details

Graham Pooler — Thu, 02 Jul 2009 09:17:19 GMT

The perl command requires the time in seconds. Multiplying 14348 by 86400 gives a date of Apr 14 2009.