Showing results for 
Search instead for 
Did you mean: 


Go to solution
Aneesh Mohan
Honored Contributor


I have implemented HPDS 8.10.03 for Account/Password management.

We need to query users account status to check last succesfull/unsuccesfull login time , Password status , Expiration Time etc like the similar to the Trusted System.

hpus52^root:/opt/cfg2html > /usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Wed Dec 1 15:37:03 2010, upwchg=Wed Dec 1 15:36:33 2010, acctexp=-1, llog=0, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Dec 23 21:03:44 2010, ulogint=Mon Dec 20 11:07:05 2010, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=0, alock=NO, lockout=0000000

How Can I get it the similar account status for LDAP account ?

I can do LDAP search but I am getting only limited attribute , I am in process of migrating the users to LDAP , may be I may need to include any classes/attributes to do this. Please let me know if you find anything ……

#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod," "uid=sysadmin"
Enter bind password:
version: 1
dn: uid=sysadmin,ou=People,ou=Prod,
userPassword: {SSHA}aIPQyEX6qLPxGTey+gQcBEVySFuPYFNAU69viA==
uid: sysadmin
cn: sysadmin
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /usr/bin/sh
uidNumber: 128
gidNumber: 20

Honored Contributor

Re: HP LDAP Query

To find the last successful/unsuccessful login times _for a particular system_, you can use the "last" and "lastb" commands on that server.

Last successful logins by "sysadmin" on current host:
last sysadmin |more

Last unsuccessful logins by "sysadmin" on current host:
lastb sysadmin |more

To check the last login times for the user on _any system governed by your LDAP directory_, you'll have to be using the password policy plug-in of the HPDS. You also must have either a) configured a password policy that is applicable to the user, or b) must have set the alwaysRecordLogin attribute at cn=config,cn=Account Policy Plugin,cn=plugins,cn=config to "yes". The HPDS will maintain records of last login times only if these conditions are fulfilled.

For the rest of your questions, see chapter 7.1 (Managing the Password Policy) in the HPDS Administration Guide: (page 293 and onward)

See also Chapter 4 of the HPDS Schema Reference:

Things like password status and expiration times are "operational attributes" for HPDS, and ldapsearch will return them only if you specifically request them.

For example, to see if an account is locked, query for the attribute "nsAccountLock". For example:

#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod," "uid=sysadmin" nsAccountLock

You might get all the operational attributes at once by specifying "+" as the attributes:

#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod," "uid=sysadmin" +

Aneesh Mohan
Honored Contributor

Re: HP LDAP Query

Dear MK,
Thanks for that ..

We identified another issues,

1) The admin changes the account passwd using ldappasswd, or console, this will lead to update the account expiration time to 0 (1970010100000) reset the retry cont to 0, and set the passwordcanchange to present but will not change the accountunlocktime which still pointing in the future.
2) When the user logs in on some system will be denied (wrong behavior) on some other system user will be prompted to change the password (correct behavior)