System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

Query ldap user password aging details

SOLVED
Go to solution
skt_skt
Honored Contributor

Query ldap user password aging details


RHEL as servers with 2.4 and 2.6 kerenel

I am looking to find the last password change for an ldap user. How can i query that in ldap?

I always use getprpw or chage which is not useful in this context.
10 REPLIES
kevin_m
Valued Contributor

Re: Query ldap user password aging details

One of my colleagues set this up in HP-UX using a 3rd party tool.
http://docs.sun.com/source/816-6400-10/lsearch.html
Allegedly it works for Red Hat as well but we haven't implemented LDAP authentication on Linux. Attached are some excerpts from a script (again, HP-UX) to obtain the password change date.

- Kevin
Ivan Ferreira
Honored Contributor

Re: Query ldap user password aging details

I would use for example:

ldapsearch -x -D "cn=Directory Manager" -b dc=domain,dc=com -H ldaps://server.domain.com -W objectclass=posixAccount shadowLastChange

Ensure to specify a BIND DN with enough privileges to read the attributes.

Then you can convert to localtime using perl the returned value:

perl -e 'print scalar localtime(12011),"\n"'
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: Query ldap user password aging details

Remember that the user object must have the shadowAccount objectclass.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Heironimus
Honored Contributor

Re: Query ldap user password aging details

If you're using pam_ldap for authentication (as you should be) then everything is based on the LDAP password and you'll want to check how your LDAP server stores that metadata.
Ivan Ferreira
Honored Contributor

Re: Query ldap user password aging details

Your query returned an posixGroup object.

Change your query to:

ldapsearch -x -ZZ -LLL -b dc=xxxx,dc=com objectClass=posixAccount

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Andrea Rossi
Frequent Advisor

Re: Query ldap user password aging details

Hi
whatever the db is (passwd, ldap, etc) the native samba command is:
pdbedit -P "minimum password age"
(see man pages for detail)

Ivan Ferreira
Honored Contributor

Re: Query ldap user password aging details

What do you get if you run?:

ldapsearch -x -ZZ -LLL -b dc=alcoa.com,dc=com objectClass=*

You should see all your objects. Do you already have uses created?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: Query ldap user password aging details

Your base search is not correct, it should be:

ldapsearch -x -ZZ -LLL -b dc=alcoa,dc=com objectClass=*

I told you to run the wrong command before, the dc=alcoa.com should be dc=alcoa,dc=com.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor
Solution

Re: Query ldap user password aging details

>>> as i can see shadowLastChange is there for some account not for all. am i right?

This is because, just some of the accounts, have the shadowAccount objectclass on it. Your user creation tool should allow you to specify this.

Please, download install and configure ldapadmin.exe (for windows). This is a super-easy tool to create and modify users attributes, including shadow options.

>>> Also i did not undertstand how to convert the "shadowLastChange: 14348" to a date.

The procedure is correct, and the date returned is the default date, meaning that the value was not modified.

" Authentication requires access to password field, that should be not accessible by default. Annother issue is that during password change using passwd shadowLastChange needs to be accessible as well. Following code shows example ACL setting that permits access to shadowLastChange:

access to attr=shadowLastChange
by dn="cn=manager,dc=example,dc=com" write
by self write
by * read
"


Reference:

https://help.ubuntu.com/7.04/server/C/openldap-server.html
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Graham Pooler
Occasional Visitor

Re: Query ldap user password aging details

The perl command requires the time in seconds. Multiplying 14348 by 86400 gives a date of Apr 14 2009.