- Re: HP LDAP Query
12-23-2010 11:09 PM
I have implemented HPDS 8.10.03 for Account/Password management.
We need to query users' account status to check last successful/unsuccessful login time, password status, expiration time, etc., similar to the Trusted System.
hpus52^root:/opt/cfg2html > /usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Wed Dec 1 15:37:03 2010, upwchg=Wed Dec 1 15:36:33 2010, acctexp=-1, llog=0, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Dec 23 21:03:44 2010, ulogint=Mon Dec 20 11:07:05 2010, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=0, alock=NO, lockout=0000000
How can I get similar account status for an LDAP account?
I can do an LDAP search but I am getting only limited attributes. I am in the process of migrating the users to LDAP; maybe I need to include some classes/attributes to do this. Please let me know if you find anything ……
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin"
Enter bind password:
version: 1
dn: uid=sysadmin,ou=People,ou=Prod,o=alahli.com
userPassword: {SSHA}aIPQyEX6qLPxGTey+gQcBEVySFuPYFNAU69viA==
uid: sysadmin
cn: sysadmin
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /usr/bin/sh
uidNumber: 128
gidNumber: 20
12-25-2010 06:12 AM
Solution
To find the last successful/unsuccessful login times _for a particular system_, you can use the "last" and "lastb" commands on that server.
Last successful logins by "sysadmin" on current host:
last sysadmin |more
Last unsuccessful logins by "sysadmin" on current host:
lastb sysadmin |more
To check the last login times for the user on _any system governed by your LDAP directory_, you'll have to be using the password policy plug-in of the HPDS. You also must have either a) configured a password policy that is applicable to the user, or b) must have set the alwaysRecordLogin attribute at cn=config,cn=Account Policy Plugin,cn=plugins,cn=config to "yes". The HPDS will maintain records of last login times only if these conditions are fulfilled.
For the rest of your questions, see chapter 7.1 (Managing the Password Policy) in the HPDS Administration Guide:
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02035197/c02035197.pdf (page 293 and onward)
See also Chapter 4 of the HPDS Schema Reference:
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02035207/c02035207.pdf
Things like password status and expiration times are "operational attributes" for HPDS, and ldapsearch will return them only if you specifically request them.
For example, to see if an account is locked, query for the attribute "nsAccountLock". For example:
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin" nsAccountLock
You might get all the operational attributes at once by specifying "+" as the attributes:
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin" +
MK
01-07-2011 01:20 AM
Dear MK,
Thanks for that.
We identified other issues:
1) The admin changes the account passwd using ldappasswd or the console; this will update the account expiration time to 0 (1970010100000), reset the retry count to 0, and set the passwordcanchange to present, but will not change the accountunlocktime, which is still pointing in the future.
2) When the user logs in, on some system the user will be denied (wrong behavior); on some other system the user will be prompted to change the password (correct behavior).
Aneesh
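An added example, not part of the thread or of HPDS: it turns the LDIF returned by the "+" search in MK's reply into a getprpw-style one-line summary per account and flags the state described in the last post, a cleared retry counter with an unlock time still in the future. Attribute names other than nsAccountLock are assumed from 389/Red Hat Directory Server naming, and the o=example.com entries are constructed sample data.

```shell
# Added example, not from the thread. Attribute names other than nsAccountLock
# are ASSUMED from 389/Red Hat Directory Server naming; check the HPDS schema.
# acct_status NOW: LDIF on stdin; NOW is generalized time (YYYYMMDDhhmmssZ).
acct_status() {
    awk -v now="$1" '
    function take(line,   i, k) {           # store one unfolded "attr: value"
        i = index(line, ": ")
        if (i == 0) return
        k = tolower(substr(line, 1, i - 1))
        if (k ~ /:$/) return                # "attr:: ..." is base64, skip it
        if (k == "dn") dn = substr(line, i + 2)
        else a[k] = substr(line, i + 2)
    }
    function emit(   f, unlock, pexp) {     # report the entry collected so far
        take(prev); prev = ""
        if (dn == "") return
        unlock = a["accountunlocktime"] ""
        pexp = a["passwordexpirationtime"] ""
        if (tolower(a["nsaccountlock"]) == "true") f = f ",ADMIN_LOCKED"
        if (pexp != "" && pexp <= now) f = f ",PW_EXPIRED"
        # Retry counter cleared but unlock time still ahead of NOW.
        if (unlock > now && a["passwordretrycount"] + 0 == 0)
            f = f ",STALE_UNLOCK"
        printf "%s retry=%d unlock=%s exp=%s flags=%s\n", dn,
            a["passwordretrycount"], (unlock == "" ? "-" : unlock),
            (pexp == "" ? "-" : pexp), (f == "" ? "none" : substr(f, 2))
        dn = ""; split("", a)
    }
    /^ / { prev = prev substr($0, 2); next }    # LDIF folded line
    /^$/ { emit(); next }                       # blank line ends an entry
         { take(prev); prev = $0 }
    END  { emit() }
    '
}
# Constructed sample: entry after an admin reset (one folded line), one locked.
sample_ldif() {
    cat <<'EOF'
dn: uid=sysadmin,ou=People,ou=Prod,o=example.com
passwordExpirationTime: 19700101000000Z
passwordRetryCount: 0
accountUnlockTime: 2011010
 8012000Z

dn: uid=oper1,ou=People,ou=Prod,o=example.com
nsAccountLock: true
passwordRetryCount: 2
EOF
}
sample_ldif | acct_status 20110107012000Z
```

Against a live directory, pipe the output of the ldapsearch "+" query into acct_status with the current UTC time as the argument.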