HP LDAP Query
12-23-2010 11:09 PM
I have implemented HPDS 8.10.03 for Account/Password management.
We need to query users' account status to check last successful/unsuccessful login time, password status, expiration time, etc., similar to the Trusted System.
hpus52^root:/opt/cfg2html > /usr/lbin/getprpw root
uid=0, bootpw=YES, audid=0, audflg=1, mintm=0, maxpwln=-1, exptm=0, lftm=0, spwchg=Wed Dec 1 15:37:03 2010, upwchg=Wed Dec 1 15:36:33 2010, acctexp=-1, llog=0, expwarn=0, usrpick=DFT, syspnpw=DFT, rstrpw=DFT, nullpw=DFT, admnum=-1, syschpw=DFT, sysltpw=DFT, timeod=-1, slogint=Thu Dec 23 21:03:44 2010, ulogint=Mon Dec 20 11:07:05 2010, sloginy=-1, culogin=-1, uloginy=-1, umaxlntr=0, alock=NO, lockout=0000000
How can I get similar account status for an LDAP account?
I can do an LDAP search but I am getting only limited attributes. I am in the process of migrating the users to LDAP; maybe I need to include some classes/attributes to do this. Please let me know if you find anything...
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin"
Enter bind password:
version: 1
dn: uid=sysadmin,ou=People,ou=Prod,o=alahli.com
userPassword: {SSHA}aIPQyEX6qLPxGTey+gQcBEVySFuPYFNAU69viA==
uid: sysadmin
cn: sysadmin
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /usr/bin/sh
uidNumber: 128
gidNumber: 20
12-25-2010 06:12 AM
Solution
To find the last successful/unsuccessful login times _for a particular system_, you can use the "last" and "lastb" commands on that server.
Last successful logins by "sysadmin" on current host:
last sysadmin |more
Last unsuccessful logins by "sysadmin" on current host:
lastb sysadmin |more
To check the last login times for the user on _any system governed by your LDAP directory_, you'll have to be using the password policy plug-in of the HPDS. You also must have either a) configured a password policy that is applicable to the user, or b) must have set the alwaysRecordLogin attribute at cn=config,cn=Account Policy Plugin,cn=plugins,cn=config to "yes". The HPDS will maintain records of last login times only if these conditions are fulfilled.
For the rest of your questions, see chapter 7.1 (Managing the Password Policy) in the HPDS Administration Guide:
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02035197/c02035197.pdf (page 293 and onward)
See also Chapter 4 of the HPDS Schema Reference:
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02035207/c02035207.pdf
Things like password status and expiration times are "operational attributes" for HPDS, and ldapsearch will return them only if you specifically request them.
For example, to see if an account is locked, query for the attribute "nsAccountLock". For example:
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin" nsAccountLock
You might get all the operational attributes at once by specifying "+" as the attributes:
#ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin" +
MK
01-07-2011 01:20 AM
Re: HP LDAP Query
Dear MK,
Thanks for that.
We identified other issues:
1) The admin changes the account passwd using ldappasswd or the console; this updates the account expiration time to 0 (1970010100000), resets the retry count to 0, and sets the passwordcanchange to present, but does not change the accountunlocktime, which is still pointing to the future.
2) When the user logs in, on some systems the user will be denied (wrong behavior); on other systems the user will be prompted to change the password (correct behavior).
Aneesh
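An added example (not part of the original posts): a POSIX shell function that turns the LDIF from the explicit-attribute query described in the solution into a getprpw-style status line per user, and flags the reset state described in the last reply. Attribute names other than nsAccountLock follow Red Hat/389 Directory Server naming and are assumptions to verify in the HPDS Schema Reference; the LDIF is constructed sample data. Naming the attributes explicitly also keeps userPassword out of the output.

```shell
#!/bin/sh
# Added example, not from the thread. Attribute names other than nsAccountLock
# are assumptions (Red Hat/389 DS style); confirm them in the HPDS Schema Reference.
ACCT_ATTRS="uid nsAccountLock passwordExpirationTime passwordRetryCount accountUnlockTime lastLoginTime"
# Usage: ldapsearch -h xxxx -D "cn=dsadmin" -w - -b "ou=People,ou=Prod,o=xxxx.com" "uid=sysadmin" $ACCT_ATTRS | ldap_acct_status
# Reads ldapsearch LDIF on stdin and prints one getprpw-style line per entry.
ldap_acct_status() {
    awk '
    function get(k) { return (k in val) ? val[k] : "-" }
    function take(line,   i) {            # store "attr: value", attr lower-cased
        i = index(line, ": ")
        if (i > 1) val[tolower(substr(line, 1, i - 1))] = substr(line, i + 2)
    }
    function emit(   alock, reset, both) {
        if ("uid" in val) {
            alock = (tolower(get("nsaccountlock")) == "true") ? "YES" : "NO"
            # Per the thread, an admin reset sets the expiration time to the epoch.
            reset = (get("passwordexpirationtime") ~ /^19700101/) ? "YES" : "NO"
            both  = (reset == "YES" && get("accountunlocktime") != "-") ? "YES" : "NO"
            printf "uid=%s, alock=%s, pwexp=%s, retry=%s, unlock=%s, llog=%s, pwreset=%s, reset_with_unlock=%s\n",
                get("uid"), alock, get("passwordexpirationtime"), get("passwordretrycount"),
                get("accountunlocktime"), get("lastlogintime"), reset, both
        }
        split("", val)                    # clear state for the next entry
    }
    /^ / { prev = prev substr($0, 2); next }   # LDIF folded line: join to previous
    { if (prev != "") take(prev); prev = $0 }
    /^$/ { emit() }                            # blank line ends an entry
    END { if (prev != "") take(prev); emit() }
    '
}
sample_ldif() {   # constructed sample, including one folded line
cat <<'EOF'
dn: uid=sysadmin,ou=People,ou=Prod,o=example.com
uid: sysadmin
passwordExpirationTime: 19700101000000Z
passwordRetryCount: 0
accountUnlockTime: 2011010
 8093000Z
lastLoginTime: 20110106221500Z

dn: uid=oper1,ou=People,ou=Prod,o=example.com
uid: oper1
nsAccountLock: true
passwordExpirationTime: 20110401000000Z
EOF
}
sample_ldif | ldap_acct_status
```

An entry with reset_with_unlock=YES matches the state described in the last reply: the password has been reset, but the unlock time is still set.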