Re: Query ldap user password aging details

SOLVED

RHEL as servers with 2.4 and 2.6 kerenel

I am looking to find the last password change for an ldap user. How can i query that in ldap?

I always use getprpw or chage which is not useful in this context.

10 REPLIES 10

One of my colleagues set this up in HP-UX using a 3rd party tool.
http://docs.sun.com/source/816-6400-10/lsearch.html
Allegedly it works for Red Hat as well but we haven't implemented LDAP authentication on Linux. Attached are some excerpts from a script (again, HP-UX) to obtain the password change date.

- Kevin

I would use for example:

ldapsearch -x -D "cn=Directory Manager" -b dc=domain,dc=com -H ldaps://server.domain.com -W objectclass=posixAccount shadowLastChange

Ensure to specify a BIND DN with enough privileges to read the attributes.

Then you can convert to localtime using perl the returned value:

perl -e 'print scalar localtime(12011),"\n"'

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Remember that the user object must have the shadowAccount objectclass.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

If you're using pam_ldap for authentication (as you should be) then everything is based on the LDAP password and you'll want to check how your LDAP server stores that metadata.

Your query returned an posixGroup object.

Change your query to:

ldapsearch -x -ZZ -LLL -b dc=xxxx,dc=com objectClass=posixAccount

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Hi
whatever the db is (passwd, ldap, etc) the native samba command is:
pdbedit -P "minimum password age"
(see man pages for detail)

What do you get if you run?:

ldapsearch -x -ZZ -LLL -b dc=alcoa.com,dc=com objectClass=*

You should see all your objects. Do you already have uses created?

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Your base search is not correct, it should be:

ldapsearch -x -ZZ -LLL -b dc=alcoa,dc=com objectClass=*

I told you to run the wrong command before, the dc=alcoa.com should be dc=alcoa,dc=com.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

>>> as i can see shadowLastChange is there for some account not for all. am i right?

This is because, just some of the accounts, have the shadowAccount objectclass on it. Your user creation tool should allow you to specify this.

Please, download install and configure ldapadmin.exe (for windows). This is a super-easy tool to create and modify users attributes, including shadow options.

>>> Also i did not undertstand how to convert the "shadowLastChange: 14348" to a date.

The procedure is correct, and the date returned is the default date, meaning that the value was not modified.

" Authentication requires access to password field, that should be not accessible by default. Annother issue is that during password change using passwd shadowLastChange needs to be accessible as well. Following code shows example ACL setting that permits access to shadowLastChange:

access to attr=shadowLastChange
by dn="cn=manager,dc=example,dc=com" write
by self write
by * read
"

Reference:

https://help.ubuntu.com/7.04/server/C/openldap-server.html

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

The perl command requires the time in seconds. Multiplying 14348 by 86400 gives a date of Apr 14 2009.