Hi,
Is there any way to obtain the users with expired/expiring passwords?
I have activated the password policy, making the password expire after X days, and warning them after X-10 days. Now, I want to create a cron job to send an email to users warning them about their password expiration. I know I can get that information when the user is binding, but not for the users obtained from a search.
Thanks in advance.
On 02/28/2011 07:08 AM, Juan Asensio Sánchez wrote:
> Is there any way to obtain the users with expired/expiring passwords?
> I have activated the password policy, making the password expire after X days, and warning them after X-10 days. Now, I want to create a cron job to send an email to users warning them about their password expiration. I know I can get that information when the user is binding, but not for the users obtained from a search.
Filters are your friend.
To select passwords that have expired since midnight, you would use the following filter (using today's date Feb 28 2011): "(passwordexpirationtime<=20110228000000Z)"
To select users with passwords expiring in the next 10 days (passwords expire between today at midnight AND Mar. 10 at midnight): "(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z))"
You may need to add additional filter terms as well. The script that we use also filters out (excludes) inactive accounts (since we don't delete accounts from our directory). Inactivated accounts in our directory all belong to a single group (and we have the group memberof plugin enabled): "(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(memberOf=cn=inactivated,cn=account inactivation,cn=accounts,dc=domain,dc=com))))"
Depending on how your directory is designed, it might make more sense to eliminate users with the nsaccountlock attribute set to true: "(&(&(passwordexpirationtime>=20110228000000Z)(passwordexpirationtime<=20110310000000Z)(!(nsaccountlock=true))))"
Hi,
Thanks for the answer, but my users don't have the attribute passwordexpirationtime, because this attribute is not generated until the user logs in after the activation of the account/password policies.
Reading, I have seen that when a user binds to the server, the server returns some controls indicating the expiring/expired password, if that is the case. But I cannot bind as the user, as I don't have its password, so I cannot get the controls that a bind as that user would return. Could I simulate this using a proxy auth, i.e., binding as Directory Manager, but simulating a login of the user? Would this need some special ACI? I am a bit lost...
Thanks in advance.
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
On 03/16/2011 06:45 AM, Juan Asensio Sánchez wrote:
> Hi,
> Thanks for the answer, but my users don't have the attribute passwordexpirationtime, because this attribute is not generated until the user logs in after the activation of the account/password policies.
> Reading, I have seen that when a user binds to the server, the server returns some controls indicating the expiring/expired password, if that is the case. But I cannot bind as the user, as I don't have its password, so I cannot get the controls that a bind as that user would return. Could I simulate this using a proxy auth, i.e., binding as Directory Manager, but simulating a login of the user? Would this need some special ACI? I am a bit lost...

I suppose you could use createTimestamp if passwordexpirationtime is not present.

> Thanks in advance.
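The filters discussed in this thread, built for an arbitrary date rather than typed by hand; this is an added example, not code from any of the posters or from the 389 project. It covers the passwordexpirationtime window, the expired case, and the createTimestamp fallback suggested in the last reply, which only approximates expiry for accounts whose password has not changed since creation. The function names and the `max_age_days` / `warn_days` parameters (the thread's X and 10) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Exclude locked accounts, as in the nsaccountlock variant from the thread.
ACTIVE = "(!(nsaccountlock=true))"

def gtime(dt):
    """Format an aware datetime as LDAP GeneralizedTime in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def midnight_utc(now):
    """Midnight (UTC) of the day containing `now`."""
    return now.astimezone(timezone.utc).replace(
        hour=0, minute=0, second=0, microsecond=0)

def ldap_and(*terms):
    return "(&" + "".join(terms) + ")"

def expired_filter(now):
    """Active entries whose password expired before today's midnight."""
    return ldap_and(
        f"(passwordexpirationtime<={gtime(midnight_utc(now))})", ACTIVE)

def expiring_filter(now, warn_days):
    """Active entries expiring between today's midnight and warn_days later."""
    start = midnight_utc(now)
    end = start + timedelta(days=warn_days)
    return ldap_and(f"(passwordexpirationtime>={gtime(start)})",
                    f"(passwordexpirationtime<={gtime(end)})", ACTIVE)

def fallback_expiring_filter(now, max_age_days, warn_days):
    """Entries with no passwordexpirationtime yet: estimate expiry as
    createTimestamp + max_age_days and apply the same warning window."""
    oldest = midnight_utc(now) - timedelta(days=max_age_days)
    newest = oldest + timedelta(days=warn_days)
    return ldap_and("(!(passwordexpirationtime=*))",
                    f"(createTimestamp>={gtime(oldest)})",
                    f"(createTimestamp<={gtime(newest)})", ACTIVE)

if __name__ == "__main__":
    # Constructed sample date: the one used in the thread.
    now = datetime(2011, 2, 28, 9, 30, tzinfo=timezone.utc)
    print(expired_filter(now))
    print(expiring_filter(now, warn_days=10))
    # max_age_days=90 is a constructed value standing in for X.
    print(fallback_expiring_filter(now, max_age_days=90, warn_days=10))
```

Each returned string can be passed as the search filter to ldapsearch or an LDAP client library from the cron job.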