[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Not getting password expiry warnings on login

To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Subject: Re: Not getting password expiry warnings on login
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Wed, 31 Mar 2010 09:53:22 +0100
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <6C447584419BFE4E83D46E88F81314862FAEC3553C@EXCH07-05.apollogrp.edu>
References: <6C447584419BFE4E83D46E88F81314862FAEC349EB@EXCH07-05.apollogrp.edu> <201003301156.37666.bgmilne@staff.telkomsa.net> <6C447584419BFE4E83D46E88F81314862FAEC3553C@EXCH07-05.apollogrp.edu>
User-agent: KMail/1.12.2 (Linux/2.6.31.12-desktop-1mnb; KDE/4.3.2; x86_64; ; )

On Tuesday, 30 March 2010 19:50:15 Chris Jacobs wrote:
> I haven't had any success adding pwdChangedTime to accounts - and it seems
>  you've assisted others with that issue - with the result being "ya can't
>  do that".
> 
> http://www.openldap.org/lists/openldap-software/200706/msg00298.html
> 
> So, how do I add pwdChangedTime to accounts?

By updating userPassword, as covered in point (2) in my previous reply. See 
below.

> I'm being advised here to do so, but the only success I've had so far is
>  painful: delete the entry, and use slapadd.
> 
> Thanks,
> - chris
> 
> PS:
> Yes, I've read the man page for ldapmodify - I see mention of some 'general
>  extensions flag - but it doesn't make sense to me. I've also seen mention
>  of a '-k' flag, but it's not an option with the version of ldapsearch
>  compiled with openldap 2.4.

I provide a more complete script below.

> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
> Sent: Tuesday, March 30, 2010 3:57 AM
> To: openldap-technical@openldap.org
> Cc: Chris Jacobs
> Subject: Re: Not getting password expiry warnings on login


> >  2) I'm probably going to need to scrub these accounts
> >  so that they're created correctly - likely through a slapcat - modify
> >  output - wipe db (or delete entry) - slapadd (replace slapcat/add with
> >  ldapmodify if that's your pref).
> 
> No, update userPassword. E.g., something which does more or less:
> 
> ldapsearch "(&(userPassword=*)(!(pwdChangedTime=*)))"
>  userPassword|ldapmodify

ldapsearch -LLL "(&(userPassword=*)(!(pwdChangedTime=*)))" userPassword|perl -
p0e 's/\n(userPassword:)/\nreplace: userPassword\n$1/g'|ldapmodify

Now, if you only have simple binds working, then you would need to do it this 
way:

read -p 'Enter Root DN: ' ROOTDN
read -s -p 'Enter Root DN Password: ' ROOTPW

ldapsearch -x -D "$ROOTDN"  -w "$ROOTPW" -LLL "(&(userPassword=*)(!
(pwdChangedTime=*)))" userPassword|perl -p0e 's/\n(userPassword:)/\nreplace: 
userPassword\n$1/g'|ldapmodify -x -D "$ROOTDN" -w "$ROOTPW"


However, if you don't yet know how to use ldapmodify and ldapsearch, you 
really should try and learn ...

Regards,
Buchan

References:
- Not getting password expiry warnings on login
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
- Re: Not getting password expiry warnings on login
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- RE: Not getting password expiry warnings on login
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>

Prev by Date: AD, freeradius, openldap combination
Next by Date: Re: Configuring OpenLDAP on Ubuntu 9.10.Need help!
Index(es):
- Chronological
- Thread