2

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire and also force them to change their passwords. I am fairly new to LDAP. I am running openldap 2.3.43.el5 on RHEL 5.3. I am trying to find a solution (possibly in script form), but I am open to other tried and tested solutions.

What I am aiming to do is to parse, filter or format the LDAP query output from the command below (example):

slapcat -b "cn=Manager,dc=berkerly,dc=ac,dc=uk"

such that I get an output that shows the user cn (name) and the user's pwdChangedTime field from the LDAP database, for example:

cn: jbloggs :
pwdChangedTime: 2011078159Z

or better still all on the same line, like:

cn: jbloggs :pwdChangedTime: 2011078159Z

This way I can tell when the user's password was last changed and then, based on our password policy, work out when the LDAP account users' passwords will expire. In effect this will enable me to work out whose passwords expire soon from a mini report. I am hoping to do this in a script but am not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP of listing a user's cn (name) and pwdChangedTime or other fields? I am an LDAP newbie and I am only familiar with the slapcat command, which lists all the LDAP users and their various attribute fields in the LDAP database. This slapcat output is not easy to grep and awk to find exactly what I am looking for.

Also I need confirmation as to whether the field pwdChangedTime truly represents the date when the password for that user was last changed.

Finally, is there a way of forcing users to change their LDAP passwords as you do on normal local Unix/Linux accounts?

Your help would be greatly appreciated.

Sgaduuw
Dominiqs
    Does this answer your question? [what is the simple Command to check password expiry time of an openldap user account](https://serverfault.com/questions/422864/what-is-the-simple-command-to-check-password-expiry-time-of-an-openldap-user-acc) – andreagalle Jul 02 '21 at 12:09

3 Answers

1

OpenLDAP itself can be extended with overlays. Take a look at its Password Policies overlay.

What kind of applications are your LDAP users using?

Janne Pikkarainen
1

I think the output should be greppable like this (not tested):

slapcat -b "cn=Manager,dc=berkerly,dc=ac,dc=uk" | egrep "(cn:|pwdChangedTime)"

This should output the cn and pwdChangedTime for all users. How I would do this:

1) get a user list with slapcat

2) for every user in that list, get the cn and pwdChangedTime using the above grep. Another option is to use Perl, which has an LDAP lib. With this lib it is easy to get data out of LDAP.

3) take the date out of the pwdChangedTime var.

I don't know if you can force users to change their password with LDAP. I think there is a way, just not sure about it.

Hope my post is helpful.

P.S.: sorry I can't post more code examples but I am at work atm.

Goez
  • Thanks a million, I have already worked this out, I really appreciate your help. I used ldapsearch instead of slapcat but they all achieve a similar result. Thanks – Dominiqs Aug 11 '11 at 09:31
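The grep-and-parse approach from the answer above, carried through to the "mini report" the question asks for, as an added example that is not code from the question or any answer: it parses LDIF (as `slapcat` or `ldapsearch -LLL` emit it, including `::` base64 values), reads `pwdChangedTime` as a GeneralizedTime, and lists entries whose password expires within a warning window. The sample LDIF, the `dc=example,dc=com` DNs and the 90-day `pwdMaxAge` are constructed assumptions; entries with no `pwdChangedTime` at all (the ppolicy overlay never recorded a change) are flagged rather than silently skipped.

```python
import base64
from datetime import datetime, timedelta, timezone
# Constructed sample shaped like `ldapsearch -LLL` / slapcat LDIF output.
SAMPLE_LDIF = """dn: uid=jbloggs,ou=people,dc=example,dc=com
cn: Joe Bloggs
pwdChangedTime: 20110708155900Z

dn: uid=asmith,ou=people,dc=example,dc=com
cn:: QW5uYSBTbWl0aA==
pwdChangedTime: 20110601120000Z

dn: uid=svc,ou=people,dc=example,dc=com
cn: service account
"""

def parse_ldif(text):
    """One dict per LDIF entry; "attr:: value" is base64 (RFC 2849)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            current.setdefault(name, rest.strip())  # first value wins
    return entries

def parse_generalized_time(value):
    """LDAP GeneralizedTime in UTC as OpenLDAP writes it, e.g. 20110708155900Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_report(ldif_text, now, max_age=90 * 24 * 3600, warn_days=30):
    """(cn, expiry date, days left) for passwords expiring within warn_days of `now`
    (GeneralizedTime string); max_age is an assumed pwdMaxAge of 90 days in seconds."""
    now = parse_generalized_time(now)
    report = []
    for entry in parse_ldif(ldif_text):
        cn = entry.get("cn", entry["dn"])
        changed = entry.get("pwdChangedTime")
        if changed is None:  # ppolicy never recorded a password change
            report.append((cn, None, None))
            continue
        expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
        days_left = (expires - now).days
        if days_left <= warn_days:
            report.append((cn, expires.strftime("%Y-%m-%d"), days_left))
    return report
```

Feed it real output with `ldapsearch -LLL -b "dc=..." "(pwdChangedTime=*)" cn pwdChangedTime` piped into a file, and use the pwdMaxAge value from your own ppolicy entry instead of the assumed 90 days.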
0

It is certainly possible, though hardly advisable and definitely not scalable, to dump the LDIF in order to determine which users' passwords will expire and when. The method you propose requires a full table scan of the directory followed by some text wrangling to get it all on one line and so forth.

As far as I know, OpenLDAP supports the Password Expired and Password Expiring controls. These controls are returned from the server in the bind response. Their purpose is to inform clients of the state of a users' password as it relates to the password policy. These controls are described in VCHU.

Using these controls makes clients responsible for user notification, and they are already supported by UNIX login clients, for example (although the Solaris client is broken, see this article). When your client receives a bind response and checks for the presence of the password expired control (if the authentication was unsuccessful) and the password expiring control, the client can then take appropriate action. Clients must always check for controls in LDAP responses.

Having the notification performed by the client is flexible, configurable, dynamic and scalable. Having the notifications done by the server is none of those things.

There are other things that could be done to enhance the authentication experience, for example, using an LDAP assertion control with a filter that checks the pwdChangedTime and makes the bind conditional on the success of the filter.

Terry Gardner
  • The two controls you refer to are the ancient ('90s) Netscape ones, although some directories support these, OpenLDAP does not. Instead it uses [*Password Policy for LDAP Directories*](https://tools.ietf.org/html/draft-behera-ldap-password-policy-10) (the revision distributed with current OpenLDAP-2.4 source is v11). There are two distinct controls "request" and "response", and all [ppolicy](http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5) messages happen that way. – mr.spuratic Jul 10 '17 at 12:33