5

I am using Apache Directory Studio to search for any LDAP users that have not modified their password since a specific date. I am using search and the (modifyTimestamp=) LDAP filter but am not having much luck. I am open to any other attributes that would work better. Can anyone help guide me on how to set the filter correctly for this type of search? Bonus if you know how to filter for modifications made within a date range.


Starting to look at this: Apache Dir Studio Search Help Page

Thanks in advance.

Andre Leon Rangel
chainwork
  • modifyTimestamp will only tell you when the Entry was modified. Not about a specific attribute. Many LDAP server implementations provide a separate attribute that does indicate specifically when the password was modified. If this is Microsoft Active Directory, that attribute is pwdLastSet. – jwilleke Oct 08 '20 at 08:13
  • Ok thank you for that jwilleke – chainwork Oct 09 '20 at 09:12

1 Answer

2

There is an operational attribute called pwdChangedTime. It exists in almost every LDAP: in Oracle OUD, ODSEE, OpenDS, OpenDJ, and ApacheDS... Beware, you can't see this attribute in a classic LDAP search since it's an operational attribute; you should append + at the end of your ldapsearch. Example:

  ldapsearch -h localhost --port 1389 -D "cn=Directory Manager" -w "password" -b "uid=myuser,ou=people,o=group" -s sub "(objectclass=*)" + 
  ...
  pwdChangedTime: 20201002090230.834Z
  ...

or directly:

  ldapsearch -h localhost --port 1389 -D "cn=Directory Manager" -w "password" -b "uid=myuser,ou=people,o=group" -s sub "(objectclass=*)" pwdChangedTime
  ...
  pwdChangedTime: 20201002090230.834Z
  ...

Finally, you can use the filter to set a modify date: modifytimestamp>=20201002

Saikat
Hamza Tahiri
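Added example, not part of the original question or answer: a small Python helper that builds the filter strings for a stale-password audit ("not changed since a date" and "changed within a range"), which can be pasted into Apache Directory Studio or ldapsearch. The function names are hypothetical; the attribute names pwdChangedTime and pwdLastSet are the ones mentioned on this page, and it assumes the server supports ordering matches on the chosen attribute.

```python
from datetime import datetime, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME:
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _utc(dt):
    """Return dt in UTC; naive datetimes are assumed to already be UTC."""
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def generalized_time(dt):
    """LDAP GeneralizedTime with full precision, e.g. 20201002000000Z."""
    return _utc(dt).strftime("%Y%m%d%H%M%SZ")


def filetime(dt):
    """Integer FILETIME value for comparing against pwdLastSet."""
    delta = _utc(dt) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _value(attr, dt):
    # pwdLastSet is an integer; the other timestamp attributes use GeneralizedTime.
    return str(filetime(dt)) if attr.lower() == "pwdlastset" else generalized_time(dt)


def not_changed_since(cutoff, attr="pwdChangedTime", include_never=True):
    """Filter for entries whose password timestamp is at or before cutoff."""
    older = f"({attr}<={_value(attr, cutoff)})"
    # Entries that never had a password change lack pwdChangedTime entirely,
    # so an ordering match alone would silently skip them.
    if include_never and attr.lower() != "pwdlastset":
        return f"(|{older}(!({attr}=*)))"
    return older  # for pwdLastSet, a value of 0 already satisfies "<="


def changed_between(start, end, attr="pwdChangedTime"):
    """Filter for entries whose password timestamp lies in [start, end]."""
    return f"(&({attr}>={_value(attr, start)})({attr}<={_value(attr, end)}))"


if __name__ == "__main__":
    cutoff = datetime(2020, 10, 2, tzinfo=timezone.utc)  # constructed sample date
    print(not_changed_since(cutoff))
    print(not_changed_since(cutoff, attr="pwdLastSet"))
    print(changed_between(datetime(2020, 10, 1), datetime(2020, 10, 31, 23, 59, 59)))
```

Combine the result with a user-scoping clause such as `(objectClass=person)` inside an `(&...)` so the audit does not return non-user entries.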