Most LDAP servers use a different schema than the Microsoft version and
work from the opposite direction. Try querying "passwordexpirationtime".
You can do a search for the specific password schema with the following
info: 2.16.840.1.113730.3.2.12 passwordObject
I think it is more common to:
1. administratively set the password on a user account
2. set the password expiration to occur immediately.
3. set the passwordGraceUserTime for a time period that allows the user
to log in solely to change their password.
However, you must explicitly program your site to gracefully handle this
situation (condition where passwordexpirationtime < now <
passwordGraceUserTime), since the user's LDAP authentication attempt
against the directory will fail (with an error indicating the password
has expired).
On 01/21/2011 09:45 AM, harry.dev...@faa.gov wrote:
I am in the process of creating a web-based mechanism to allow our
users to change their password on our new 389-ds server. I would like
to display the date that their password is due to expire, and while
Googling around, I see a lot of references to pwdLastSet, but about
95% of the articles are referring to Active Directory. I don't see
pwdLastSet amongst the attributes in my default 389-ds setup. Is it
there, or do I have to add that attribute to every account?
Also, I currently have my pages set up where, when the user logs in,
it detects our 'default' password and forces them to change it. Is
there some attribute in their account that I can set that I can key
off of and force them to change their password when they login to my
site?
Thanks for any tips!
Harry
Harry Devine
Common ARTS Software Development
AJT-144
(609)485-4218
harry.dev...@faa.gov
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
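
Added example, not part of the original thread or of 389-ds: one way a password-change site could turn the passwordExpirationTime attribute mentioned above into a display date and an explicit "expired" state that it handles itself. It assumes the attribute is stored as an LDAP GeneralizedTime string; the function names, the 14-day warning window and the sample entries are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import re

# 14 digits, optional fraction (ignored), then Z or a +/-HHMM offset.
_GT = re.compile(r"^(\d{14})(?:[.,]\d+)?(Z|[+-]\d{4})$")

def parse_generalized_time(value):
    """Parse a GeneralizedTime such as 20110421144500Z into an aware UTC datetime."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    m = _GT.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    stamp, zone = m.groups()
    offset = "+0000" if zone == "Z" else zone
    return datetime.strptime(stamp + offset, "%Y%m%d%H%M%S%z").astimezone(timezone.utc)

def password_status(attrs, now, warn_days=14):
    """Return (state, expires_at, days_left) for one entry (name -> list of values)."""
    lowered = {k.lower(): v for k, v in attrs.items()}  # attribute names are case-insensitive
    values = lowered.get("passwordexpirationtime")
    if not values:
        return ("no_expiry", None, None)  # attribute absent: nothing to display
    expires = parse_generalized_time(values[0])
    remaining = expires - now
    if remaining <= timedelta(0):
        return ("expired", expires, 0)  # the site must route this to the change form
    state = "expiring_soon" if remaining <= timedelta(days=warn_days) else "ok"
    return (state, expires, remaining.days)

# Constructed sample data: a fixed "now" and four made-up entries.
NOW = datetime(2011, 1, 21, 14, 45, tzinfo=timezone.utc)
SAMPLE = {
    "alice": {"passwordExpirationTime": [b"20110421144500Z"]},
    "bob": {"passwordexpirationtime": [b"20110125094500-0500"]},
    "carol": {"passwordExpirationTime": [b"20110120000000Z"]},
    "dave": {"cn": [b"dave"]},
}

if __name__ == "__main__":
    for uid, entry in SAMPLE.items():
        print(uid, password_status(entry, NOW))
```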