I work with LDAP, but not that specific brand of server.
The first thing I'd try is a search on users that pulls all of their attributes instead of restricting it the way your example does.
ldapsearch -xLLL -H ldap://server.domain.net \
-b "cn=users,dc=server,dc=domain,dc=net" uid=username1 \* +
Often there's a "memberOf" attribute on the user that lists the group name or group DN for groups that a user is in, kept in sync with the information in the group. If that's there, that is the easiest way to do what you want.
The * will grab all user attributes (the default behavior) and the + will grab all operational attributes (special attributes).
Whether an account is disabled isn't stored in the LDAP database, so you can't get at it with any LDAP query; it's in the password server database, so you need to query the password server. To do this, you first need to get the account's password slot ID, which will be in one of the authAuthority attributes in LDAP, something like this:
authAuthority: ;ApplePasswordServer;0x4ae508585b4ac9840000000500000005,1024 35
1484429831226030758363098280788558407709702186716704057921377682138163682495133
1971257473356121601282837516549920614867084718242948054970731529476886852497051
1771493871066923475105955010041662310891335912128945258881795910315183596873989
2049755102190782235854169470422244680045551515607049216054651273928793669
root@myserver.example.com:10.0.0.5
In this example, "0x4ae508585b4ac9840000000500000005" is the user's password slot ID. Once you have that, you can connect to the password server and check the user's password policies:
$ telnet 10.0.0.5 3659
Trying 10.0.0.5...
Connected to myserver.example.com.
Escape character is '^]'.
+OK ApplePasswordServer 10.6.0.0 password server at 10.1.0.1 ready.
getpolicy 0x4ae508585b4ac9840000000500000005
+OK isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0
canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0
requiresAlpha=0 requiresNumeric=0 expirationDateGMT=44451553867008
hardExpireDateGMT=44451553900288 maxMinutesUntilChangePassword=0
maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0
minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0
requiresSymbol=0 notGuessablePattern=0 isSessionKeyAgent=0 isComputerAccount=0
adminClass=0 adminNoChangePasswords=0 adminNoSetPolicies=0 adminNoCreate=0
adminNoDelete=0 adminNoClearState=0 adminNoPromoteAdmins=0
quit
+OK password server signing off.
Connection closed by foreign host.
Note the "isDisabled=1" policy in that list, indicating that this user is currently disabled.
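An added example (not from the answer above or from Apple's tools) that automates the two steps just described: pull the slot ID out of an ApplePasswordServer authAuthority value, parse the getpolicy reply into a dict, and report isDisabled. The sample authAuthority and reply strings are constructed from the formats shown above (the RSA modulus is replaced by a placeholder, the reply is shortened), and fetch_policy assumes the server answers each command with one CRLF-terminated line.

```python
import socket

# Constructed samples modelled on the authAuthority value and getpolicy reply
# quoted above; the slot ID and password-server address are the ones shown there.
SAMPLE_AUTH_AUTHORITY = (
    ";ApplePasswordServer;0x4ae508585b4ac9840000000500000005,1024 35 "
    "<rsa-public-key-digits> root@myserver.example.com:10.0.0.5"
)
SAMPLE_POLICY_REPLY = (
    "+OK isDisabled=1 isAdminUser=0 newPasswordRequired=0 usingHistory=0 "
    "maxFailedLoginAttempts=0 minChars=0 maxChars=0 requiresMixedCase=0"
)

def parse_auth_authority(value):
    """Return (slot_id, server_ip) from an ApplePasswordServer authAuthority
    value, or None if the entry belongs to a different mechanism."""
    # Layout: ";ApplePasswordServer;<slot ID>,<bits> <exponent> <modulus> user@host:ip"
    parts = value.strip().split(";")
    if len(parts) < 3 or parts[1] != "ApplePasswordServer":
        return None
    slot_id = parts[2].split(",", 1)[0]
    server = parts[2].split()[-1]          # "root@myserver.example.com:10.0.0.5"
    return slot_id, server.rsplit(":", 1)[-1]

def parse_policy_reply(reply):
    """Turn a '+OK key=value ...' getpolicy reply into a dict of ints.
    Anything other than a +OK reply is treated as a failed lookup."""
    status, _, body = reply.strip().partition(" ")
    if status != "+OK":
        raise ValueError("password server did not return +OK: %s" % reply.strip())
    policy = {}
    for item in body.split():
        key, _, val = item.partition("=")
        policy[key] = int(val)
    return policy

def is_disabled(policy):
    return policy.get("isDisabled", 0) == 1

def fetch_policy(ip, slot_id, port=3659, timeout=5.0):
    """Replay the telnet exchange above: read the banner, send getpolicy for the
    slot, read the reply line, send quit. Assumes single-line CRLF replies."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        f.readline()                                   # "+OK ApplePasswordServer ... ready."
        f.write(("getpolicy %s\r\n" % slot_id).encode())
        reply = f.readline().decode(errors="replace")
        f.write(b"quit\r\n")
    return parse_policy_reply(reply)

if __name__ == "__main__":
    slot_id, ip = parse_auth_authority(SAMPLE_AUTH_AUTHORITY)
    policy = parse_policy_reply(SAMPLE_POLICY_REPLY)   # fetch_policy(ip, slot_id) against a live server
    print("slot %s on %s: disabled=%s" % (slot_id, ip, is_disabled(policy)))
```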
Best Answer
According to the Wikipedia doc, Open Directory is an implementation of LDAP, and Open Directory stores the user data in a file which can be directly inspected, so there are a couple of options.
This post here indicates that the following command can be used to show the last updated time, which is updated on login (unfortunately this value is also incremented by password changes, so it is not necessarily accurate, but it can give a lower bound).
I didn't find the Open Directory user "account" object schema, but you might find it useful to download JXplorer or some other LDAP client tool and directly inspect the account entries for something like a "LastLogin" field. There are a whole bunch of docs on the Open Directory product on the Apple site here, which might help you in searching for the correct LastLogin attribute to use in an ldapsearch query.
There is this excerpt from a Google Books search which might also be helpful if you have no luck with the above.
So, worst of cases, you look in this file here for the last login time: