Linux – LDAP Account Expiry Script Help

Tags: ldap, linux, openldap, shell-scripting, unix

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire, and also of forcing them to change their passwords.
I am fairly new to LDAP. I am running openldap 2.3.43.el5 on RHEL 5.3.
I am trying to find a solution (possibly in script form), but I am open to other tried and tested solutions.

What I am aiming to do is to parse, filter or format the LDAP query output from the command below (example)

slapcat -b "cn=Manager,dc=berkerly dc=ac dc=uk"

such that I get an output that shows the user's cn (name) and the user's pwdChangedTime field from the LDAP database, for example

cn: jbloggs :
pwdChangedTime: 2011078159Z

or better still all on the same line like

cn: jbloggs :pwdChangedTime: 2011078159Z

This way I can tell when a user's password was last changed and then, based on our password policy, work out when the LDAP account users' passwords will expire.
In effect this will enable me to work out whose passwords expire soon from a mini report.
I am hoping to do this in a script but am not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP of listing a user's cn (name) and pwdChangedTime or other fields? I am an LDAP newbie and I am only familiar with the slapcat command, which lists all the LDAP users and their various attribute fields in the LDAP database. This slapcat output is not easy to grep and awk to find exactly what I am looking for.

Also, I need confirmation as to whether the field pwdChangedTime truly represents the date when the password for that user was last changed.

Finally, is there a way of forcing users to change their LDAP passwords as you do on normal local Unix/Linux accounts?

Your help would be greatly appreciated.

Best Answer

OpenLDAP itself can be extended with overlays. Take a look at its Password Policies overlay.

What kind of applications are your LDAP users using?
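The question asks for a script that turns slapcat output into a "cn / pwdChangedTime" mini report, and the answer points at the ppolicy overlay, which is what maintains pwdChangedTime (an operational attribute written in GeneralizedTime, YYYYmmddHHMMSSZ, UTC). The following is an added example written for this page, not code from the question or the answer: it parses the LDIF that slapcat emits (handling folded continuation lines and base64 "::" values), computes an expiry date from an assumed maximum age, and lists accounts that expire within a warning window, plus accounts that have a userPassword but no pwdChangedTime at all, which the overlay cannot age. The suffix dc=example,dc=ac,dc=uk, the sample entries, MAX_AGE_DAYS and WARN_DAYS are all constructed assumptions; set MAX_AGE_DAYS to match the pwdMaxAge of your own policy entry.

```python
"""Report LDAP accounts whose passwords expire soon, from slapcat LDIF.

Added example (not from the original thread). Assumptions: the ppolicy
overlay stamps pwdChangedTime; MAX_AGE_DAYS mirrors the policy's pwdMaxAge;
the suffix and sample entries below are constructed placeholders.
Usage:  slapcat -b "dc=example,dc=ac,dc=uk" | python3 pwexpiry.py
"""
import base64
import sys
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 60   # assumed policy maximum password age (pwdMaxAge / 86400)
WARN_DAYS = 14      # assumed notification window before expiry

# Constructed sample of slapcat output; not a real directory dump.
SAMPLE_LDIF = """\
dn: cn=jbloggs,ou=people,dc=example,dc=ac,dc=uk
objectClass: inetOrgPerson
cn: jbloggs
sn: Bloggs
userPassword:: e1NTSEF9Zm9v
pwdChangedTime: 20110601120000Z

dn: cn=asmith,ou=people,dc=example,dc=ac,dc=uk
objectClass: inetOrgPerson
cn: asmith
sn: Smith
userPassword:: e1NTSEF9Zm9v
pwdChangedTime: 20110710090000Z

dn: cn=old,ou=people,dc=example,dc=ac,dc=uk
objectClass: inetOrgPerson
cn: old
sn: Account
userPassword:: e1NTSEF9Zm9v
pwdChangedTime: 20110401080000Z

dn: cn=nopw,ou=people,dc=example,dc=ac,dc=uk
objectClass: inetOrgPerson
cn: nopw
sn: Untracked
userPassword:: e1NTSEF9Zm9v
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry.

    Folded lines (leading space) are joined to the previous line, 'attr::'
    values are base64-decoded, and attribute names are lowercased because
    LDAP compares them case-insensitively. 'attr:<' URL values stay raw."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:            # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                        # not an attribute line
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def parse_time(value):
    """GeneralizedTime as written by ppolicy (UTC, e.g. 20110601120000Z)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def expiry_report(ldif_text, now, max_age_days=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Return (expiring, untracked).

    expiring:  [(cn, changed, expires, days_left)], soonest first, for accounts
               expiring within warn_days or already expired (days_left < 0).
    untracked: [cn] for accounts with a userPassword but no pwdChangedTime,
               e.g. passwords set before the overlay was enabled."""
    if isinstance(now, str):
        now = parse_time(now)
    expiring, untracked = [], []
    for entry in parse_ldif(ldif_text):
        cn = entry.get("cn", entry.get("dn", ["?"]))[0]
        stamps = entry.get("pwdchangedtime")
        if not stamps:
            if "userpassword" in entry:
                untracked.append(cn)
            continue
        changed = parse_time(stamps[0])
        expires = changed + timedelta(days=max_age_days)
        days_left = (expires - now).days
        if days_left <= warn_days:
            expiring.append((cn, changed, expires, days_left))
    expiring.sort(key=lambda row: row[3])
    return expiring, untracked


def format_report(expiring, untracked):
    """One report line per account: cn, last change, expiry date, state."""
    lines = []
    for cn, changed, expires, days_left in expiring:
        state = "EXPIRED" if days_left < 0 else "expires in %d day(s)" % days_left
        lines.append("cn: %s  pwdChangedTime: %s  expires: %s  %s" % (
            cn, changed.strftime("%Y-%m-%d"), expires.strftime("%Y-%m-%d"), state))
    for cn in untracked:
        lines.append("cn: %s  pwdChangedTime: (none)  not tracked by ppolicy" % cn)
    return lines


if __name__ == "__main__":
    # Read slapcat output from a pipe; fall back to the constructed sample.
    data = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    print("\n".join(format_report(*expiry_report(data, now))))
```

The script only reports; the enforcement the question asks about is the overlay's job. With ppolicy loaded, pwdMaxAge in the policy entry expires passwords and pwdReset set to TRUE on a user entry forces a change at next bind, but only for clients that honour the ppolicy controls, which is why the answer asks what applications the users are binding with.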