Hi Guys,

We are currently looking into implementing password expirations (pwdMaxAge) along with password expiration warnings (pwdExpireWarning) so that email notifications may be sent to those offending entries via a cronjob run as the admin (or some other ACL user). The problem is, if I understand it correctly, these warning messages are only relayed (via password policy controls?) when the USER itself binds to the tree. Is there some other way for a privileged user to obtain these messages or at least some other set attribute before pwdMaxAge has been reached?

If you are thinking of increasing the pwdAuthGraceNLimit, that won't work because the user could log in and try binding several other times through the course of the day before receiving a "password is about to expire in nlogin attempts", which is performed each time they log in to their machine.

Below is an example of what works to get the info I need, binding as a user (again not what I want):
#####################################################################################################
#!/usr/bin/perl

use strict;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_EXTENSION_START_TLS);
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY);
use POSIX;

my $ldap_host = "ldap://hostname.mydomain.com";
my $ldap_port = "389";
my $ldap = Net::LDAP->new($ldap_host, port => $ldap_port)
    or die "Cannot connect to $ldap_host: $@\n";
my $seconds_in_a_day = 86400;
my $seconds_in_an_hour = 3600;

# Ask the server to return password policy information with the bind result
my $pp = Net::LDAP::Control::PasswordPolicy->new;

my $mesg = $ldap->bind("uid=someuser,ou=People,dc=mydomain,dc=com",
                       password => "secret",
                       control  => [ $pp ] );

# Get password policy response
my($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);

if (defined($resp)) {
    my $v = $resp->pp_error;
    print "Password policy error $v\n" if defined $v;
    # time_before_expiration is only set when the server sends a warning
    $v = $resp->time_before_expiration;
    if (defined $v) {
        my $days  = ceil($v/$seconds_in_a_day);
        my $hours = ($v/$seconds_in_an_hour);
        print "Your password expires in less than $days day(s) ($hours hour(s))\n";
    }
}
####################################################################################################
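
One way a privileged cron job could decide whom to warn without binding as each user is sketched below; it is an added example, not part of the original post. It assumes the password policy overlay records the operational attribute pwdChangedTime on each entry, that the job's identity may read it, and that a single policy applies to everyone (a per-entry pwdPolicySubentry would need its own pwdMaxAge and pwdExpireWarning lookup). The user names, timestamps, policy values and both helper functions are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: classify entries by password age from pwdChangedTime.
# In a real job the values below would come from an admin-bound search that
# explicitly requests pwdChangedTime; here they are constructed sample data.
use strict;
use warnings;
use Time::Local qw(timegm);

# Parse a UTC GeneralizedTime (e.g. 20240320000000Z) into epoch seconds.
# Fractional seconds are ignored; anything unparseable returns undef.
sub generalized_to_epoch {
    my ($gt) = @_;
    return undef unless defined $gt
        && $gt =~ /^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(?:\.\d+)?Z$/;
    return eval { timegm($6, $5, $4, $3, $2 - 1, $1) };
}

# Returns (status, seconds_left); status is one of
# no-expiry, unknown, expired, warn, ok.
sub expiry_status {
    my ($changed, $max_age, $warn, $now) = @_;
    return ('no-expiry', undef) unless $max_age;   # pwdMaxAge 0 or unset
    my $t = generalized_to_epoch($changed);
    return ('unknown', undef) unless defined $t;   # no pwdChangedTime recorded
    my $left = $t + $max_age - $now;
    return ('expired', $left) if $left <= 0;
    return ('warn', $left)    if $warn && $left <= $warn;
    return ('ok', $left);
}

# Constructed policy: pwdMaxAge = 90 days, pwdExpireWarning = 14 days.
my ($max_age, $warn) = (90 * 86400, 14 * 86400);
# Fixed "now" so the run is repeatable; a cron job would use time().
my $now = generalized_to_epoch('20240401000000Z');

# Constructed uid => pwdChangedTime pairs.
my %changed = (
    alice => '20240320000000Z',
    bob   => '20240110000000Z',
    carol => '20231201000000Z',
    dave  => undef,
);

for my $uid (sort keys %changed) {
    my ($status, $left) = expiry_status($changed{$uid}, $max_age, $warn, $now);
    printf "%-6s %-9s %s\n", $uid, $status,
        defined $left ? sprintf('%.1f days', $left / 86400) : '-';
}
```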