Hi!
I'd like to query userPassword attributes that don't start with "{SSHA", but it seems substring match doesn't work there. An addition I'd like to find those users that didn't change their password since the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
Regards, Ulrich
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hi!
I'd like to query userPassword attributes that don't start with "{SSHA", but it seems substring match doesn't work there. An addition I'd like to find those users that didn't change their password since the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can never be less than createTimestamp, that will only return entries where they are equal.
--Quanah
--
Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
I'd like to query userPassword attributes that don't start with "{SSHA", but it seems substring match doesn't work there. An addition I'd like to find those users that didn't change their password since the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can never be less than createTimestamp, that will only return entries where they are equal.
For various reasons running with slapo-ppolicy and querying pwdChangedTime would be a better choice.
'userPassword' only has EQUALITY and ORDERING matching rules. One could maybe query with >= and <=?
Ciao, Michael.
Quanah Gibson-Mount quanah@zimbra.com schrieb am 25.09.2014 um 18:30 in
Nachricht <9B8A217739A5294E4C5FADD4@[192.168.1.61]>:
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hi!
I'd like to query userPassword attributes that don't start with "{SSHA", but it seems substring match doesn't work there. An addition I'd like to find those users that didn't change their password since the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can never be less than createTimestamp, that will only return entries where they are equal.
Hi!
Isn't that equivalent to (modifyTimeStamp<="createTimestamp"), i.e. isn't createTimestamp interpreted literaly?
Or does ldapsearch do some magic if it detects an LDAP attribute on the right side? Anyway, I tried it, but I get too many results, e.g. createTimestamp: 20140908062530Z modifyTimestamp: 20140908115510Z
(Of course I know I could write some Perl to do the needed filtering, but it would be nice if the LDAP server could help...)
Regards, Ulrich
Ulrich Windl wrote:
Quanah Gibson-Mount quanah@zimbra.com schrieb am 25.09.2014 um 18:30 in
Nachricht <9B8A217739A5294E4C5FADD4@[192.168.1.61]>:
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hi!
I'd like to query userPassword attributes that don't start with "{SSHA", but it seems substring match doesn't work there. An addition I'd like to find those users that didn't change their password since the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
(modifyTimeStamp<=createTimestamp) should do it?
No.
Since modifyTimestamp can never be less than createTimestamp, that will only return entries where they are equal.
Hi!
Isn't that equivalent to (modifyTimeStamp<="createTimestamp"), i.e. isn't createTimestamp interpreted literaly?
Yes.
Or does ldapsearch do some magic if it detects an LDAP attribute on the right side?
No.
Anyway, I tried it, but I get too many results, e.g. createTimestamp: 20140908062530Z modifyTimestamp: 20140908115510Z
(Of course I know I could write some Perl to do the needed filtering, but it would be nice if the LDAP server could help...)
Write an extended matching rule to do what you want.
Regards, Ulrich
Howard Chu hyc@symas.com schrieb am 26.09.2014 um 08:24 in Nachricht
[...]
Write an extended matching rule to do what you want.
[...]
I know _very_ little on that subject: Where would I start?
Regards, Ulrich
openldap-technical@openldap.org
-
Howard Chu -
Michael Ströder -
Quanah Gibson-Mount -
Ulrich Windl