4:27 a.m.
Hi!
I'd like to query userPassword attributes that don't start with "{SSHA",
but it seems substring match doesn't work there.
An addition I'd like to find those users that didn't change their password since
the user was created, i.e. modifyTimestamp=createTimestamp, but I think that's not
possible in a search filter as the right of '=' is interpreted literally, right?
Any ideas?
Regards,
Ulrich
9:30 a.m.
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
Hi!
I'd like to query userPassword attributes that don't start with
"{SSHA",
but it seems substring match doesn't work there. An addition I'd like to
find those users that didn't change their password since the user was
created, i.e. modifyTimestamp=createTimestamp, but I think that's not
possible in a search filter as the right of '=' is interpreted literally,
right?
Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can
never be less than createTimestamp, that will only return entries where
they are equal.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9:35 a.m.
Quanah Gibson-Mount wrote:
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> I'd like to query userPassword attributes that don't start with
"{SSHA",
> but it seems substring match doesn't work there. An addition I'd like to
> find those users that didn't change their password since the user was
> created, i.e. modifyTimestamp=createTimestamp, but I think that's not
> possible in a search filter as the right of '=' is interpreted literally,
> right?
>
> Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can
never be less than createTimestamp, that will only return entries where they
are equal.
For various reasons running with slapo-ppolicy and querying pwdChangedTime
would be a better choice.
'userPassword' only has EQUALITY and ORDERING matching rules. One could maybe
query with >= and <=?
Ciao, Michael.
11:19 p.m.
New subject: Antw: Re: Help: Query unmodified non SSHA userPasswords
>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am
25.09.2014 um 18:30 in
Nachricht <9B8A217739A5294E4C5FADD4(a)[192.168.1.61]>:
--On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> Hi!
>
> I'd like to query userPassword attributes that don't start with
"{SSHA",
> but it seems substring match doesn't work there. An addition I'd like to
> find those users that didn't change their password since the user was
> created, i.e. modifyTimestamp=createTimestamp, but I think that's not
> possible in a search filter as the right of '=' is interpreted literally,
> right?
>
> Any ideas?
(modifyTimeStamp<=createTimestamp) should do it? Since modifyTimestamp can
never be less than createTimestamp, that will only return entries where
they are equal.
Hi!
Isn't that equivalent to (modifyTimeStamp<="createTimestamp"), i.e.
isn't createTimestamp interpreted literaly?
Or does ldapsearch do some magic if it detects an LDAP attribute on the right side?
Anyway, I tried it, but I get too many results, e.g.
createTimestamp: 20140908062530Z
modifyTimestamp: 20140908115510Z
(Of course I know I could write some Perl to do the needed filtering, but it would be nice
if the LDAP server could help...)
Regards,
Ulrich
11:24 p.m.
New subject: Antw: Re: Help: Query unmodified non SSHA userPasswords
Ulrich Windl wrote:
>>> Quanah Gibson-Mount <quanah(a)zimbra.com> schrieb am
25.09.2014 um 18:30 in
Nachricht <9B8A217739A5294E4C5FADD4(a)[192.168.1.61]>:
> --On Thursday, September 25, 2014 2:27 PM +0200 Ulrich Windl
> <Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>
>> Hi!
>>
>> I'd like to query userPassword attributes that don't start with
"{SSHA",
>> but it seems substring match doesn't work there. An addition I'd like to
>> find those users that didn't change their password since the user was
>> created, i.e. modifyTimestamp=createTimestamp, but I think that's not
>> possible in a search filter as the right of '=' is interpreted
literally,
>> right?
>>
>> Any ideas?
>
> (modifyTimeStamp<=createTimestamp) should do it?
No.
> Since modifyTimestamp can
> never be less than createTimestamp, that will only return entries where
> they are equal.
Hi!
Isn't that equivalent to (modifyTimeStamp<="createTimestamp"), i.e.
isn't createTimestamp interpreted literaly?
Yes.
Or does ldapsearch do some magic if it detects an LDAP attribute on
the right side?
No.
Anyway, I tried it, but I get too many results, e.g.
createTimestamp: 20140908062530Z
modifyTimestamp: 20140908115510Z
(Of course I know I could write some Perl to do the needed filtering, but it would be
nice if the LDAP server could help...)
Write an extended matching rule to do what you want.
Regards,
Ulrich
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
11:36 p.m.
New subject: Antw: Re: Help: Query unmodified non SSHA userPasswords
>> Howard Chu <hyc(a)symas.com> schrieb am 26.09.2014 um
08:24 in Nachricht
<54250685.8070206(a)symas.com>:
[...]
Write an extended matching rule to do what you want.
[...]
I know _very_ little on that subject: Where would I start?
Regards,
Ulrich
3360
days inactive
3361
days old
openldap-technical@openldap.org
5 comments
4 participants
participants (4)
-
Howard Chu -
Michael Ströder -
Quanah Gibson-Mount -
Ulrich Windl