Red Hat Directory Server password policies, how to get a user's password expiration date?
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Directory Server 9
- Red Hat Directory Server 10
- Red Hat Directory Server 11
- Red Hat Directory Server 12
Issue
- The "chage" command does not read its data from the Red Hat Directory Server (RHDS) LDAP database. How can an admin get the date of a user's password expiration?
Resolution
- Assuming the RHDS password policies are configured and in use, as described in the online documentation at "RHDS password policy parameters", it is possible to view the value of the following operational attribute (operational means you have to specify the attribute name in the search):
passwordExpirationTime
Specifies the length of time that passes before the user’s password expires.
Example of the value, in date format:
passwordExpirationTime: 20130819080812Z
References:
Managing the Password Policy
Root Cause
The /usr/bin/chage command uses the system password information, not the LDAP policies configured in Red Hat Directory Server / RHDS.
Diagnostic Steps
Use the /usr/bin/ldapsearch command from the openldap-clients package.
For example, using a test environment already set up with user entries and RHDS password policies:
ldapsearch -x -b "ou=people,dc=example,dc=com" uid=guest2 passwordExpirationTime passwordExpWarned passwordmaxage userpassword
...
dn: uid=guest2,ou=people,dc=example,dc=com
passwordExpirationTime: 20130819080812Z
passwordExpWarned: 0
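Added example, not part of the original Red Hat solution: a POSIX shell helper that turns the passwordExpirationTime value returned by the search above into days remaining, similar to what chage reports for local accounts. It assumes GNU date and unwrapped LDIF output; the function names and the guest3 entry are constructed for illustration.

```shell
# Added example. Assumes GNU date (as on RHEL) and unwrapped LDIF, e.g.:
#   ldapsearch -LLL -o ldif-wrap=no -x -b "ou=people,dc=example,dc=com" uid=guest2 passwordExpirationTime

# Convert "YYYYMMDDHHMMSSZ" (UTC) to epoch seconds; return 1 for any other form.
gt_to_epoch() {
    ts=$(printf '%s\n' "$1" | sed -n \
      's/^\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)Z$/\1-\2-\3 \4:\5:\6/p')
    [ -n "$ts" ] || return 1
    date -u -d "$ts" +%s
}

# Read LDIF on stdin, print "dn|status" per entry. $1 is "now" in epoch
# seconds (default: current time) so a run can be reproduced.
expiry_report() {
    now=${1:-$(date -u +%s)}
    dn=""; exp=""
    # The extra blank line flushes the last entry.
    { cat; printf '\n'; } | while IFS= read -r line; do
        if [ -n "$line" ]; then
            # Attribute names are case-insensitive in LDAP.
            name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
            case $name in
                dn) dn=${line#*: } ;;
                passwordexpirationtime) exp=${line#*: } ;;
            esac
            continue
        fi
        [ -n "$dn" ] || continue
        if [ -z "$exp" ]; then
            echo "$dn|passwordExpirationTime not returned"
        elif ! e=$(gt_to_epoch "$exp"); then
            echo "$dn|unparseable value: $exp"
        elif [ "$e" -le "$now" ]; then
            echo "$dn|expired $(( (now - e) / 86400 )) days ago"
        else
            echo "$dn|expires in $(( (e - now) / 86400 )) days"
        fi
        dn=""; exp=""
    done
}

# Constructed sample: the guest2 entry from this page plus a made-up entry without the attribute.
SAMPLE_LDIF='dn: uid=guest2,ou=people,dc=example,dc=com
passwordExpirationTime: 20130819080812Z
passwordExpWarned: 0

dn: uid=guest3,ou=people,dc=example,dc=com'

printf '%s\n' "$SAMPLE_LDIF" | expiry_report "$(gt_to_epoch 20130809080812Z)"
```

In normal use, pipe the ldapsearch output into expiry_report with no argument so the current time is used.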