IBM Support

Limitations of pwdChangedTime

Question & Answer


Question

Can I use pwdChangedTime in a search filter to find user passwords that will expire?

Cause

Change in the design of pwdChangedTime starting in Directory Server 6.0

Answer

The short answer is, yes, you can use it to check for passwords that are about to expire as long as you are aware of the limitations.

The nature of the pwdChangedTime attribute has changed: in earlier versions it was a regular attribute, whereas in versions 6.0 and later it is an operational attribute. This has implications for its use in search filters. This technote documents the current limitations of the pwdChangedTime attribute in search filters.

Originally, the pwdChangedTime attribute was a regular attribute, and was always set when password policy was turned on. When password policy was enabled in these versions, an explicit pwdChangedTime value had to be set for all users with values for userPassword in the LDAP tree during the first server startup after the policy was enabled. In environments with millions of users, this would delay startup more than was acceptable.

As a result, password policy was redesigned so that, among other things, pwdChangedTime no longer had to be set explicitly to expire a password. Instead, if an explicit value wasn't set, a dynamic calculation could be performed using the password policy start time and the user entry's create timestamp to determine when the password would expire. This redesign was part of the features of the ITDS 6.1 release. The pwdChangedTime attribute was changed from a regular attribute (which can be searched with a filter) to an operational attribute (which shouldn't be searchable in a filter). When this happened, however, the ability to search against pwdChangedTime was not removed. Also, our documentation, which provided examples of using pwdChangedTime in a search filter to determine which accounts are close to expiring, was not updated to reflect this change (although future versions of our documentation after 6.3 will be updated).

Therefore, pwdChangedTime currently remains searchable within a search filter, though it really shouldn't be. But because an explicit value for pwdChangedTime may not exist, using pwdChangedTime in a search filter may not return all the users whose passwords are about to expire. To determine if a user's password is about to expire, you can use the following search, which finds entries that have a userPassword but no explicit pwdChangedTime value, and asks for the pwdChangedTime attribute to be returned:

idsldapsearch -D <admin_dn> -w <password> -b <base> -s sub '(&(!(pwdChangedTime=*))(userPassword=*))' pwdChangedTime

Note: on a server with many entries, this could be a long-running, intensive search, so plan accordingly on when to run this search.

Or, you can just check all users, although this is potentially a much slower search:

idsldapsearch -D <admin_dn> -w <password> -b <base> -s sub '(userPassword=*)' pwdChangedTime

(When pwdChangedTime is requested as the search output, a value is dynamically provided as needed, so this search works.)
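The technote leaves the expiry arithmetic to the reader. As an added example (not part of the original technote), the script below post-processes the LDIF that the second idsldapsearch above prints, applying the policy's maximum password age to each returned pwdChangedTime value and separately reporting entries that came back without one, which are exactly the entries a pwdChangedTime filter would miss. The sample output, the DNs, the 60-day maximum age and the 30-day warning window are constructed assumptions.

```python
# Added example, not from the IBM technote: post-process idsldapsearch output to
# find passwords nearing expiry. Assumes the policy's maximum password age is known
# and that pwdChangedTime was requested as an output attribute (explicit or
# dynamically calculated value).
from datetime import datetime, timedelta, timezone

# Constructed sample output (made-up DNs and timestamps) in the shape that
# idsldapsearch ... '(userPassword=*)' pwdChangedTime prints.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20180501120000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20180610090000Z

dn: uid=carol,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Return (dn, pwdChangedTime or None) pairs from simple LDIF output."""
    entries, dn, changed = [], None, None
    for line in text.splitlines() + [""]:  # trailing "" closes the last entry
        if line.startswith("dn: "):
            dn, changed = line[4:], None
        elif line.startswith("pwdChangedTime: "):
            changed = line[len("pwdChangedTime: "):]
        elif line == "" and dn is not None:
            entries.append((dn, changed))
            dn = None
    return entries

def parse_generalized_time(value):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def find_expiring(ldif_text, pwd_max_age, now, within):
    """Return ([(dn, expiry)] for passwords expiring within `within` of `now`,
    [dn with no pwdChangedTime at all]); the second list is what a filter misses."""
    expiring, unknown = [], []
    for dn, changed in parse_ldif(ldif_text):
        if changed is None:
            unknown.append(dn)
            continue
        expires = parse_generalized_time(changed) + pwd_max_age
        if expires <= now + within:
            expiring.append((dn, expires))
    return expiring, unknown

def demo():  # fixed "now" so the result is reproducible offline
    now = datetime(2018, 6, 16, tzinfo=timezone.utc)
    return find_expiring(SAMPLE_LDIF, timedelta(days=60), now, timedelta(days=30))
```

Entries listed in the second result need a closer look rather than being assumed safe, since no explicit or calculated pwdChangedTime was returned for them.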


Document Information

Modified date:
16 June 2018

UID

swg21640156