Use this information to view password policy attributes.
Operational attributes are returned on a search request only when the client
specifically requests them. To use these attributes in search operations,
you must have permission on critical attributes, or permission on the specific
attributes used.
- To view all password policy attributes for a given entry:
> ldapsearch -b "uid=user1,cn=users,o=ibm" -s base "(objectclass=*)" pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset
- To query for entries whose password is about to expire, use the pwdChangedTime attribute.
For example, to find passwords that expire on August 26, 2004, under a password expiration
policy of 186 days, query for entries whose password was changed at least 186 days earlier
(February 22, 2004):
> ldapsearch -b "cn=users,o=ibm" -s sub "(!(pwdChangedTime>=20040222000000Z))" 1.1
where 20040222000000Z is the GeneralizedTime value for midnight, February 22, 2004, so the
filter matches entries whose pwdChangedTime is earlier than that moment.
- To query for locked accounts, use the pwdAccountLockedTime attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" 1.1
where "1.1" indicates that only the entry DNs are to be returned.
- To query for accounts for which the password must be changed because
the password was reset, use the pwdReset attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" 1.1
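As an added example (not part of the product documentation), the following Python reproduces the date arithmetic behind the pwdChangedTime filter above and classifies entries from ldapsearch output by their pwdAccountLockedTime, pwdReset and pwdChangedTime values. The LDIF, user DNs and timestamps are constructed for illustration; the 186-day policy and the August 26, 2004 reference date are the ones used in the text.

```python
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, as the server returns it
REFERENCE_NOW = datetime(2004, 8, 26, tzinfo=timezone.utc)  # date used in the text
MAX_AGE_DAYS = 186  # password expiration policy used in the text
# Constructed ldapsearch (LDIF) output for hypothetical users, not real directory data.
SAMPLE_LDIF = """\
dn: uid=user1,cn=users,o=ibm
pwdChangedTime: 20040101120000Z

dn: uid=user2,cn=users,o=ibm
pwdChangedTime: 20040301090000Z
pwdAccountLockedTime: 20040820101500Z

dn: uid=user3,cn=users,o=ibm
pwdChangedTime: 20040825080000Z
pwdReset: TRUE

dn: uid=user4,cn=users,o=ibm
pwdChangedTime: 20040801000000Z
"""

def expiring_filter(expire_on: datetime, max_age_days: int) -> str:
    """Filter for passwords expiring on or before expire_on. LDAP filters offer only
    >= and <=, so 'changed at least max_age_days ago' is a negated >= match."""
    cutoff = expire_on - timedelta(days=max_age_days)
    return f"(!(pwdChangedTime>={cutoff.strftime(GT_FMT)}))"

def parse_ldif(text: str) -> list[dict]:
    """Minimal LDIF reader for single-line attributes; not a full RFC 2849 parser."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def classify(entry: dict, now: datetime, max_age_days: int) -> str:
    """Account state from the operational attributes, most urgent condition first."""
    if "pwdAccountLockedTime" in entry:
        return "locked"
    if entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE":
        return "must-change"  # password was reset; the user must choose a new one
    changed_at = datetime.strptime(entry["pwdChangedTime"][0], GT_FMT)
    expires_at = changed_at.replace(tzinfo=timezone.utc) + timedelta(days=max_age_days)
    days_left = (expires_at - now).days
    return "expired" if days_left < 0 else f"ok ({days_left} days left)"
```

Feed the real output of the first ldapsearch above (run with `-s sub` over the user container) to parse_ldif and classify each entry against today's date to get an expiry report instead of a bare DN list.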