LDAP Password Expiration

I have an OpenSUSE LDAP server where the passwords expire every few months. Is there a way to see how long specific users have until their passwords expire? I was able to find something like that in the ldap browser, but it only gives me information for samba which I am sure is not for the regular ldap password.

One more thing. I tried using chage -D "cn=Administrator,dc=network_name" -l blank888, but all it said was that password aging information was not available for blank888. That can’t be right because I don’t have a local account on the machine, I was logged in as blank888, and I’ve been forced to change my password on the same LDAP network previously because it expired.

Oh, and passwd -D "cn=Administrator,dc=network_name" -S blank888 yields an equally helpful result. All it says is “blank888 LK”.

Well… there is always ldapsearch :)

# simple bind as the admin, require STARTTLS, prompt for the bind password
ldapsearch -x -ZZ -D "cn=Administrator,dc=network_name" -W -b "dc=network_name" "(uid=blank888)" shadowLastChange shadowMax

My guess is you have the users authenticating through Samba, which has the LDAP password backend.

Sorry for taking so long to reply, I’ve been busy!
Unfortunately that doesn’t seem to work. But if I leave off the “shadowLastChange” part, it does give me Samba information for passwords, so you might be right about it authenticating through samba. The only problem is that it says I don’t have to change my samba password until 2038, but when I login to the system it says I have to change my password in 13 days.
It's also possible that I screwed something up when creating the LDAP server, because I built it after using Linux for just a few months and barely even knew my way around YaST!
Anyways, normally you can open /etc/shadow and find when a certain user made their password, how many days it's good for, etc. Is there a similar file on the LDAP server?

Hey look, the year 2038 problem…I didn’t think I’d ever see that in my life.

As much as I love openSuSE, I'm not always a big fan of YaST. It can get in the way and prevent portability… If you look around you can find a couple of rants.

You mention /etc/shadow, a flat file. You should remember that openLDAP is a database, so you are not looking for a file to edit, but fields to change. That’s just a little technical blip though.

You can get an output like /etc/shadow, though; this can be done with the getent command.

getent shadow

Let me know if that solves your problem.

Well, I finally figured out what was going on. I have a default password policy that makes it so users have to change their passwords every few months, locks you out after so many failed logins, etc. So every user is pointing to the default policy. The plugin that lets the users use the default policy is incompatible with the shadow plugin, and the shadow plugin is the one that stores password information in the same form as a shadow file. So without the shadow plugin the ldapsearch won't give you the information you need, and I imagine (I haven't tested this yet) that the shadow plugin is also what you need for passwd -D and chage -D to work.
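To tie the ldapsearch suggestion above and the password-policy finding together, here is an added example (not code from any post in this thread) that turns ldapsearch output into "days until the password expires" for the three places an OpenLDAP directory can keep that information: the shadowAccount attributes (shadowLastChange/shadowMax, in days), the ppolicy overlay (pwdChangedTime on the user plus pwdMaxAge on the policy entry, in seconds), and the Samba attributes (sambaPwdMustChange, a Unix timestamp whose "never" sentinel is the 2038 date seen above). The LDIF samples, the user and policy DNs, the policy entry name cn=default,ou=policies and the fixed "now" date are all constructed for the example; point the ldapsearch commands in the comments at your own base DN and feed the real output to parse_ldif.

```python
"""Days-until-expiry from ldapsearch output: shadowAccount, ppolicy and Samba.
Added example for this thread; all LDIF below is constructed, not real output."""
import base64
import re
from datetime import datetime, timedelta, timezone

DAY = 86400
SAMBA_NEVER = 2**31 - 1  # 2147483647 = 2038-01-19T03:14:07Z, Samba's "never"

# Constructed "now" so the arithmetic is reproducible (assumption).
NOW = datetime(2024, 3, 18, tzinfo=timezone.utc)

# Constructed output of (base DN and bind DN are the thread's placeholders):
#   ldapsearch -x -ZZ -D "cn=Administrator,dc=network_name" -W \
#       -b "dc=network_name" "(uid=blank888)" shadowLastChange shadowMax
SHADOW_LDIF = """\
# extended LDIF
dn: uid=blank888,ou=people,dc=network_name
shadowLastChange: 19723
shadowMax: 90

search: 2
result: 0 Success
"""
# pwdChangedTime is operational: it only comes back when named (or with '+').
#   ldapsearch ... "(uid=blank888)" pwdChangedTime pwdPolicySubentry
PPOLICY_LDIF = """\
dn: uid=blank888,ou=people,dc=network_name
pwdChangedTime: 20240101000000Z
"""
# The policy entry the users point at; pwdMaxAge is seconds (90 days here).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=network_name
pwdMaxAge: 7776000
"""
SAMBA_LDIF = """\
dn: uid=blank888,ou=people,dc=network_name
sambaPwdMustChange: 2147483647
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 (::)
    values, skips comments and the trailing search/result block (no dn)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
        elif line.startswith("#"):
            continue
        elif ":: " in line:
            attr, value = line.split(":: ", 1)
            current.setdefault(attr, []).append(base64.b64decode(value).decode())
        elif ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr, []).append(value.strip())
    return entries


def shadow_expiry(entry):
    """shadowAccount: both fields are days since the epoch; a missing shadowMax
    (or the conventional 99999) means the password never expires."""
    if "shadowMax" not in entry or int(entry["shadowMax"][0]) >= 99999:
        return None
    last, max_age = int(entry["shadowLastChange"][0]), int(entry["shadowMax"][0])
    return datetime.fromtimestamp((last + max_age) * DAY, tz=timezone.utc)


def ppolicy_expiry(entry, policy):
    """ppolicy: pwdChangedTime is GeneralizedTime, pwdMaxAge seconds (0 = never)."""
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in entry:
        return None
    stamp = re.sub(r"\.\d+", "", entry["pwdChangedTime"][0])  # drop fractional secs
    changed = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return changed + timedelta(seconds=max_age)


def samba_expiry(entry):
    """sambaPwdMustChange is a Unix timestamp; 2^31-1 is the 'never' sentinel,
    which is why a browser shows 'must change in 2038'."""
    must = int(entry["sambaPwdMustChange"][0])
    return None if must >= SAMBA_NEVER else datetime.fromtimestamp(must, tz=timezone.utc)


def days_left(expiry, now=NOW):
    """Whole days until expiry; None = never, negative = already expired."""
    return None if expiry is None else (expiry - now).days


def report(now=NOW):
    """Days left per source for the constructed user, like the login warning."""
    policy = parse_ldif(POLICY_LDIF)[0]
    return {
        "shadowAccount": days_left(shadow_expiry(parse_ldif(SHADOW_LDIF)[0]), now),
        "ppolicy": days_left(ppolicy_expiry(parse_ldif(PPOLICY_LDIF)[0], policy), now),
        "samba": days_left(samba_expiry(parse_ldif(SAMBA_LDIF)[0]), now),
    }


if __name__ == "__main__":
    for source, days in report().items():
        text = "never" if days is None else f"{days} days"
        print(f"{source:14s} {text}")
```

With the constructed values both the shadowAccount and the ppolicy calculation land on 13 days while Samba reports "never", which is the mismatch described in the thread: the Samba attributes and the directory's own password policy are independent clocks, and only the one your login path actually consults produces the warning.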