Viewing password policy attributes
Use this information to view password policy attributes. Operational attributes are returned on a search request only when specifically requested by the client. To use these attributes in search operations, you must have permission to critical attributes, or permission to the specific attributes used.
- To view all password policy attributes for a given entry:
> ldapsearch -b "uid=user1,cn=users,o=ibm" -s base "(objectclass=*)" pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset
- To query for entries for which the password is about to expire, use the pwdChangedTime attribute. For example, to find passwords which expire August 26, 2004, with a password expiration policy of 186 days, query for entries for which the password was changed at least 186 days ago (February 22, 2004):
> ldapsearch -b "cn=users,o=ibm" -s sub "(!(pwdChangedTime>20040222000000Z))" 1.1
where the filter is equivalent to pwdChangedTime of midnight, February 22, 2004.
- To query for locked accounts, use the pwdAccountLockedTime attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdAccountLockedTime=*)" 1.1
where "1.1" indicates that only the entry DNs are to be returned.
- To query for accounts for which the password must be changed because the password was reset, use the pwdReset attribute:
> ldapsearch -b "cn=users,o=ibm" -s sub "(pwdReset=TRUE)" 1.1
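The cutoff arithmetic behind the pwdChangedTime query above, as an added example that is not part of the original documentation: it derives the GeneralizedTime cutoff from an expiry date and a maximum password age in days, and computes the expiry implied by a returned pwdChangedTime value. The function names are hypothetical, datetimes are assumed to be timezone-aware, and the filter expresses the cutoff with the RFC 4515 `<=` operator.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # UTC GeneralizedTime, e.g. 20040222000000Z


def to_generalized_time(dt):
    """Format a timezone-aware datetime as UTC GeneralizedTime."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def parse_generalized_time(value):
    """Parse a pwdChangedTime value returned by the server (UTC 'Z' form only)."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def expiring_filter(expire_by, max_age_days, not_before=None):
    """Filter for passwords that expire on or before expire_by.

    With not_before set, passwords that already expired before that
    moment are excluded, which gives an "expires in this window" query.
    """
    max_age = timedelta(days=max_age_days)
    upper = "(pwdChangedTime<=%s)" % to_generalized_time(expire_by - max_age)
    if not_before is None:
        return upper
    lower = "(pwdChangedTime>=%s)" % to_generalized_time(not_before - max_age)
    return "(&%s%s)" % (upper, lower)


def expiry_of(pwd_changed_time, max_age_days):
    """Expiry moment implied by one pwdChangedTime value."""
    return parse_generalized_time(pwd_changed_time) + timedelta(days=max_age_days)


if __name__ == "__main__":
    utc = timezone.utc
    # Values from the example above: 186-day policy, expiry on August 26, 2004.
    print(expiring_filter(datetime(2004, 8, 26, tzinfo=utc), 186))
    # Constructed sample value, as a search would return it for one entry.
    print(expiry_of("20040301120000Z", 186).isoformat())
```

The returned string is passed as the filter argument of the ldapsearch commands shown above, with "1.1" to return only the entry DNs.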