Tracking users' NMAS password expiration dates using ldapsearch

  • 7018284
  • 16-Nov-2016
  • 16-Nov-2016


NetIQ eDirectory 8.8 SP8
NetIQ eDirectory 9.0


There are many eDirectory installations where the Novell Client is not used.  This makes it difficult to warn users that their passwords are about to expire.  Compounding the problem, NMAS determines the Password Expiration Time dynamically during login so there is no need for an attribute of this type to reside on the user object.  The password expiration time is derived by adding the value of the password expiration interval with the timestamp of either the UP (nspmPassword) or the NDS password (Private Key) which ever is later.  The result is then compared to current time.

Once a user is associated with a NMAS password policy, there are a number of attributes that are populated on the user object from values on the policy.  These include: password required, user allowed to change password, password minimum length, unique passwords required, password expiration interval and, in some cases, the password expiration time.  The first five of these values get changed on the user object if the value on the policy is changed.  By default, there is no Password Expiration Time on a user object when using Universal Password.


NMAS can be configured to write this value on the user object and keep it updated.  There are two requirements:

1. The "Verify whether existing passwords comply with the password policy (verification occurs on login)" password policy rule is set to true.
2. The computed password expiration time is sooner than the value in the user's password expiration time attribute.
NOTE: if the policy has been changed and the password no longer complies with the policy this value will be set to the current date, thereby expiring the password.

1.1 Set the password policy verification rule to true as in the above example.

1.2 Login as that user.  This will create a Password Expiration Time attribute on the user object and is then populated with NMAS' calculated expiration time.

1.3 Run a ldapsearch against the user(s)' using the Password Expiration Time attribute filter.
ldapsearch -x -h x.x.x.x -b o=novell -s sub -D cn=admin,o=novell -w novell "passwordExpirationTime<=20161220000000Z" passwordExpirationTime
This command would show all users whose password will expire before midnight December 19th, 2016.   (The last six digits of all 0's indicates midnight the day before.)