Find all users who did not change their password

Hi,
we want to find out which users have changed their password after a specific date. So we do:

univention-ldapsearch '(&(sambaPwdLastSet>=114927)(sambaPwdLastSet=*))' sambaPwdLastSet

But it gave no result, although there is an entry:

dn: uid=jira-d3support,cn=users,dc=domain,dc=de
sambaPwdLastSet: 1554207810

Is there a simple way to find it out?


Hey,

unfortunately there isn’t a trivial way without retrieving all entries where the attribute is set and doing filtering in whatever language you use (shell, Perl, whatever). The reason is that the LDAP schema doesn’t specify an ordering mechanism for the sambaPwdLastSet attribute; therefore relative comparisons aren’t possible.

Let’s take shadowExpire from /etc/ldap/schema/nis.schema as an example for where such searches are possible:

attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
        EQUALITY integerMatch
        ORDERING integerOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

This attribute supports equality comparison (shadowExpire=123456) as well as relative ones (shadowExpire>=123456).

Now here’s the definition for the sambaPwdLastSet attribute from /usr/share/univention-ldap/schema/samba.schema:

attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
        DESC 'Timestamp of the last password update'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

It only supports equality comparison.

If you only need the data once, you could simply adjust the schema and restart the LDAP server. Just keep in mind that your changes will be lost each time the corresponding package (univention-ldap-config) is updated. You could try working around that with Debian’s diversion system (man dpkg-divert), though — but again, this might break things if the version in the updated package contains changes your customized file then lacks.

The schema file itself seems to originate from the Samba project. You could also file a bug report with them (or Univention) in order to get that change into the official files.

Kind regards
mosu

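The workaround mosu describes (fetch every entry where the attribute is set, then compare the integer outside the LDAP server) as an added shell example that is not part of the thread. It assumes the LDIF output of `univention-ldapsearch '(sambaPwdLastSet=*)' sambaPwdLastSet` is piped to it on stdin; the function names and the sample LDIF are constructed for the example:

```shell
#!/bin/sh
# Filter ldapsearch LDIF output by sambaPwdLastSet without relying on an
# ORDERING rule in the schema: the comparison is done by awk on the client.
# Added example, not code from the forum post. Assumes one "dn:" line per
# entry followed (somewhere before the next "dn:") by its "sambaPwdLastSet:" line.

# Internal helper: keep_changed=1 prints DNs with sambaPwdLastSet >= threshold,
# keep_changed=0 prints DNs with sambaPwdLastSet < threshold.
_filter_pwd_last_set() {
    awk -v t="$1" -v keep_changed="$2" '
        /^dn: /               { dn = substr($0, 5) }
        /^sambaPwdLastSet: /  { if ((($2 + 0) >= (t + 0)) == keep_changed) print dn }
    '
}

# Users whose password was set at or after the Unix timestamp in $1.
# Usage: univention-ldapsearch '(sambaPwdLastSet=*)' sambaPwdLastSet | changed_since "$(date -d 2019-04-01 +%s)"
changed_since() {
    _filter_pwd_last_set "$1" 1
}

# Users whose password was last set before the Unix timestamp in $1
# (the "did not change their password" case from the thread title).
unchanged_since() {
    _filter_pwd_last_set "$1" 0
}

# Constructed sample LDIF, shaped like the entry quoted in the question.
SAMPLE_LDIF='dn: uid=jira-d3support,cn=users,dc=domain,dc=de
sambaPwdLastSet: 1554207810

dn: uid=olduser,cn=users,dc=domain,dc=de
sambaPwdLastSet: 1400000000
'

# Demo when run directly: 1500000000 is a constructed threshold (mid 2017).
echo "changed since 1500000000:"
printf '%s' "$SAMPLE_LDIF" | changed_since 1500000000
echo "not changed since 1500000000:"
printf '%s' "$SAMPLE_LDIF" | unchanged_since 1500000000
```

ldapsearch folds LDIF lines longer than 76 characters onto a continuation line starting with a space, so a very long DN would be cut off in the output above; OpenLDAP's `ldapsearch` accepts `-o ldif-wrap=no` to disable that folding, and entries with a non-ASCII DN are emitted base64-encoded as `dn::`, which this filter does not decode.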