Problem: Identifying and Locking User Accounts with Unchanged Initial Passwords in UCS-LDAP

Problem

The organization needs to identify and lock user accounts where the initial password was not changed within 14 days. The goal is to:

  • Detect accounts with active initial passwords
  • Verify if password changes occurred after initial setup
  • Filter accounts with passwords unchanged for more than 14 days
  • Optionally automate account locking

Cause

The UCS LDAP directory carries no attribute that says "this is still the initial password". The check therefore has to be assembled from attributes that do exist: the shadowMax marker, the password-change timestamps (pwdChangedTime, sambaPwdLastSet) and the entry's creation time (createTimestamp).

Solution

Use the following LDAP attributes and queries to identify affected accounts:

Identify accounts with unmodified initial passwords:

Query users with shadowMax=0. shadowMax normally holds the password expiry interval in days; in this setup the value 0 marks a password that was set by the administrator and that the user still has to change. Confirm this on your UCS release before relying on it: create a test user with "change password on next login" and inspect its shadowMax, shadowLastChange and sambaPwdLastSet values.
Example command (the filter is written on one line; whitespace is not part of the RFC 4515 filter syntax):

ldapsearch -LLL -x -H "$URI" -b "$BASE" \
  '(&(uid=b*)(univentionObjectType=users/user)(shadowMax=0))' \
  uid cn shadowLastChange sambaAcctFlags

An anonymous simple bind (-x without -D) is usually not allowed to read the shadow attributes. On a UCS Primary Directory Node bind as the LDAP admin instead, e.g. -D "cn=admin,$BASE" -y /etc/ldap.secret.

Track password change timestamps:

Use pwdChangedTime or sambaPwdLastSet to determine when the current password was set. pwdChangedTime is an operational attribute maintained by the OpenLDAP password policy (ppolicy) overlay, in GeneralizedTime (e.g. 20240101120000Z); operational attributes are not returned by default, so request it explicitly in the attribute list (or request all of them with "+"). sambaPwdLastSet comes from the Samba schema and holds Unix epoch seconds.
Compare the timestamp with the entry's creation time, the operational attribute createTimestamp: if both are equal, the password has not been touched since the account was created; if pwdChangedTime is later, an administrator has reset it since, but as long as shadowMax=0 is still set the user has not chosen a password of their own.

Automate account locking:

Implement a script that:

  • Retrieves users with shadowMax=0, requesting createTimestamp and pwdChangedTime (or sambaPwdLastSet) explicitly
  • Computes the age of the current password (now minus pwdChangedTime) and compares pwdChangedTime with createTimestamp to tell a never-touched initial password from an administrator reset
  • Locks accounts whose password has been in place for more than 14 days, e.g. with udm users/user modify --dn "$DN" --set disabled=1 (check udm users/user for the values your UCS release accepts), and logs every DN it touched

Additional Notes

sambaPwdLastSet holds Unix epoch seconds and converts directly, e.g. date -u -d @"$sambaPwdLastSet". It is not in Windows format; the Windows FILETIME format (100-nanosecond intervals since 1601-01-01) is used by Active Directory's pwdLastSet, which converts with seconds = pwdLastSet / 10000000 - 11644473600.
For AD-integrated environments, use whenCreated and pwdLastSet. In AD, pwdLastSet=0 means the user must change the password at next logon, which plays the role of shadowMax=0 here.
A basic script example (anonymized):

# Example: list users with unmodified passwords together with the timestamps the check needs.
# createTimestamp and pwdChangedTime are operational attributes; they are only returned
# when requested explicitly, so the grep below would otherwise never match them.
ldapsearch -LLL -x -H "$URI" -b "$BASE" \
  '(&(uid=*)(univentionObjectType=users/user)(shadowMax=0))' \
  uid createTimestamp pwdChangedTime sambaPwdLastSet \
  | grep -E '^(dn|uid|createTimestamp|pwdChangedTime|sambaPwdLastSet):'
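The shell snippet above only lists candidates. The following Python script is an added example, not part of the original article and not UCS code. It evaluates ldapsearch -LLL output the way the "Automate account locking" steps describe (shadowMax=0 marker, age of the current password, pwdChangedTime versus createTimestamp) and also does the sambaPwdLastSet conversion from the notes above. It assumes that createTimestamp and pwdChangedTime were requested explicitly in the search, that locking is done with udm users/user modify --dn DN --set disabled=1 (verify on your release), and it uses a fixed reference time and a constructed LDIF sample with made-up names so that the run is reproducible. It never touches the directory; it only prints the lock commands.

```python
"""Added example (not from the article or from UCS): evaluate ldapsearch -LLL
output and list accounts that still carry the initial-password marker
shadowMax=0 with a password older than 14 days.  Assumes createTimestamp and
pwdChangedTime were requested explicitly (they are operational attributes) and
that locking is done with `udm users/user modify --dn DN --set disabled=1`;
the script only prints that command and never touches the directory."""
import base64
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=14)
SAME_TIME_TOLERANCE = timedelta(seconds=5)  # assumption: add + initial password set land within seconds
REFERENCE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed "now" for a reproducible run

# Constructed sample shaped like ldapsearch -LLL output; every name and value is made up.
SAMPLE_LDIF = """\
dn: uid=bmustermann,cn=users,dc=example,dc=com
uid: bmustermann
cn:: QsOkciBNdXN0ZXJtYW5u
description: initial account,
  created by helpdesk
shadowMax: 0
createTimestamp: 20240101000000Z
pwdChangedTime: 20240101000000Z

dn: uid=bsmith,cn=users,dc=example,dc=com
uid: bsmith
shadowMax: 0
createTimestamp: 20240301000000Z
pwdChangedTime: 20240312120000Z

dn: uid=bnew,cn=users,dc=example,dc=com
uid: bnew
shadowMax: 0
createTimestamp: 20240331160000Z
pwdChangedTime: 20240331160000Z

dn: uid=bold,cn=users,dc=example,dc=com
uid: bold
shadowMax: 0
sambaPwdLastSet: 1700000000
"""


def parse_ldif(text):
    """Turn ldapsearch -LLL output into a list of {attr: [values]} dicts.
    Folded lines (leading space) are joined; 'attr:: value' is base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, rest = line.split(":", 1)
        value = base64.b64decode(rest[1:].strip()).decode("utf-8") if rest.startswith(":") else rest.strip()
        entry.setdefault(attr, []).append(value)
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime as emitted by OpenLDAP, e.g. 20240101120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def samba_pwd_last_set(value):
    """sambaPwdLastSet is Unix epoch seconds (AD's pwdLastSet, by contrast, is Windows FILETIME)."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def password_set_time(entry):
    """When the current password was set: ppolicy attribute first, Samba attribute as fallback."""
    if "pwdChangedTime" in entry:
        return generalized_time(entry["pwdChangedTime"][0])
    if "sambaPwdLastSet" in entry:
        return samba_pwd_last_set(entry["sambaPwdLastSet"][0])
    return None


def find_stale_initial_passwords(ldif_text, now=REFERENCE_NOW, max_age=MAX_AGE):
    """Entries with shadowMax=0 whose current password is older than max_age."""
    stale = []
    for entry in parse_ldif(ldif_text):
        if entry.get("shadowMax", [""])[0] != "0":
            continue                      # marker cleared: user already changed the password
        set_at = password_set_time(entry)
        if set_at is None or now - set_at <= max_age:
            continue                      # nothing to judge by, or still within the 14 days
        created = entry.get("createTimestamp")
        stale.append({
            "dn": entry["dn"][0],
            "uid": entry.get("uid", ["?"])[0],
            "age_days": (now - set_at).days,
            # True: an admin reset the password after creation, but the marker is still set
            "reset_after_creation": bool(created) and set_at - generalized_time(created[0]) > SAME_TIME_TOLERANCE,
        })
    return stale


def lock_commands(stale):
    """UDM commands to disable the accounts (assumed syntax; returned, not run)."""
    return ['udm users/user modify --dn "%s" --set disabled=1' % e["dn"] for e in stale]


if __name__ == "__main__":
    hits = find_stale_initial_passwords(SAMPLE_LDIF)
    for hit in hits:
        print(hit)
    print("\n".join(lock_commands(hits)))
```

In production, feed it the output of the ldapsearch above (with uid, shadowMax, createTimestamp, pwdChangedTime and sambaPwdLastSet in the attribute list), replace REFERENCE_NOW with datetime.now(timezone.utc), and review the printed commands before running them. In the sample, bsmith shows the case the comparison with createTimestamp is for: the password was reset eleven days after the account was created, so it is not the original initial password, but the marker is still set and the user has not picked a password of their own.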