- 03-16-2012 #1 Just Joined!
- Join Date
- Feb 2012
- Posts
- 5
LDAP password expiry
I have an OpenSUSE LDAP server where the passwords expire every few months. Is there a way to see how long specific users have until their passwords expire? I was able to find something like that in the ldap browser, but it only gives me information for samba which I am sure is not for the regular ldap password.
Also, I tried using `chage -D "cn=Administrator,dc=network_name" -l blank888`, but all it said was that password aging information was not available for blank888. That can't be right because I don't have a local account on the machine, I was logged in as blank888, and I've been forced to change my password on the same LDAP network previously because it expired. And `passwd -D "cn=Administrator,dc=network_name" -S blank888` yields an equally helpful result. All it says is "blank888 LK".
- 03-17-2012 #2 Just Joined!
- Join Date
- Mar 2012
- Posts
- 4
ldap passwordexpiration
You could try the following:
`ldapsearch -L -T -D cn="Directory Manager" -w ${PASSWORD} -b "${BASEDN}" uid=${UID} passwordexpirationtime`
Put this in a for loop through all your LDAP users.
Format is YYYYMMDDHHMM....
- 03-22-2012 #3 Just Joined!
- Join Date
- Feb 2012
- Posts
- 5
Sorry for taking so long to reply, I've been busy!
Unfortunately that doesn't seem to work. But if I leave off the "passwordexpirationtime" part, it does give me Samba information for passwords. (Someone suggested that I actually have LDAP going through SAMBA). The only problem is that it says I don't have to change my Samba password until 2038, but when I log in to the system it says I have to change my password in 13 days.
It's also possible that I screwed something up when creating the LDAP server because I built it after using Linux for just a few months.
Anyways, normally you can open /etc/shadow and find when a certain user made their password, how many days it's good for, etc. Is there a similar file on the LDAP server?
- 03-28-2012 #4 Just Joined!
- Join Date
- Feb 2012
- Posts
- 5
Well, I finally figured out what all was going on. I have a default password policy that makes it so users have to change their passwords every few months, locks you out after so many failed logins, etc. So every user is pointing to the default policy. The plugin that lets the users use the default policy is incompatible with the shadow plugin, and the shadow plugin is the one that stores password information in the same form as a shadow file. So without the shadow plugin the ldapsearch won't give you the information you need, and I imagine (I haven't tested this yet) that the shadow plugin is also what you need for passwd -D and chage -D to work.
Also, I'm running OpenSUSE and used yast to set up my server, so that might make a difference for anyone who isn't using yast.


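An added example, not written by anyone in this thread: when expiry is enforced by a default password policy rather than shadow attributes, the time remaining can be computed from each user's last password change plus the policy's maximum age. It assumes the policy in post #4 is the OpenLDAP password policy overlay, which records the change time in the operational attribute `pwdChangedTime` and the maximum age in seconds in `pwdMaxAge` on the policy entry. The LDIF sample, the `example.com` DNs and the 90-day maximum age are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the output of:
#   ldapsearch -x -LLL -b "$BASEDN" "(uid=*)" uid pwdChangedTime
# pwdChangedTime is an operational attribute, so it has to be requested by name.
SAMPLE_LDIF = """\
dn: uid=blank888,ou=people,dc=example,dc=com
uid: blank888
pwdChangedTime: 20120115093000Z

dn: uid=newuser,ou=people,dc=example,dc=com
uid: newuser

dn: uid=olduser,ou=people,dc=example,dc=com
uid: olduser
pwdChangedTime: 20111001000000Z
"""

def parse_ldif(text):
    """Split simple LDIF (no folded or base64 lines) into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry[name.lower()] = value.strip()  # attribute names are case-insensitive
        if entry:
            entries.append(entry)
    return entries

def days_until_expiry(entry, max_age_seconds, now):
    """Whole days left (negative once expired); None when no expiry applies."""
    changed = entry.get("pwdchangedtime")
    if changed is None or max_age_seconds <= 0:
        return None  # password never set under the policy, or pwdMaxAge is 0
    stamp = changed.rstrip("Z").split(".")[0]  # Generalized Time, drop fractions
    changed_at = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return (changed_at + timedelta(seconds=max_age_seconds) - now) // timedelta(days=1)

def expiry_report(ldif_text, max_age_seconds, now):
    """Map each uid to its days-until-expiry value."""
    return {e["uid"]: days_until_expiry(e, max_age_seconds, now)
            for e in parse_ldif(ldif_text) if "uid" in e}

if __name__ == "__main__":
    now = datetime(2012, 3, 28, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for uid, days in expiry_report(SAMPLE_LDIF, 90 * 86400, now).items():
        print(uid, "no expiry data" if days is None else f"{days} days")
```

In real use, the `pwdMaxAge` value would be read from the policy entry that the users point to, and `now` would be `datetime.now(timezone.utc)`.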
