User profile for user: James Cutrone UT
James Cutrone UT Author
User level: Level 1
80 points

Finding the password expiration date

I am trying to figure out how to find the date a person's Open Directory account password will expire. When an account password expires in Open Directory on Tiger server, there is no indication that it has expired in Workgroup Manager. So I would like to inform my users in advance of when their password will expire or at the very least be able to tell them whether or not their password has expired. So far all my searches have resulted in finding people asking the same question with no answers. There is an archived thread in these forums at the URL "http://discussions.apple.com/thread.jspa?messageID=661551&#661551" which covers this topic but again there is no solution.

Does anyone know how to get the expiration date for an account's password? I looked through the LDAP entries and didn't see any value for either the date the password was last changed or the date the password will expire.

Xserve G5 Mac OS X (10.4.5)

Posted on Mar 9, 2006 8:37 AM

Reply
3 replies
User profile for user: James Cutrone UT
James Cutrone UT Author
User level: Level 1
80 points

Apr 17, 2006 10:05 AM in response to Mr. STiVo

I looked at that and pwpolicy does not give a valid expiration date on the account. When you run pwpolicy the expiration date returned is a default bogus date of 12/31/69.

I've looked all over the place and posted to many mailing lists and the only way I have found to determine when a password will expire is to manually parse the password server log file. When a person logs into their open directory account a log entry is made in the password server log and in that log entry you can get the data you need to determine the date the user's password will expire.

Xserver G5 Mac OS X (10.4.6)
Reply
User profile for user: Steven Simon
Steven Simon
User level: Level 1
135 points

Apr 18, 2006 7:29 AM in response to James Cutrone UT

The password server does not publish the information you need. However, it is often possible to figure out the expiration date by checking the kerberos database. If you run:
kadmin.local -q "getprinc <principal-name>"
(notice the command after the -q is quoted)

it returns:
Authenticating as principal root/admin@EXAMPLE.COM with password.
Principal: principal@EXAMPLE.COM
Expiration date: [never]
Last password change: Sun Feb 26 16:16:07 PST 2006
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Sun Feb 26 16:16:07 PST 2006 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]

Now, if you know the policy is set to expire passwords every 30 days, you can use the "Last password change" field to calculate when the password will expire.

Mac OS X (10.4.6)
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Finding the password expiration date

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up