Ask AFP548 December 7, 2005 at 7:22 am

Ask AFP548: Get list of when passwords will expire?

I want to send an email to users letting them know that their password is about to expire (we have them set to expire after 30 days, so this happens frequently). Tinkering with our Tiger server, it seems that mkpassdb doesn’t provide any useful data. Neither does pwpolicy. Using:

pwpolicy -a adminusr -p adminpwd -u sbrown -getpolicy

always returns (no matter what user or expiration)


as its result. Is there any easy way to get this information that works with Tiger? Am I not using pwpolicy correctly?

BTW, I saw a post here where someone mentions that with AD, UAM, and ActiveX it may be possible to get this info, but we aren’t using AD.

Read on for one possible answer…
(Ed. note. OK, so I messed this one up the first time around. Now that I got my head around it, here is the correct answer!)

Well, there are a few different things going on here…

As you suspected you are looking at the wrong policy with pwpolicy. The expirationDateGMT policy doesn’t seem to reflect much. If you were to set an explicit expiration date it would be visible in the hardExpireDateGMT, but that isn’t really what you seem to be after either.

Take a look at the maxMinutesUntilChangePassword policy instead. This determines how long, in minutes, a password may be used before the user is forced to change it (30 days is 43200 minutes; a value of 0 means no forced change).

The next part of the puzzle is the creation date of the password. You can get this info from the user’s KDC principal:

dhcp172-21s10n104:~ tigertestadmin$ sudo kadmin.local -q "getprinc p10014" | grep "Last pass"
Last password change: Tue Nov 29 08:19:12 EST 2005

If you leave the grep off the end you will see the entire user principal. Also note that I’m using kadmin.local here since I’m operating directly on the server; remote queries will need to use regular kadmin and supply Kerberos admin credentials. (An interesting side note when looking at the full principal is the “Expiration date:” property, which is the only property populated with info from the PasswordService.)

To figure out how long the password has left to live, convert the timestamp and the current date to minutes, take the difference, and compare it with the maxMinutesUntilChangePassword policy setting; whatever is left of the policy value is the remaining lifetime.

Hopefully this sets you off in the proper direction. There are tons of date conversion scripts in Google, but does anyone have a favorite they would like to share in the comments below?
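Putting the pieces above together, here is an added example (not code from the AFP548 post or from Apple’s tools) that parses the two outputs and works out the remaining minutes. The sample kadmin and pwpolicy outputs are constructed, modelled on the one kadmin.local line quoted above and on the key=value form pwpolicy -getpolicy prints; the principal name, realm and policy values are placeholders, and the two live helpers at the bottom assume those same output formats.

```python
"""Estimate how long an Open Directory user's password has left (Tiger).

Added example. Inputs: the "Last password change" stamp from the user's KDC
principal and maxMinutesUntilChangePassword from pwpolicy.
"""
import re
import subprocess
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of `kadmin.local -q "getprinc p10014"` (MIT kadmin layout).
SAMPLE_GETPRINC = """Principal: p10014@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Nov 29 08:19:12 EST 2005
Password expiration date: [none]
"""

# Constructed sample of `pwpolicy ... -getpolicy`; 43200 minutes = 30 days.
SAMPLE_POLICY = ("isDisabled=0 canModifyPasswordforSelf=1 "
                 "maxMinutesUntilChangePassword=43200 usingHistory=0")

LAST_CHANGE_RE = re.compile(r"^Last password change:\s+(.+?)\s*$", re.M)
MAX_MINUTES_RE = re.compile(r"maxMinutesUntilChangePassword=(\d+)")


def parse_last_password_change(getprinc_output: str) -> Optional[datetime]:
    """Return the 'Last password change' stamp as a naive local datetime.

    kadmin prints the server's local zone ("EST"); strptime's %Z only knows a
    handful of zone names, so the zone token is dropped and the stamp is
    treated as local time, which matches datetime.now() on the same host
    (a DST shift can put this off by an hour, acceptable for a reminder).
    Returns None for "[never]" or any unparsable value.
    """
    m = LAST_CHANGE_RE.search(getprinc_output)
    if not m:
        return None
    parts = m.group(1).split()   # ['Tue','Nov','29','08:19:12','EST','2005']
    if len(parts) == 6:
        del parts[4]             # drop the zone abbreviation
    try:
        return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None


def parse_max_minutes(policy_output: str) -> Optional[int]:
    """Maximum password age in minutes; None if absent or 0 (0 = no forced change)."""
    m = MAX_MINUTES_RE.search(policy_output)
    if not m or int(m.group(1)) == 0:
        return None
    return int(m.group(1))


def minutes_remaining(last_change: datetime, max_minutes: int,
                      now: Optional[datetime] = None) -> int:
    """Whole minutes until the password must be changed; negative once overdue."""
    now = now or datetime.now()
    deadline = last_change + timedelta(minutes=max_minutes)
    return int((deadline - now).total_seconds() // 60)


def needs_reminder(getprinc_output: str, policy_output: str,
                   warn_days: int = 7,
                   now: Optional[datetime] = None) -> Optional[int]:
    """Minutes left if a reminder is due within warn_days (or already overdue),
    otherwise None. None also when the password never expires or has no stamp."""
    last = parse_last_password_change(getprinc_output)
    max_min = parse_max_minutes(policy_output)
    if last is None or max_min is None:
        return None
    left = minutes_remaining(last, max_min, now)
    return left if left <= warn_days * 1440 else None


def live_getprinc(principal: str) -> str:
    # kadmin.local reads the KDC database directly: run as root on the OD
    # master. From another host use `kadmin` with Kerberos admin credentials.
    return subprocess.run(["kadmin.local", "-q", "getprinc " + principal],
                          capture_output=True, text=True, check=True).stdout


def live_policy(admin: str, user: str) -> str:
    # -p is deliberately omitted so pwpolicy prompts for the admin password
    # instead of exposing it on the command line (visible in `ps`).
    return subprocess.run(["pwpolicy", "-a", admin, "-u", user, "-getpolicy"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    left = needs_reminder(SAMPLE_GETPRINC, SAMPLE_POLICY, warn_days=30,
                          now=datetime(2005, 12, 7, 7, 22))
    print("minutes left:", left)   # 31737 with the constructed samples
```

To drive this from cron, replace the two SAMPLE_ constants with live_getprinc(user) and live_policy(admin, user) for each user and mail anyone for whom needs_reminder returns a value; a negative value means the policy limit has already passed.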


  • OK, I mentioned that we weren’t using AD, but I didn’t mention that we also
    aren’t using Kerberos — and since our standard email client is Entourage,
    which does not support Kerberos, it wouldn’t have helped us, true?

    What I did do is create a script that tracks password changes found in the
    Password Server log located at
    /Library/Logs/PasswordService/ApplePasswordServer.Server.log, saving the
    user ID and date in my own database. I then poll the database every day,
    sending out password reminders as needed, including a link to the osxpass
    cgi that allows users to change their password via a web page.

    I’ll post the code to my solution after I’ve had a chance to clean it up a little.

    • Glad you got a working solution.

      The thing is, if you are using an OD master then you are using Kerberos. Just
      because Entourage doesn’t support it doesn’t mean you can’t use it here. 🙂

      Breaking my server to save yours.

      Josh Wisenbaker

  • The solution that I came up with was to track password changes in the PasswordServer log. I can then use my own database to look for passwords due to expire, assuming that everyone is using the same policy.

    I’ll post the result soon at:


    • I have the exact same problem as you sibr. The KDC is not running on my Open Directory server so the kadmin command does not work for me. I look forward to seeing your solution for this.

  • I need to add about 200 computers to our Open Directory server. I have done this manually via Workgroup Manager. Doing this for 200 devices is not appealing. I have been looking for a dscl script to do this but I am not 100% sure I can get all the attributes that Workgroup Manager adds (nor do I know which attributes are required). If I take a look at what WGM gives, I get (data deleted):


    I am assuming that I will have to use commands similar to (but is this all)

    dscl -u user -p -create /LDAPv3/ODserver/Computers/newcomputer
    dscl -u user -p -create /LDAPv3/ODserver/Computers/newcomputer RealName computername
    dscl -u user -p -create /LDAPv3/ODserver/Computers/newcomputer GeneratedUID $(/usr/bin/uuidgen)
    dscl -u user -p -create /LDAPv3/ODserver/Computers/newcomputer ENetAddress xx:xx:xx:xx:xx:xx

    Will the following command delete all the records associated with a newly created computer?

    dscl -u user -p -delete /LDAPv3/ODserver/Computers/newcomputer

    My intention was to have a tab delimited file containing computername and Ethernet address. I guess the script should 1st check if a given entry (I assume Ethernet address) already exists. Any assistance would be appreciated.
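The bulk add described in the comment above, as an added example (not the commenter’s script, which was never posted): it reads a tab-delimited computername/Ethernet-address file, normalizes and de-duplicates the addresses, checks the node for an existing record with that address before creating anything, and builds the four dscl invocations from the comment. The sample input is constructed; the node path /LDAPv3/ODserver and admin name diradmin are placeholders, and the example assumes dscl’s localhost datasource with full record paths and its -search command for the existence check.

```python
"""Bulk-create Computer records in an Open Directory node from a
"computername<TAB>ethernet address" file. Added example; paths and the
admin name are placeholders."""
import re
import subprocess
import uuid
from typing import List, Tuple

NODE = "/LDAPv3/ODserver"   # placeholder OD node, as in the comment
ADMIN = "diradmin"          # placeholder directory admin

# Constructed sample input: mixed case, dash separators, a blank line and a
# duplicate address on the last line that must be refused.
SAMPLE_TSV = """lab-mac-01\t00:1A:2B:3C:4D:5E
lab-mac-02\t00-1a-2b-3c-4d-5f

lab-mac-03\t00:1a:2b:3c:4d:5e
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Lower-case, colon-separated form so lookups compare equal.
    Raises ValueError unless the value is six hex octets."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("bad ethernet address: %r" % raw)
    return mac


def parse_tsv(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (rows, problems): rows are (computername, mac) pairs, problems
    describe lines skipped for bad format, bad address or duplicates, so one
    typo in the file cannot create two records for the same machine."""
    rows, problems = [], []
    seen_names, seen_macs = set(), set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            name, mac = line.split("\t")
            name, mac = name.strip(), normalize_mac(mac)
        except ValueError as err:
            problems.append("line %d: %s" % (lineno, err))
            continue
        if name in seen_names or mac in seen_macs:
            problems.append("line %d: duplicate entry %s / %s" % (lineno, name, mac))
            continue
        seen_names.add(name)
        seen_macs.add(mac)
        rows.append((name, mac))
    return rows, problems


def dscl_commands(name: str, mac: str, guid: str) -> List[List[str]]:
    """The four dscl steps from the comment as argv lists (no shell quoting
    issues). -p makes dscl prompt for the admin password rather than taking
    it on the command line where `ps` would show it."""
    rec = "%s/Computers/%s" % (NODE, name)
    base = ["dscl", "-u", ADMIN, "-p", "localhost"]
    return [
        base + ["-create", rec],
        base + ["-create", rec, "RealName", name],
        base + ["-create", rec, "GeneratedUID", guid],
        base + ["-create", rec, "ENetAddress", mac],
    ]


def record_exists(mac: str) -> bool:
    """True if a Computer record in the node already carries this address."""
    out = subprocess.run(["dscl", "localhost", "-search", NODE + "/Computers",
                          "ENetAddress", mac],
                         capture_output=True, text=True).stdout
    return bool(out.strip())


def add_computers(text: str, dry_run: bool = True) -> List[List[str]]:
    """Plan the creates for every valid row; execute them unless dry_run."""
    rows, problems = parse_tsv(text)
    for p in problems:
        print("skipping:", p)
    planned = []
    for name, mac in rows:
        if not dry_run and record_exists(mac):
            print("skipping %s: %s already in the directory" % (name, mac))
            continue
        cmds = dscl_commands(name, mac, str(uuid.uuid4()).upper())
        planned.extend(cmds)
        if not dry_run:
            for cmd in cmds:
                subprocess.run(cmd, check=True)
    return planned


if __name__ == "__main__":
    for cmd in add_computers(SAMPLE_TSV, dry_run=True):
        print(" ".join(cmd))
```

Run it with dry_run=True first and review the printed commands; with dry_run=False each dscl call prompts for the admin password, and the existence check runs before every create so re-running the script on the same file does not duplicate records.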

  • Greetings Harry,

    Just wondering if you found a solution to adding the computers via command line. I am in the same boat and looking for a solution.

    Thank you for any info you have!
