Getting password expiration from LDAP
Andrew Davis
Greenhorn
Joined: Jul 06, 2005
Posts: 4
Hello. I've been going through the JNDI docs from Sun and some JavaWorld tutorials to read/write/update/delete from the LDAP I'm using (OID). Now I'm trying to retrieve the password policy attributes from the LDAP server, specifically the password expiry time. Does anyone have a solution for this? I've searched this forum and found some good links. Thanks. AD
Andrew Davis
Greenhorn
Joined: Jul 06, 2005
Posts: 4
Ok. Let me rephrase all of this. I'm trying to determine the amount of time until a user's password expires. This information is stored in an Oracle Internet Directory LDAP. I need to get the password expiration time, which is the pwdMaxAge attribute in "cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext". I can do this fine.

Next I need to get the timestamp of a particular user's password. According to this: http://www.lc.leidenuniv.nl/awcourse/oracle/network.920/a96574/pwdpol... "In addition, the object class top contains these operational attributes, to maintain the user-password state information for each user entry." pwdChangedTime contains a password timestamp. pwdChangedTime is one of those attributes in the object class 'top'. How do I read this value for a single user such as "uid=mojoe,ou=People,o=myserver.com"? I know enough about JNDI to read attributes from mojoe, like the uid, etc. But I can't read those inherited from 'top'.

Also, this is probably more of an Oracle/OID question, but do I have to configure the LDAP to store the value for pwdChangedTime, or is the timestamp automatic? Is there an easier way to get a notice that the password has expired, like through "pwdExpirationWarned"? (I have no idea how to get JNDI to work with pwdExpirationWarned.)

This is a tough question, and all help would be appreciated! Thank you.

[ July 07, 2005: Message edited by: Andrew Davis ]
Song Jing Lim
Ranch Hand
Joined: Feb 11, 2003
Posts: 56
I also face the same problem retrieving some security policy attributes (e.g. pwdAccountLockedTime) from OID using the Sun LDAP API, but without success. Here is my sample code:

```java
package test.jndi;

import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class JNDIApplication {

    // 'enum' is a reserved word from Java 5 on, so the parameter is named 'results' here
    public void printSearchEnumeration(NamingEnumeration results) {
        try {
            while (results.hasMore()) {
                SearchResult sr = (SearchResult) results.next();
                System.out.println(">>>" + sr.getName());
                printAttrs(sr.getAttributes());
            }
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    public void printAttrs(Attributes attrs) {
        if (attrs == null) {
            System.out.println("No attributes when trying to print");
        } else {
            /* Print each attribute */
            try {
                for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
                    Attribute attr = (Attribute) ae.next();
                    System.out.println("attribute: " + attr.getID());
                    /* print each value */
                    for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println("value: " + e.next()));
                }
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }

    public JNDIApplication() {
        String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
        String MY_HOST = "ldap://localhost:3060";
        String MGR_DN = "uid=admin";
        String MGR_PW = "password";
        String INITIAL_ENTRY = "uid =0005975";
        DirContext ctx = null;
        try {
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
            env.put(Context.PROVIDER_URL, MY_HOST);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
            env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
            ctx = new InitialDirContext(env);
            // getAttributes() with no attribute list returns only the user attributes of the entry
            Attributes answer = ctx.getAttributes(INITIAL_ENTRY);
            printAttrs(answer);
        } catch (NamingException e) {
            e.printStackTrace();
        } finally {
            // close the context on every path, not only after a failure
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    // You need main() for a Java app...
    public static void main(String[] args) {
        new JNDIApplication();
    }
}
```

Here is the output, which displays all the attributes the user has; as you can see, it did display those security policy attributes:

```text
attribute: authpassword;oid
value: {SASL/MD5}xgMXC0xvIFLGXZxvHBJKGQ==
value: {SASL/MD5-DN}LI7N8DRsjXysFffOZ40C+Q==
value: {SASL/MD5-U}MQAKyIJPacqzhGSEvmiU1g==
attribute: authpassword;orclcommonpwd
value: {X- ORCLLMV}E52CAC67419A9A224A3B108F3FA6CB6D
value: {X- ORCLNTV}8846F7EAEE8FB117AD06BDD830B7586C
value: {MD5}X03MO1qnZdYdgyfeuILPmQ==
value: {X- ORCLIFSMD5}Hzf+lttETBelztsVTrQ+Ig==
value: {X- ORCLWEBDAV}1bieTs46YoRBwiPxKRDrwQ==
attribute: uid
value: 0005975
attribute: userpassword
value: [B@291aff
attribute: objectclass
value: inetOrgPerson
value: organizationalPerson
value: person
value: top
value: GELagent
attribute: sn
value: 0005975
attribute: cn
value: 0005975
```

Anyone can help?
Rgds,
Song Jing
Song Jing Lim
Ranch Hand
Joined: Feb 11, 2003
Posts: 56
Ok, I solved it. Those attributes are operational: I must ask for them explicitly, in the list of attributes to return from the search request. By default you only get non-operational attributes, which is why I only got uid, cn, etc. For example:

```java
String DN = "uid =user1,ou=Accts,c=sg,o=abc.com";
String[] userAttrList = { "cn", "sn", "orclpwdaccountunlock", "pwdaccountlockedtime", "pwdfailuretime" };
SearchControls searchControls = new SearchControls();
// read the entry at DN itself; the default scope is ONELEVEL, which would only return its children
searchControls.setSearchScope(SearchControls.OBJECT_SCOPE);
// operational attributes are only returned when they are listed here
searchControls.setReturningAttributes(userAttrList);
NamingEnumeration ne = dircontext.search(DN, "(objectclass=*)", searchControls);
if (ne != null) {
    while (ne.hasMore()) {
        SearchResult searchresult = (SearchResult) ne.next();
        Attributes attrs = searchresult.getAttributes();
        printAttrs(attrs);
    }
} else {
    System.out.println("Search Result is null");
}

...

public void printAttrs(Attributes attrs) {
    if (attrs == null) {
        System.out.println("No attributes when trying to print");
    } else {
        /* Print each attribute */
        try {
            for (NamingEnumeration ae = attrs.getAll(); ae.hasMore();) {
                Attribute attr = (Attribute) ae.next();
                System.out.println("attribute: " + attr.getID());
                /* print each value */
                for (NamingEnumeration e = attr.getAll(); e.hasMore(); System.out.println("value: " + e.next()));
            }
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
```
Andrew Davis
Greenhorn
Joined: Jul 06, 2005
Posts: 4
So how do you get those operational attributes explicitly? Thanks, AD
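As an added example (not code from anyone in this thread), here is how the two halves of the question fit together in JNDI: the operational attribute pwdChangedTime is requested by name through SearchControls.setReturningAttributes on a base-scope search of the user's DN, then combined with pwdMaxAge from the OID policy entry to compute the time left. The host, bind DN, password and the readAttrs/parseGeneralizedTime helpers are assumptions of this example, not taken from the original posts.

```java
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class PasswordExpiry {
    // Assumed values: host, bind DN and password are placeholders for your own OID instance.
    static final String URL = "ldap://localhost:3060";
    static final String BIND_DN = "cn=orcladmin";
    static final String BIND_PW = "changeme";
    static final String POLICY_DN = "cn=PwdPolicyEntry,cn=Common,cn=Products,cn=OracleContext";

    /** Read one entry by DN, naming the attributes explicitly so operational ones are returned too. */
    static Attributes readAttrs(DirContext ctx, String dn, String... wanted) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE); // the entry itself (default ONELEVEL = its children)
        sc.setReturningAttributes(wanted);              // operational attributes come back only when listed
        NamingEnumeration<SearchResult> ne = ctx.search(dn, "(objectclass=*)", sc);
        return ne.hasMore() ? ne.next().getAttributes() : null;
    }
    static String single(Attributes attrs, String name) throws NamingException {
        Attribute a = (attrs == null) ? null : attrs.get(name); // lookup is case-insensitive
        return (a == null) ? null : a.get().toString();
    }
    /** LDAP GeneralizedTime as the directory writes it, e.g. 20050707143000Z (no fractional seconds). */
    static Instant parseGeneralizedTime(String gt) {
        return LocalDateTime.parse(gt, DateTimeFormatter.ofPattern("yyyyMMddHHmmss'Z'")).toInstant(ZoneOffset.UTC);
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        DirContext ctx = new InitialDirContext(env);
        try {
            String userDn = (args.length > 0) ? args[0] : "uid=mojoe,ou=People,o=myserver.com";
            String maxAgeStr = single(readAttrs(ctx, POLICY_DN, "pwdmaxage"), "pwdmaxage"); // seconds; 0 = never
            String changed = single(readAttrs(ctx, userDn, "pwdchangedtime"), "pwdchangedtime");
            long maxAge = (maxAgeStr == null) ? 0 : Long.parseLong(maxAgeStr);
            if (maxAge == 0 || changed == null) { System.out.println("no expiry computable for " + userDn); return; }
            Instant expires = parseGeneralizedTime(changed).plusSeconds(maxAge);
            Duration left = Duration.between(Instant.now(), expires);
            System.out.println(userDn + " expires " + expires + (left.isNegative() ? " (EXPIRED)" : " in " + left.toHours() + "h"));
        } finally { ctx.close(); }
    }
}
```

The bind identity must be allowed to read the user's operational attributes; a plain user bind typically sees nothing in pwdChangedTime even when it is requested.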