Is it possible to query AD via LDAP to find out whether a user has to change their password at the next logon? Is there any other method to query this attribute from a non-Windows system (Linux)?
Background: We are working on Linux and have a coupling with AD via LDAP, so users are able to authenticate to non-Windows systems with their Windows credentials. Yesterday two of the technical accounts used to couple AD and Linux had to change their password, and so it was not possible for anyone to authenticate. These technical accounts should not expire and should not need a password change, but due to a mistake in the user management (which is not in our hands) the 90-day password change interval was activated for these users. To prevent this in future I'd like to check automatically, daily, whether these technical accounts need a password change. Expiration is an attribute of the user and easy to query via LDAP, but how do I see over LDAP whether an account needs a password change?
We have no Windows system in our hands, so the solution should only use non-Windows (Linux) methods/solutions.
I think what you are looking for is maxpwdage.
You can get the info using standard ldap tools from any networked host able to reach your ldap hosts.
I have used something like this in the past to give road warriors a friendly warning with plenty of time that their password was going to expire.
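As an added example (not code from the original answer), the check below takes the raw string values that an `ldapsearch` against AD returns for `pwdLastSet` and `userAccountControl` on the account and `maxPwdAge` on the domain root, and decides whether the account is already forced to change its password or is about to expire. The account names and attribute values are constructed sample data, not real directory output.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores pwdLastSet as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl bit "password never expires"
MAXPWDAGE_NEVER = -0x8000000000000000  # maxPwdAge value when no maximum age is set

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_state(pwd_last_set: str, user_account_control: str,
                   max_pwd_age: str, now: Optional[datetime] = None) -> dict:
    """Decide from raw LDAP string values whether a password change is due
    (account attributes come from the user object, maxPwdAge from the domain root)."""
    now = now or datetime.now(timezone.utc)
    last_set, flags, max_age = int(pwd_last_set), int(user_account_control), int(max_pwd_age)
    if last_set == 0:
        # 0 means "user must change password at next logon", regardless of policy
        return {"must_change": True, "expires": None, "reason": "pwdLastSet is 0"}
    if flags & DONT_EXPIRE_PASSWD:
        return {"must_change": False, "expires": None, "reason": "DONT_EXPIRE_PASSWD set"}
    if max_age in (0, MAXPWDAGE_NEVER):
        return {"must_change": False, "expires": None, "reason": "no maxPwdAge in domain"}
    # maxPwdAge is a negative duration in ticks, so subtracting it adds the age.
    expires = filetime_to_datetime(last_set - max_age)
    return {"must_change": now >= expires, "expires": expires,
            "days_left": (expires - now).days, "reason": "computed from maxPwdAge"}

def accounts_needing_attention(records: dict, max_pwd_age: str, warn_days: int,
                               now: Optional[datetime] = None) -> list:
    """Return account names that must change now or expire within warn_days."""
    flagged = []
    for name, (pwd_last_set, uac) in records.items():
        state = password_state(pwd_last_set, uac, max_pwd_age, now)
        if state["must_change"] or state.get("days_left", warn_days + 1) <= warn_days:
            flagged.append(name)
    return flagged

# Constructed sample data (not real directory output): two hypothetical service accounts.
NINETY_DAYS = str(-90 * 24 * 3600 * 10_000_000)  # maxPwdAge for a 90-day policy
JAN_1_2024 = str(int((datetime(2024, 1, 1, tzinfo=timezone.utc)
                      - FILETIME_EPOCH).total_seconds()) * 10_000_000)
SAMPLE = {
    "svc-ldap-bind": (JAN_1_2024, "512"),    # normal account, password expires
    "svc-sssd":      (JAN_1_2024, "66048"),  # 0x10200: DONT_EXPIRE_PASSWD set
}
```

In a daily cron job you would feed `accounts_needing_attention` the values fetched with `ldapsearch -LLL -H ldaps://dc.example.invalid -b "<account base>" "(sAMAccountName=svc-ldap-bind)" pwdLastSet userAccountControl` and `maxPwdAge` from the domain base DN, and alert on any name it returns.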