Dave Aiello wrote, "Recently, I've been writing about my effort to improve the administration of one of my company's servers. This server has an old version of the Netscape/iPlanet/SunOne Directory Server on it."
"Although the Directory Server supports a lot of best practices from a user administration standpoint (such as periodic password expiration), it's rather difficult to manage. Sometimes, active users' passwords silently expired because the directory server would not email them about impending expirations. Theoretically, the server is supposed to notify users of expirations in all cases, but for some reason, this feature didn't work for most of them."
"I decided that I wanted to correct this problem by writing my own Perl-based password expiration warning function. This turned out to be easier said than done in my configuration. Read on for more details...."
Dave Aiello continued:
I let the silent password expiration problem persist for longer than I care to admit. A while back, it was because I just didn't have time to work through the nuances of the Net::LDAP Perl module. But lately, I've had more time and was simply frustrated by some nagging problems with getting even example code to work in my configuration.
The breakthrough came when I realized that the version of Net::LDAP that I am using doesn't work the way I originally thought. I was looking for the contents of an LDAP attribute referred to as passwordExpirationTime, and I was thinking that I could find it by specifying it as follows:
$searchstruct{$_}{passwordExpirationTime}[0]
When I ran the code in a debugger, I found that the version of Net::LDAP I am using was casting the name of the LDAP attribute into lower case letters before putting it into the Perl data structure. You Perl programmers out there will know that:
$hash{passwordExpirationTime} != $hash{passwordexpirationtime};
I was looking for the key in the same mixed case characters that I was using in my LDAP queries. So every time I tried to run the slightly-modified sample code I had written on my server, it didn't work, although ldapsearch worked correctly.
Once I got over this bump in the road, the rest of the program that I was trying to write quickly fell into place. I started working on this problem on Friday morning. I had it fully implemented by Tuesday morning.
After getting this program written and tested, I found out that LDAP attribute names are case insensitive, by definition. The problem I have with this is that most documentation specifies attributes like passwordExpirationTime in mixed case. The command line utility called ldapsearch respects the case of the attributes that you give it. But, the version of Net::LDAP that I have on my server does not.
For CTDATA customers that wondered why I let this problem persist for as long as it did, now you know. As far as I'm concerned, the new LDAP tools that I wrote are a great step forward for us. It will make my life a lot easier. But, a lot of people who are not as close to the problem as I am will probably respond, "So what?"