Apache Directory Studio: how to search for LDAP attribute not updated since a specific date?

Question

I am using Apache Directory Studio to search any LDAP users that have not modified their password since a specific date. I am using search and the (modifyTimestamp=) LDAP filter but not having much luck. Open to any other attributes that would work better. Can anyone help guide me on how to set the filter correctly for this type of search? Bonus if you know how to filter for modifications made within a date range.

Starting to look at this: Apache Dir Studio Search Help Page

Thanks in advance.

Answer 1

There is an operational attribute called pwdChangedTime, it exists in almost every LDAP, in Oracle OUD, ODSEE, OpenDS, OpenDJ, and ApacheDS..., beware you can't see this attributes in a classic LDAP search since its an operational attribute, you should append *+* at the end of your ldapsearch, example:

  ldapsearch -h localhost --port 1389 -D "cn=Directory Manager" -w "password" -b "uid=myuser,ou=people,o=group" -s sub "(objectclass=*)" + 
  ...
  pwdChangedTime: 20201002090230.834Z
  ...

or directly:

  ldapsearch -h localhost --port 1389 -D "cn=Directory Manager" -w "password" -b "uid=myuser,ou=people,o=group" -s sub "(objectclass=*)" pwdChangedTime
  ...
  pwdChangedTime: 20201002090230.834Z
  ...

Finally you can use the filter to set a modify date: *modifytimestamp>=20201002* *