IO17841: INFOCENTER SAYS TO USE PWDCHANGEDTIME TO CHECK FOR ACCOUNTS THAT MIGHT EXPIRE SOON, BUT THAT WON'T ALWAYS WORK
Closed as documentation error.
Starting in ITDS 6.0, the design of password policy was changed so that pwdChangedTime is not always added to the pwdchangedtime attribute table for every dn (it's calculated dynamically). But our docs here: http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic= %2Fcom.ibm.IBMDS.doc%2Fadmin_gd532.htm&path%3D8_4_7_7_2 say that you can figure out which accounts are about to expire by using the pwdChangedTime attribute in a filter. However, that won't work for any accounts for which the password hasn't been explicitly changed.
Because of a redesign in TDS 6.0, the pwdChangedTime attribute was changed from a regular attribute to an operational attribute (which isn't supposed to be searchable in a filter). Searching with this attribute in a filter might not return all the entries an administrator expects. It will return only those entries whose password was changed at least once in past.
See technote #1640156: Limitations of pwdChangedTime. http://www.ibm.com/support/docview.wss?uid=swg21640156
Reported component name
IBM TIV DIR SER
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following: