Expose get-password-expiration API in user portal for OpenLDAP and Samba

[gsanchietti]

Summary

Add get-password-expiration endpoint to the api-moduled user portal for both OpenLDAP and Samba account providers.

Logged-in users can query their own password expiration info. Client UIs (e.g. CTI) can use this to prompt password change before expiry.

API

Endpoint: POST /api/get-password-expiration
Auth: Bearer token (from POST /api/login)

Response example:

{
  "status": "success",
  "message": "password_expiration",
  "expired": false,
  "expiration": "2026-12-21T07:51:25Z",
  "must_change": false
}

Implementation PRs

• ns8-openldap: New API for password expiration information ns8-openldap#137
• ns8-samba: New API for password expiration information ns8-samba#214

[gsanchietti]

Test case 1 — OpenLDAP

• Install OpenLDAP with add-module ghcr.io/nethserver/openldap:2.7.0-dev.5 1
• Execute the script below against the module instance port
• Expected result: response contains expires, expiration_date, days_remaining

Test case 2 — Samba

• Install Samba with add-module ghcr.io/nethserver/samba:3.4.6-dev.2 1
• Execute the script below against the module instance port
• Expected result: response contains expires, expiration_date, days_remaining

---

Adjust PORT to the api-moduled port of the installed module instance, and set valid username/password.

#!/usr/bin/env python3
import json, urllib.request

PORT = 20042  # adjust per module instance

def api(path, token=None, body=None):
    data = json.dumps(body or {}).encode()
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(
        f"http://localhost:{PORT}/api/{path}", data=data, headers=headers, method="POST"
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

resp = api("login", body={"username": "mario", "password": "Mario,1234"})
token = resp["token"]

policy = api("get-password-expiration", token=token)
print(json.dumps(policy, indent=2))

[edospadoni]

Tested on:

• OpenLDAP: ghcr.io/nethserver/openldap:2.7.0-dev.5
• Samba: ghcr.io/nethserver/samba:3.4.6-dev.2

Test case 1 — OpenLDAP ✅

Ran the script against the module's api-moduled port, logged in as a regular user and called get-password-expiration:

{
  "status": "success",
  "message": "password_expiration",
  "expired": false,
  "expiration": "2026-12-21T07:51:25Z",
  "must_change": false
}

Also verified the edge cases:

• user with password never expires → "expiration": null
• the endpoint is reachable with a normal (non-admin) user token

Test case 2 — Samba ✅

Same script against the Samba instance, logged in as a regular AD user:

{
  "status": "success",
  "message": "password_expiration",
  "expired": false,
  "expiration": "2026-12-21T08:36:29.397383Z",
  "must_change": false
}

Also verified the edge cases:

• user with password never expires → "expiration": null
• user with must change password at next logon → "must_change": true

⚠️ Discrepancy: response schema

The issue states the response should contain expires, expiration_date, days_remaining, but the actual implementation (and openapi.yaml in both repos) returns:

Issue (expected)	Actual implementation
expires	expired
expiration_date	expiration
days_remaining	(not present)
—	status, message, must_change

The fields expires, expiration_date, days_remaining are not present in the response. The issue description and the implementation need to be aligned (either update the issue, or change the handlers/openapi to match the documented contract).

[gsanchietti]

The discrepancy was due to an old output inside the issue, I have fixed the description.