Send password expiry warning – OpenLDAP


How do you notify users when their password is about to expire? The ppolicy overlay enforces password expiry rules as expected, and it can return an expiry warning (pwdExpireWarning) in the password policy response control to an LDAP client that asks for it, but it has no option to mail a warning to end users.

As a workaround I wrote a script which:

  1. Looks for users whose password is about to expire.
  2. Sends a warning to the user's mail id (the mail attribute in their LDAP entry) at four stages.
  3. If the entry has no mail id, reports that user in a warning mail to the admin.

How to

  1. Copy the script below onto the LDAP server.
  2. Replace the variable values shown below with the values that match your server.

Step1

Copy the script onto the LDAP server, for example as /root/pwdex.sh (the path used by the cron entry in Step2).

Script

#!/bin/bash
# Mail users whose ppolicy-managed password is about to expire.
ROOTDN="cn=manager,dc=sunt,dc=com"
BASEDN="dc=sunt,dc=com"
## Password stored base64-encoded. base64 is an encoding, not encryption: it only hides
## the password from a casual look at the file. If you store it with real encryption,
## decrypt it here and assign the clear text to ROOTPW. ##
ROOTPW=$(echo cGFzc3dkCg== | openssl enc -base64 -d)
## Max password age in days: must equal the ppolicy pwdMaxAge (seconds) / 86400 ##
MAXPWDAGE=30
## Users under this OU are skipped; must not be blank ##
RESTOU=dummy
ADMINMAILID=root@rhel4.sunt.com
USRLST=/backup/unknown_users
: > "$USRLST"

## Hand the bind password to ldapsearch from a private temp file (-y) rather than
## with -w on the command line, where every local user could read it from ps. ##
PWFILE=$(mktemp) || exit 1
chmod 600 "$PWFILE"
printf '%s' "$ROOTPW" > "$PWFILE"
trap 'rm -f "$PWFILE"' EXIT
ldap() { ldapsearch -x -D "$ROOTDN" -y "$PWFILE" -LLL "$@"; }

###Sending mail to user function###
smail() {   # $1 = user dn, $2 = uid, $3 = subject
 # first value of the mail attribute (base64-encoded "mail::" values are not handled)
 MAILID=$(ldap -b "$1" -s base mail | sed -n 's/^mail: //p' | head -n 1)
 if [ -n "$MAILID" ]; then
  echo -e "Please reset your password asap.\nby\nLDAP Admin" | mailx -s "$3" "$MAILID"
 else
  echo "$2" >> "$USRLST"
 fi
}

CDSEC=$(date -u +%s)
# pwdChangedTime is an operational attribute, but it can still be used in the filter.
# Entries whose DN comes back base64-encoded ("dn::") are skipped by the sed.
ldap -b "$BASEDN" "(&(userPassword=*)(pwdChangedTime=*)(!(ou:dn:=$RESTOU)))" dn |
sed -n 's/^dn: //p' |
while IFS= read -r dn
do
 # value of the first RDN, i.e. the uid for user entries
 USERID=${dn%%,*}; USERID=${USERID#*=}
 # pwdChangedTime is a UTC GeneralizedTime such as 20150101120000Z
 PWCGE=$(ldap -b "$dn" -s base pwdChangedTime | sed -n 's/^pwdChangedTime: //p' | sed 's/Z$//')
 [ -n "$PWCGE" ] || continue
 EXDTE=$(echo "$PWCGE" | sed 's/^\(....\)\(..\)\(..\).*/\1-\2-\3/')
 EXTME=$(echo "$PWCGE" | cut -c 9-14 | sed 's/.\{2\}/&:/g' | cut -c -8)
 # -u: the value is UTC, so date must not apply the server's local time zone
 EXSEC=$(date -u -d "$EXDTE $EXTME" +%s)
 # whole days elapsed since the password was changed
 DIFF=$(( CDSEC / 86400 - EXSEC / 86400 ))

 if [ "$DIFF" -eq $((MAXPWDAGE - 3)) ]; then
  smail "$dn" "$USERID" "User $USERID password expires in 3 days"
 elif [ "$DIFF" -eq $((MAXPWDAGE - 2)) ]; then
  smail "$dn" "$USERID" "User $USERID password expires in 2 days"
 elif [ "$DIFF" -eq $((MAXPWDAGE - 1)) ]; then
  smail "$dn" "$USERID" "User $USERID password expires in 1 day"
 elif [ "$DIFF" -eq "$MAXPWDAGE" ]; then
  smail "$dn" "$USERID" "$USERID password will expire today at $EXTME UTC"
 fi
done

###Send mail to Admin with non mail-id users###
if [ -s "$USRLST" ]; then
 echo -e "Listed users' mail ids are not available in the LDAP directory. Please notify them to reset their password asap.\n\n$(cat "$USRLST")\n\nby\nLDAP Admin" | mailx -s "password going to expire users list" "$ADMINMAILID"
fi

Variables

Edit the script and insert your values. All of these variables are mandatory.

ROOTDN="your root dn, or any dn that can read userPassword and pwdChangedTime for all users (the script only searches; it needs no write access)"

ROOTPW="your root dn password"

Note: You can keep the password base64-encoded in the script, as in the example; generate the value with "echo passwd | openssl enc -base64 -e". base64 is an encoding, not encryption: it only keeps the password out of a casual look at the file, so protect the script itself (owned by root, mode 600).

MAXPWDAGE="the maximum password age, in days"

Note: MAXPWDAGE does not alter any password setting; it is used only to time the warnings. The pwdMaxAge of the ppolicy in force controls the actual expiry. pwdMaxAge is expressed in seconds, so MAXPWDAGE must equal pwdMaxAge / 86400 (30 for a pwdMaxAge of 2592000), otherwise the warnings arrive on the wrong days.

RESTOU="dummy" (this variable must not be blank)

Note: It is used to exclude the users under one organizational unit (OU) from the search. It can take only one OU name. If you are not sure, leave a "dummy" value that matches no OU.

ADMINMAILID="admin mail ids, comma separated"

Note: If a user's mail id is not available, the list of such users is mailed to these ids.
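As an added example that is not part of the original post, here is a ppolicy entry whose pwdMaxAge matches the script's MAXPWDAGE=30. The DN cn=default,ou=policies,dc=sunt,dc=com is assumed; the entry only takes effect if it is the policy in force, either as the overlay default (ppolicy_default in slapd.conf, olcPPolicyDefault in cn=config) or named in a user's pwdPolicySubentry.

```ldif
# Added example (not from the original post); DN and values are assumptions.
# pwdMaxAge is in seconds: 2592000 = 30 * 86400, matching MAXPWDAGE=30.
dn: cn=default,ou=policies,dc=sunt,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 2592000
# 259200 = 3 days: the same window the script's first warning mail uses
pwdExpireWarning: 259200
pwdGraceAuthNLimit: 0
```

The pwdExpireWarning value only makes slapd attach a "password expires in N seconds" warning to the bind response of clients that send the password policy request control; nothing is mailed, which is the gap the script fills. Keep the two numbers in step: if someone later changes pwdMaxAge without touching MAXPWDAGE, the mails are still sent but on the wrong days.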

Stop & Note

The LDAP server must be able to send mail for this script to work. It uses the "mailx" command; if mailx is not available, modify the script accordingly.

Step2

Schedule a cron job under the root user at a time convenient for you. Run it exactly once a day: each warning stage is matched against an exact day count, so a skipped run silently skips that day's warning, and a second run on the same day sends the same mail twice.

#crontab -e
00 12 * * *  /bin/bash /root/pwdex.sh

What the script does?

Users receive up to four warning mails: the first three days before the password expires, the second two days before, the third one day before, and the fourth on the day the password expires.
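The date arithmetic behind those four stages, as an added example and not code from the original script: the pwdChangedTime value is turned into an epoch count and a warning stage in plain shell arithmetic, without calling date, so the logic can be checked offline and does not depend on the server's time zone. The function names, the 2024 sample timestamps and passing "now" as a GeneralizedTime string are my own choices for the example.

```shell
#!/bin/sh
# Added example, not the original script: pwdChangedTime -> days until expiry
# in plain shell arithmetic. "now" is passed as a GeneralizedTime string too,
# so the stage logic can be exercised against fixed sample values.

# Days since 1970-01-01 for a proleptic Gregorian date (days_from_civil
# algorithm); valid for years >= 0.
days_from_civil() {
  y=$1 m=$2 d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# Seconds since the epoch for an LDAP GeneralizedTime such as 20150101120000Z.
# pwdChangedTime is always UTC; fractional seconds, if present, are ignored.
gentime_to_epoch() {
  t=$1
  Y=$(printf '%s' "$t" | cut -c1-4)
  M=$(printf '%s' "$t" | cut -c5-6);   M=${M#0}    # strip a leading zero so
  D=$(printf '%s' "$t" | cut -c7-8);   D=${D#0}    # "08" is not read as octal
  h=$(printf '%s' "$t" | cut -c9-10);  h=${h#0}
  mi=$(printf '%s' "$t" | cut -c11-12); mi=${mi#0}
  s=$(printf '%s' "$t" | cut -c13-14); s=${s#0}
  days=$(days_from_civil "$Y" "$M" "$D")
  echo $((days * 86400 + h * 3600 + mi * 60 + s))
}

# Whole days between the password change and "now", computed the way the
# script does it: (now / 86400) - (changed / 86400), each truncated first.
days_since_change() {
  echo $(( $(gentime_to_epoch "$2") / 86400 - $(gentime_to_epoch "$1") / 86400 ))
}

# Moment the ppolicy overlay treats the password as expired:
# pwdChangedTime + pwdMaxAge. $2 is MAXPWDAGE in days (pwdMaxAge / 86400).
expires_at() {
  echo $(( $(gentime_to_epoch "$1") + $2 * 86400 ))
}

# Which of the four warnings a cron run at "now" would send: prints the days
# left (3, 2, 1, or 0 for "expires today"), or "none" outside that window.
warning_stage() {
  left=$(( $3 - $(days_since_change "$1" "$2") ))
  case $left in
    0|1|2|3) echo "$left" ;;
    *) echo none ;;
  esac
}

# Constructed sample: password changed 2024-01-01 12:00 UTC, 30-day maximum age.
# Prints none, 3, 0, none for the four dates below.
for now in 20240115000000Z 20240128000000Z 20240131130000Z 20240201000000Z; do
  echo "$now -> $(warning_stage 20240101120000Z "$now" 30)"
done
```

Two properties of the script fall out of this. Because the day count is built from truncated day numbers, a password changed at 23:59 UTC counts as one day old a minute later, so the "expires today" mail can go out well before the actual expiry instant, which is exactly pwdChangedTime plus pwdMaxAge seconds (what expires_at returns). And because each stage is an exact match on the day count, the warnings rely on the cron job running once every day.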

Any Feedback, comments, suggestions please post here.

2 thoughts on “Send password expiry warning – OpenLDAP”

    1. Hi Mehmet,

      You do not need to edit the USRLST variable. Update the values of the variables ROOTDN, ROOTPW, MAXPWDAGE and ADMINMAILID. That should be more than enough, because these values vary for each LDAP environment.

      The /backup/unknown_users file has the list of users who do not have mail ids in the LDAP directory. Without a mail id, how would you notify the end user? So the script sends one mail to the admin with the list of such users. The admin can take action accordingly.
