Send password expiry warning – Openldap

How do you notify users when their password is about to expire? The ppolicy overlay works as expected for enforcing password expiry rules, but it has no option to send a password expiry warning to end users.

I have an alternative fix: a script which will

  1. Look for users whose password is about to expire.
  2. Send a warning to the user's mail id (configured in their LDAP profile) at four stages.
  3. If the user has no mail id, send a warning mail to the Admin instead.

How to

  1. Copy the attached script to the system.
  2. Replace the variable values shown below with the values that match your server.

Step 1

Copy the script onto the LDAP server.

Script

#!/bin/bash
ROOTDN="cn=manager,dc=sunt,dc=com"
##Password in base64-encoded form. This is encoding, not encryption: anyone who can read this file can recover it, so keep the script readable by root only (mode 0600).##
##If you store the password some other way it must be decoded and assigned here.##
ROOTPW=`echo cGFzc3dkCg== |openssl enc -base64 -d`
##Max password age in days (must match pwdMaxAge in ppolicy, which is in seconds)##
MAXPWDAGE=30
##OU to exclude from the search; must not be blank##
RESTOU=dummy
ADMINMAILID=root@rhel4.sunt.com
##Users without a mail attribute are collected here for the admin report##
USRLST=/backup/unknown_users
cat /dev/null > "$USRLST"

###Sending mail to user function###
##Note: -w puts the bind password on the command line, where ps shows it to every user; ldapsearch -y <passfile> avoids that.##
smail() {
  MAILID=`ldapsearch -xw "$ROOTPW" -D "$ROOTDN" -b "$i" -LLL mail |grep -i '^mail:'|awk '{print $2}'`
  if [ -n "$MAILID" ]; then
    echo -e "Please reset your password asap.\nby\nLDAP Admin"|mailx -s "$SUB" "$MAILID"
  else
    echo "$USERID" >> "$USRLST"
  fi
}

##All entries that have a password and a ppolicy change time, excluding the RESTOU subtree##
for i in `ldapsearch -xw "$ROOTPW" -D "$ROOTDN" -b dc=sunt,dc=com -LLL "(&(userpassword=*)(pwdchangedtime=*)(!(ou:dn:=$RESTOU)))" dn|awk '{print $2}'`
do
  ##Value of the first RDN of the DN (normally uid=...)##
  USERID=`echo "$i"|awk -F, '{print $1}'|awk -F= '{print $2}'`
  ##pwdChangedTime is a UTC GeneralizedTime, e.g. 20240105093000Z##
  PWCGE=`ldapsearch -xw "$ROOTPW" -D "$ROOTDN" -b "$i" -LLL pwdchangedtime|grep -i '^pwdchangedtime:'|awk '{print $2}'|sed 's/Z//'`
  EXDTE=`echo "$PWCGE" |cut -c 1-8`
  EXTME=`echo "$PWCGE" |cut -c 9- |sed 's/.\{2\}/&:/g' |cut -c -8`
  ##Parse as UTC (-u); without it the Z timestamp would be read in local time##
  EXSEC=`date -u -d "$EXDTE $EXTME" +%s`
  CDSEC=`date -u +%s`
  ##Whole UTC days elapsed since the password was changed##
  DIFF=`expr \( $CDSEC / 86400 \) - \( $EXSEC / 86400 \)`

  if [ "$DIFF" -eq `expr $MAXPWDAGE - 3` ]; then
    SUB="User $USERID password expires in 3 days"
    smail
  elif [ "$DIFF" -eq `expr $MAXPWDAGE - 2` ]; then
    SUB="User $USERID password expires in 2 days"
    smail
  elif [ "$DIFF" -eq `expr $MAXPWDAGE - 1` ]; then
    SUB="User $USERID password expires in 1 day"
    smail
  elif [ "$DIFF" -eq "$MAXPWDAGE" ]; then
    SUB="$USERID password will expire today at $EXTME UTC"
    smail
  fi
  unset USERID PWCGE EXDTE EXTME EXSEC CDSEC DIFF i
done

###Send mail to Admin with non mail-id users###
if [ -s "$USRLST" ]; then
  echo -e "Listed users mail id not available in LDAP directory. Please notify them to reset password asap.\n\n`cat $USRLST`\n\nby\nLDAP Admin"|mailx -s "password going to expire users list" "$ADMINMAILID"
fi

Variables

Edit the script and insert your values. All of these variables are mandatory.

ROOTDN="your root dn or a dn which has write access"

ROOTPW="Your root dn password"

Note: You can specify the password as a base64-encoded string. Encode the actual password using "# echo passwd |openssl enc -base64 -e". This is encoding, not encryption: anyone who can read the script can recover the password, so restrict the script's permissions (e.g. mode 0600, owned by root).

MAXPWDAGE="The maximum password age, in days"

Note: MAXPWDAGE does not alter any password settings; it is only used to time the warnings. The pwdMaxAge defined in ppolicy controls the actual password expiry. pwdMaxAge is given in seconds, so MAXPWDAGE should be pwdMaxAge divided by 86400.

RESTOU="dummy" (This variable must not be blank)

Note: It is used to exclude users in a specific organizational unit (OU) from the search. It can take only one OU name. If you are not sure, put some "dummy" value.

ADMINMAILID="Admin mail ids, comma separated"

Note: If a user's mail id is not available, the mail is sent to these ids instead.

Stop & Note

The LDAP server must be able to send mail for this script to work as expected. It uses the "mailx" command to send mail; if that is not available, the script must be modified accordingly.

Step 2

Schedule a cron job under the root user at whatever time is convenient. Checking once a day is preferred.

# crontab -e
00 12 * * *  /bin/bash /root/pwdex.sh

What does the script do?

Users receive four warning mails in their inbox: the first three days before password expiry, the second two days before, the third one day before, and the fourth on the day the password expires.
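The four-stage schedule above, as an added example that is not part of the original post: it parses pwdChangedTime and computes the days left in plain shell arithmetic (no GNU "date -d" needed, and the timestamp is always read as UTC), then picks the warning stage; it goes beyond the post's script by also reporting passwords that have already expired. The function names and the NOW_EPOCH parameter (passed in so the logic can be checked against a fixed clock) are my own.

```shell
#!/bin/sh
# Added example (not the post's script): days left before a ppolicy
# password expires, and which of the four warning stages applies.

# gt_to_epoch 20240105093000Z -> seconds since 1970-01-01T00:00:00Z.
# Plain shell arithmetic: no GNU "date -d", and the value is always UTC.
gt_to_epoch() {
  # Split the GeneralizedTime YYYYMMDDHHMMSSZ into six fields
  set -- $(printf '%s\n' "$1" | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\).*/\1 \2 \3 \4 \5 \6/')
  # ${x#0} drops one leading zero so "08" and "09" are not read as octal
  gt_y=$(( ${1#0} )); gt_m=$(( ${2#0} )); gt_d=$(( ${3#0} ))
  gt_hh=$(( ${4#0} )); gt_mm=$(( ${5#0} )); gt_ss=$(( ${6#0} ))
  # days-from-civil (proleptic Gregorian); the year starts in March so
  # the leap day is the last day of the year
  if [ "$gt_m" -le 2 ]; then gt_y=$(( gt_y - 1 )); gt_m=$(( gt_m + 9 ))
  else gt_m=$(( gt_m - 3 )); fi
  gt_era=$(( gt_y / 400 ))
  gt_yoe=$(( gt_y - gt_era * 400 ))
  gt_doy=$(( (153 * gt_m + 2) / 5 + gt_d - 1 ))
  gt_doe=$(( gt_yoe * 365 + gt_yoe / 4 - gt_yoe / 100 + gt_doy ))
  gt_days=$(( gt_era * 146097 + gt_doe - 719468 ))
  echo $(( gt_days * 86400 + gt_hh * 3600 + gt_mm * 60 + gt_ss ))
}

# days_left PWDCHANGEDTIME MAXPWDAGE NOW_EPOCH -> whole days until expiry.
# Compares UTC day numbers exactly like the post's DIFF, so the time of
# day is ignored (negative means the password has already expired).
days_left() {
  dl_chg=$(gt_to_epoch "$1")
  echo $(( dl_chg / 86400 + $2 - $3 / 86400 ))
}

# warning_subject USERID PWDCHANGEDTIME MAXPWDAGE NOW_EPOCH
# Prints the mail subject for the stage that applies and returns 0, or
# prints nothing and returns 1 when no mail is due. Unlike the post's
# script it also reports passwords that have already expired.
warning_subject() {
  ws_left=$(days_left "$2" "$3" "$4")
  if [ "$ws_left" -lt 0 ]; then
    echo "User $1 password expired $(( -ws_left )) day(s) ago"
  elif [ "$ws_left" -eq 0 ]; then
    echo "User $1 password will expire today"
  elif [ "$ws_left" -le 3 ]; then
    echo "User $1 password expires in $ws_left day(s)"
  else
    return 1
  fi
}
```

In the cron script the call would be `warning_subject "$USERID" "$PWCGE" "$MAXPWDAGE" "$(date -u +%s)"` with PWCGE taken straight from the pwdChangedTime attribute (Z included).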

Any feedback, comments or suggestions, please post here.

9 thoughts on "Send password expiry warning – Openldap"

    1. Hi Mehmet,

      You do not need to edit the USRLST variable. Update the values of the variables ROOTDN, ROOTPW, MAXPWDAGE and ADMINMAILID. That should be more than enough, because these values vary for each LDAP environment.

      The /backup/unknown_users file has the list of users who do not have mail ids in the LDAP directory. Without a mail id, how would you notify the end user? So the script sends one mail to the admin with that list of users, and the admin can take action accordingly.

  1. Hello, thank you all for the info. I'm new to LDAP and wondering where we place the script and under which folder? Thank you!!

    1. Hello Lee,

      Apologies for the delay; hopefully you have found a solution by now. Still posting the response, as it may help others. The script location does not matter; place it wherever you want, but configure the cron job accordingly.

      Thanks.

  2. Very great post. I just stumbled upon your blog and wanted to say that I have really enjoyed surfing around your blog posts. After all I will be subscribing to your feed and I am hoping you write again soon!

  3. While this is incredibly useful, I strongly warn users that the "encryption" used is not encryption; it's just encoding. Storing the encoded password in this script is the same as storing the cleartext of the password. You must be willing to accept that risk and take the necessary measures to protect the privacy/readability of this script if you opt to use it. Alternatively, consider breaking the password out into another file, setting it to be readable only by the user running the script, then sourcing or otherwise parsing that file. E.g.
    echo PASSWORD=mypassword > privatefile.conf
    chmod 600 privatefile.conf
    # then in the script:
    source privatefile.conf
    echo $PASSWORD

    1. I agree with you, but I do not suggest storing the password as plain text. Instead you can store the encoded string in a file and then parse and decode it inside the script.

      Thanks for highlighting it, appreciated.
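Building on the thread above, an added example (not the post's script nor the commenter's code): the bind password lives in a separate base64 file, as the reply suggests, that is only used when its mode and owner check out, and it is handed to ldapsearch with -y (read from a file) instead of -w (a command-line argument visible to every user in ps). The function names and the secret-file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the post's script: bind password kept in a private
# file, verified before use, and passed to ldapsearch via -y instead of -w.

# load_bind_pw FILE -> prints the decoded password or fails with a reason.
# FILE holds the base64 of the password (same form as the post's ROOTPW).
load_bind_pw() {
  lb_file=$1
  [ -f "$lb_file" ] || { echo "no such file: $lb_file" >&2; return 1; }
  # The first field of ls -ld is the POSIX permission string; anything
  # readable or writable by group/other is rejected.
  lb_ls=$(ls -ld "$lb_file")
  case $lb_ls in
    -rw-------*|-r--------*) ;;
    *) echo "refusing $lb_file: mode must be 0600 or 0400" >&2; return 1 ;;
  esac
  lb_owner=$(printf '%s\n' "$lb_ls" | awk '{print $3}')
  [ "$lb_owner" = "$(id -un)" ] || { echo "refusing $lb_file: not owned by $(id -un)" >&2; return 1; }
  # base64 is encoding, not encryption: the file mode is the real protection
  if command -v openssl >/dev/null 2>&1; then
    lb_pw=$(openssl enc -base64 -d < "$lb_file")
  else
    lb_pw=$(base64 -d < "$lb_file")
  fi
  [ -n "$lb_pw" ] || { echo "empty or undecodable password in $lb_file" >&2; return 1; }
  printf '%s' "$lb_pw"
}

# ldap_search_with_pwfile SECRETFILE ROOTDN BASE [ldapsearch args...]
# Writes the decoded password to a 0600 temp file, passes it with -y
# (which reads the file verbatim, so no trailing newline is written),
# and removes the temp file whether or not ldapsearch succeeds.
ldap_search_with_pwfile() {
  ls_pw=$(load_bind_pw "$1") || return 1
  ls_dn=$2; ls_base=$3; shift 3
  ls_tmp=$(mktemp) || return 1
  chmod 600 "$ls_tmp"
  printf '%s' "$ls_pw" > "$ls_tmp"
  ldapsearch -x -y "$ls_tmp" -D "$ls_dn" -b "$ls_base" -LLL "$@"
  ls_rc=$?
  rm -f "$ls_tmp"
  return $ls_rc
}
```

With this in place the post's `ldapsearch -xw $ROOTPW -D $ROOTDN -b ...` calls become `ldap_search_with_pwfile /root/.ldap_bind_pw "$ROOTDN" ...` and ROOTPW never has to sit in the script or on a command line.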
