How to notify users when their password is about to expire? The OpenLDAP ppolicy overlay enforces password expiry rules as expected, but it has no option to send a password expiry warning mail to end users.
I have a workaround: a script which
- Looks for users whose password is about to expire.
- Sends a warning to the user's mail id (configured in their LDAP profile) at four stages.
- If no mail id exists for the user, sends a warning mail to the Admin instead.
How to
- Copy the attached script to the system.
- Replace the variable values shown below with the exact values that match your server.
Step 1
Copy the script onto the LDAP server.
Script
#!/bin/bash
ROOTDN="cn=manager,dc=sunt,dc=com"
## Password in encoded form. If you use some other encryption technology it must be decrypted and assigned ##
## base64 is encoding, not encryption: anyone who can read this file can recover the password, so keep it mode 600 ##
ROOTPW=`echo cGFzc3dkCg== | openssl enc -base64 -d`
## Max password age in days (ppolicy's pwdMaxAge is in seconds, so divide it by 86400) ##
MAXPWDAGE=30
## OU excluded from the search; must not be blank ##
RESTOU=dummy
ADMINMAILID=root@rhel4.sunt.com
## Users found without a mail attribute are collected here and reported to the admin ##
USRLST=/backup/unknown_users
cat /dev/null > $USRLST

### Send the warning mail to the user whose DN is in $i; record the user if no mail id exists ###
## Note: -w puts the password on the command line, where ps can show it; ldapsearch -y <file> avoids that ##
smail() {
    MAILID=`ldapsearch -xw $ROOTPW -D $ROOTDN -b $i mail -LLL | grep -i ^mail | awk '{print $2}'`
    if [ -n "$MAILID" ]; then
        echo -e "Please reset your password asap.\nby\nLDAP Admin" | mailx -s "$SUB" $MAILID
    else
        echo "$USERID" >> $USRLST
    fi
}

### Every entry that has a password and a pwdChangedTime, excluding $RESTOU ###
for i in `ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL "(&(userpassword=*)(pwdchangedtime=*)(!(ou:dn:=$RESTOU)))" dn | awk '{print $2}'`
do
    ## uid taken from the first RDN of the DN (uid=jdoe,ou=...,dc=sunt,dc=com) ##
    USERID=`echo $i | awk -F, '($1~/^uid=/){print $1}' | awk -F= '{print $2}'`
    ## pwdChangedTime is a GeneralizedTime in UTC, e.g. 20240301143000Z ##
    PWCGE=`ldapsearch -xw $ROOTPW -D $ROOTDN -b $i -LLL pwdchangedtime | grep -i ^pwdchangedtime | awk '{print $2}' | sed 's/Z//'`
    EXDTE=`echo $PWCGE | cut -c 1-8`                                   ## YYYYMMDD ##
    EXTME=`echo $PWCGE | cut -c 9- | sed 's/.\{2\}/&:/g' | cut -c -8`  ## HH:MM:SS ##
    EXSEC=`date -u -d "$EXDTE $EXTME" +%s`                             ## -u: parse as UTC, not local time ##
    CDSEC=`date -u +%s`
    ## whole days elapsed since the password was changed ##
    DIFF=`expr \( $CDSEC / 86400 \) - \( $EXSEC / 86400 \)`
    if [ "$DIFF" == `expr $MAXPWDAGE - 3` ]; then
        SUB="User $USERID password will expire in 3 days"
        smail
    elif [ "$DIFF" == `expr $MAXPWDAGE - 2` ]; then
        SUB="User $USERID password will expire in 2 days"
        smail
    elif [ "$DIFF" == `expr $MAXPWDAGE - 1` ]; then
        SUB="User $USERID password will expire in 1 day"
        smail
    elif [ "$DIFF" == "$MAXPWDAGE" ]; then
        SUB="User $USERID password will expire today at $EXTME UTC"
        smail
    fi
    unset USERID PWCGE EXDTE EXTME EXSEC CDSEC DIFF
done

### Send mail to Admin with the users that have no mail id ###
if [ -s "$USRLST" ]; then
    echo -e "Listed users mail id not available in LDAP directory. Please notify them to reset password asap.\n\n`cat $USRLST`\n\nby\nLDAP Admin" | mailx -s "password going to expire users list" $ADMINMAILID
fi
Variables
Edit the script and insert your values. All of these variables are mandatory.
ROOTDN="your root DN, or a DN which has write access"
ROOTPW="your root DN password"
Note: You can specify the password as a base64-encoded string. Encode the actual password with: echo passwd | openssl enc -base64 -e. Base64 is only an encoding, not encryption: anyone who can read the script can recover the password, so make the script readable only by the user that runs it (chmod 600).
MAXPWDAGE="the maximum password age in days"
Note: MAXPWDAGE does not alter any password settings; it is used only to time the warnings. The pwdMaxAge defined in ppolicy controls the actual password expiry. pwdMaxAge is expressed in seconds, so set MAXPWDAGE to pwdMaxAge divided by 86400 (for example, 2592000 seconds = 30 days).
RESTOU="dummy" (this variable must not be blank)
Note: It is used to exclude the users of one organizational unit (OU) from the search. It can take only one OU name. If you are not sure, put some "dummy" value.
ADMINMAILID="Admin mail ids, comma separated"
Note: If a user's mail id is not available, the mail is sent to these ids instead.
Stop & Note
The LDAP server must be able to send mail for this script to work as expected. It uses the mailx command to send mail; if mailx is not available, the script must be modified accordingly.
Step 2
Schedule a cron job under the root user at a time convenient for you. Checking once a day is preferred.
# crontab -e
00 12 * * * /bin/bash /root/pwdex.sh
What does the script do?
Users receive four warning mails in their inbox: the first three days before password expiry, the second two days before, the third one day before, and the fourth on the day the password expires.
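The four stages above depend on the date arithmetic the script performs on pwdChangedTime. The following is an added example, not the original pwdex.sh, that isolates that arithmetic into functions so it can be checked without an LDAP server: the GeneralizedTime value is parsed as UTC, the whole-day difference is computed the same way the script does, and the day count is mapped to a warning stage. It assumes GNU date (date -u -d), which the original script also relies on; the sample timestamps are constructed.

```shell
#!/bin/bash
# Added example, not the post's script: the expiry arithmetic of pwdex.sh
# isolated into functions so it can be checked without an LDAP server.
# Assumes GNU date (date -u -d), as the original does.

# pwdChangedTime is an LDAP GeneralizedTime in UTC, e.g. 20240301143000Z.
# Return it as seconds since the epoch, parsed as UTC rather than local time.
pwdchangedtime_to_epoch() {                 # $1 = pwdChangedTime
    local ts d t
    ts=${1%Z}                                                             # strip the trailing Z
    d=$(printf '%s' "$ts" | sed 's/^\(....\)\(..\)\(..\).*$/\1-\2-\3/')   # YYYY-MM-DD
    t=$(printf '%s' "$ts" | cut -c 9- | sed 's/.\{2\}/&:/g' | cut -c -8)  # HH:MM:SS
    date -u -d "$d $t" +%s
}

# Whole days since the password was changed: epoch-day of "now" minus
# epoch-day of the change, exactly as the script's expr line does.
days_since_change() {                       # $1 = pwdChangedTime, $2 = now (epoch seconds)
    local changed
    changed=$(pwdchangedtime_to_epoch "$1") || return 1
    echo $(( $2 / 86400 - changed / 86400 ))
}

# Map the day count to one of the four warning stages. Returns 1 when no
# mail is due; already-expired accounts (negative "left") are, as in the
# original, left to ppolicy to lock out.
warning_stage() {                           # $1 = days since change, $2 = MAXPWDAGE (days)
    local left
    left=$(( $2 - $1 ))
    case $left in
        3|2) echo "will expire in $left days" ;;
        1)   echo "will expire in 1 day" ;;
        0)   echo "will expire today" ;;
        *)   return 1 ;;
    esac
}

# Compose the mail subject the way the script builds $SUB.
expiry_subject() {                          # $1 = uid, $2 = pwdChangedTime, $3 = MAXPWDAGE, $4 = now
    local diff stage
    diff=$(days_since_change "$2" "$4") || return 1
    stage=$(warning_stage "$diff" "$3") || return 1
    echo "User $1 password $stage"
}

# Constructed sample: password changed 2024-03-01 14:30:00 UTC, checked on
# 2024-03-28 09:00:00 UTC (epoch 1711616400) with a 30-day maximum age.
expiry_subject jdoe 20240301143000Z 30 1711616400 || true
```

Feeding a fixed "now" into the functions is what makes the stage logic testable; the real script uses date -u +%s at run time. Note that the original compares calendar days, so a warning mail goes out on the day the count matches, not at the exact second ppolicy computes from pwdChangedTime plus pwdMaxAge.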
Any feedback, comments or suggestions, please post here.
Hi
I copied that script and edited it, but it isn't working. What should I write for the USRLST=/backup/unknown_users file?
Hi Mehmet,
You do not need to edit the USRLST variable. Update the values of the variables ROOTDN, ROOTPW, MAXPWDAGE and ADMINMAILID. That should be more than enough, because these values vary for each LDAP environment.
The /backup/unknown_users file has the list of users who do not have mail ids in the LDAP directory. Without a mail id, how would you notify the end user? So the script sends one mail to the admin with the list of such users, and the admin can take action accordingly.
Hello, thank you all for the info. I'm new to LDAP and wondering where we place the script, and under which folder? Thank you!!
Hello Lee,
Apologies for the delay; I hope you have found a solution by now. Still posting the response, so it may help others. The script location does not matter; place it wherever you want, but configure the cron job accordingly.
Thanks.
The great service in this blog and the nice technology is visible in this blog. I am really very happy for the nice approach.
I enjoy the article
Very great post. I just stumbled upon your blog and wanted to say that I have really enjoyed surfing around your blog posts. After all I will be subscribing to your feed and I am hoping you write again soon!
While this is incredibly useful, I strongly warn users that the “encryption” used is not encryption, it’s just encoding. Storing the encoded password in this script is the same as storing the cleartext of the password. You must be willing to accept that risk and take necessary measures to protect the privacy/readability of this script if you opt to use it. Alternatively consider breaking the password out into another file, setting it to be only readable by the user running the script. Then source or otherwise parse that file. E.g.
echo PASSWORD=mypassword > privatefile.conf
chmod 600 privatefile.conf
#then in the script:
source privatefile.conf
echo $PASSWORD
Agree with you, but I do not suggest storing the password as plain text. Instead, you can store the encoded string in a file and then parse and decode it inside the script.
Thanks for highlighting; appreciate it.
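The exchange above is about where the bind password lives; the other exposure in the script is that ldapsearch -w puts it on the command line, where ps shows it to every user on the host. The following is an added example, not the post's script or the commenter's snippet, that combines both points: the password is kept in a file that only the script's user can read, the file's ownership and mode are verified before use, and ldapsearch reads it with -y instead of -w. It assumes GNU coreutils (stat -c) and OpenLDAP's ldapsearch; the bind DN and search base in the search function are placeholders, and the password written in the demonstration is constructed. Whether or not the file content is base64-encoded, its permissions are what protect it.

```shell
#!/bin/bash
# Added example, not the post's script: a bind password kept in a private
# file, verified before use, and handed to ldapsearch with -y (not -w).
# Assumes GNU coreutils (stat -c) and OpenLDAP's ldapsearch.

# Write the secret the way ldapsearch -y expects: the file's exact bytes are
# the password, so no trailing newline (printf, not echo). umask 077 gives a
# newly created file mode 600.
write_secret_file() {                   # $1 = path, $2 = password
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Refuse a secret file that other users could read or that we do not own.
check_secret_file() {                   # $1 = path
    local f mode owner
    f=$1
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    mode=$(stat -c %a "$f")
    owner=$(stat -c %u "$f")
    [ "$owner" = "$(id -u)" ] || { echo "$f: not owned by uid $(id -u)" >&2; return 1; }
    case $mode in
        400|600) return 0 ;;
        *) echo "$f: mode $mode is too permissive (want 600)" >&2; return 1 ;;
    esac
}

# The search pwdex.sh performs, with -y in place of -w so the password never
# appears in the process list. Bind DN and base are placeholders for your
# own directory; this function is not run by the demonstration below.
find_expiring_candidates() {            # $1 = bind DN, $2 = secret file, $3 = search base
    check_secret_file "$2" || return 1
    ldapsearch -x -D "$1" -y "$2" -b "$3" -LLL \
        '(&(userPassword=*)(pwdChangedTime=*))' dn pwdChangedTime
}

# Constructed demonstration: a temporary secret file is accepted while it is
# private and refused once it has been made readable by others.
demo() {
    local f
    f=$(mktemp) || return 1
    write_secret_file "$f" 'constructed-password'
    check_secret_file "$f" && echo "ok: $f is private"
    chmod 644 "$f"
    check_secret_file "$f" || echo "refused: $f is readable by others"
    rm -f "$f"
}
demo
```

To use this with the post's script, create the file once as root with write_secret_file (or printf '%s' ... > file followed by chmod 600), drop the ROOTPW variable, and replace each ldapsearch -xw $ROOTPW with ldapsearch -x -y /path/to/file. If the file is produced with echo instead of printf, the newline becomes part of the password and the bind fails.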