Context Navigation

← Previous Change
Wiki History
Next Change →

Changes between Initial Version and Version 1 of campuswifiandeduroam2023Agenda/pwden

Timestamp:: Jul 24, 2024, 5:05:45 PM (4 months ago)
Author:: tuwan
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

campuswifiandeduroam2023Agenda/pwden

               v1
+===Configure OpenLDAP Password Expiry Email Notification===
+This tutorial will provide some basics steps to take to configure OpenLDAP to send out notifications via email to users mailbox informing them about the password expiration also system admins.
+The Script can be found at [https://github.com/ltb-project/ldap-scripts here]
+{{{
+grep -Ev "^\s[#\;]|^\s$|^#" checkLdapPwdExpiration.sh
+}}}
+{{{
+MY_LDAP_HOSTURI="ldapi:///"
+MY_LDAP_DEFAULTPWDPOLICYDN="cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com"
+MY_LDAP_SEARCHBASE="ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
+MY_LDAP_SEARCHFILTER="(&(uid=*)(objectClass=inetOrgPerson))"
+MY_LDAP_SEARCHSCOPE="one"
+MY_LDAP_SEARCHBIN="/usr/bin/ldapsearch"
+MY_LDAP_NAME_ATTR=cn
+MY_LDAP_LOGIN_ATTR=uid
+MY_LDAP_MAIL_ATTR=mail
+export LC_ALL=en_US.UTF-8
+MY_MAIL_BODY="Hi %name,\n\n \
+        Your password will expire in %expireDays days on %expireTimeTZ.\n\n \
+        Visit Kifarunix-demo Self Service Password site, https://ldap-ssp.kifarunix-demo.com to reset your password.\n\n \
+        As a reminder, ensure that your password conforms to the company outlined password policies.\n\n \
+        Kifarunix-demo IT team,\n
+        Regards."
+EX_MAIL_BODY="Hi %name,\n\n \
+        Your password expired on %expireTimeTZ.\n\n \
+        Kindly contact Kifarunix-demo IT team to help reset the password.\n\n \
+        Kifarunix-demo IT team,\n
+        Regards."
+MY_MAIL_SUBJECT="LDAP Account Password Expiry Status"
+MY_MAIL_BIN="mail"
+MY_LOG_HEADER="`date +\"%b %e,%Y %T\"`"
+MY_GAWK_BIN="/usr/bin/gawk"
+getTimeInSeconds() {
+        date=0
+        os=`uname -s`
+        if [ "$1" ]; then
+                date=`${MY_GAWK_BIN} 'BEGIN  { \
+                        if (ARGC == 2) { \
+                                print mktime(ARGV[1]) \
+                        } \
+                        exit 0 }' "$1"`
+        else
+                if [ "${os}" = "SunOS" ]; then
+                        date=`/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \
+                                '/^time\(\)/ {gsub(/ /,"",$2);print $2}'`
+                else
+                        now=`date +"%Y %m %d %H %M %S" -u`
+                        date=`getTimeInSeconds "$now"`
+                fi
+        fi
+        echo ${date}
+}
+tmp_dir="/tmp/$$.checkldap.tmp"
+result_file="${tmp_dir}/res.tmp.1"
+buffer_file="${tmp_dir}/buf.tmp.1"
+tmp_dir_stats="/tmp/ldap-password-stats"
+ldap_param="-Y EXTERNAL -H ${MY_LDAP_HOSTURI} -LLL -Q"
+nb_users=0
+nb_expired_users=0
+nb_warning_users=0
+if [ -d ${tmp_dir} ]; then
+        echo "Error : temporary directory exists (${tmp_dir})"
+        exit 1
+fi
+mkdir ${tmp_dir}
+if [ ${MY_LDAP_ROOTDN} ]; then
+        ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}"
+fi
+${MY_LDAP_SEARCHBIN} ${ldap_param} -s ${MY_LDAP_SEARCHSCOPE} \
+        -b "${MY_LDAP_SEARCHBASE}" "${MY_LDAP_SEARCHFILTER}" \
+        "dn" > ${result_file}
+while read dnStr
+do
+        if [ ! "${dnStr}" ]; then
+                continue
+        fi
+        dn=`echo ${dnStr} | cut -d : -f 2`
+        nb_users=`expr ${nb_users} + 1`
+        ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \
+                ${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \
+                > ${buffer_file}
+        login=`grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        name=`grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2\
+                | sed "s/^ *//;s/ *$//"`
+        mail=`grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        pwdChangedTime=`grep -w "pwdChangedTime:" ${buffer_file} \
+                | cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//"`
+        pwdPolicySubentry=`grep -w "pwdPolicySubentry:" ${buffer_file} \
+                | cut -d : -f 2 | sed "s/^ *//;s/ *$//"`
+        if [ ! "${pwdChangedTime}" ]; then
+                echo "No password change date for ${login} (${mail})" >> ${tmp_dir_stats}
+                continue
+        fi
+        if [ ! "${pwdPolicySubentry}" -a ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then
+                echo "No password policy for ${login} (${mail})" >> ${tmp_dir_stats}
+                continue
+        fi
+        ldap_search="${MY_LDAP_SEARCHBIN} ${ldap_param} -s base"
+        if [ "${pwdPolicySubentry}" ]; then
+                ldap_search="${ldap_search} -b ${pwdPolicySubentry}"
+        else
+                ldap_search="${ldap_search} -b ${MY_LDAP_DEFAULTPWDPOLICYDN}"
+        fi
+        ldap_search="$ldap_search pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory"
+        pwdMaxAge=`${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        pwdExpireWarning=`${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        pwdMinLength=`${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        pwdInHistory=`${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \
+                | sed "s/^ *//;s/ *$//"`
+        if [ ! "${pwdMaxAge}" ]; then
+                echo "No password expiration configured for ${login} (${mail})" >> ${tmp_dir_stats}
+                continue
+        fi
+        MY_MAIL_DELAY=${MY_MAIL_DELAY:=$pwdExpireWarning}
+        if [ "${pwdChangedTime}" ]; then
+                s=`echo ${pwdChangedTime} | cut -c 13-14`
+                m=`echo ${pwdChangedTime} | cut -c 11-12`
+                h=`echo ${pwdChangedTime} | cut -c 9-10`
+                d=`echo ${pwdChangedTime} | cut -c 7-8`
+                M=`echo ${pwdChangedTime} | cut -c 5-6`
+                y=`echo ${pwdChangedTime} | cut -c 1-4`
+                currentTime=`getTimeInSeconds`
+                pwdChangedTime=`getTimeInSeconds "$y $M $d $h $m $s"`
+                diffTime=`expr ${currentTime} - ${pwdChangedTime}`
+        fi
+        expireTime=`expr ${pwdChangedTime} + ${pwdMaxAge}`
+        if [ ${currentTime} -gt ${expireTime} ]; then
+                nb_expired_users=`expr ${nb_expired_users} + 1`
+                expireTime=`date -d @$expireTime "+%A %d, %B %Y at %T"`
+                logmsg="${EX_MAIL_BODY}"
+                logmsg=`echo -e ${logmsg} | sed "s/%name/${name}/; \
+                        s/%login/${login}/; s/%expireTimeTZ/${expireTime}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \
+                        s/%expireDays/${expireDays}/"`
+                echo "${logmsg}" | ${MY_MAIL_BIN} -s "${MY_MAIL_SUBJECT}" ${mail} >&2
+                echo "Password expired for ${login} on ${expireTime}. Mail sent to ${mail}" >> ${tmp_dir_stats}
+                continue
+        fi
+        expireTimeTZ=`date -d @$expireTime "+%A %d, %B %Y at %T"`
+        expireTimeMail=`date -d @$expireTime "+%s"`
+        now=`date +%s`
+        expireDays=`echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))`
+        if [ "${mail}" -a "${name}" \
+                -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ]
+        then
+                diffTime=`expr ${diffTime} + ${MY_MAIL_DELAY}`
+                if [ ${diffTime} -gt ${pwdMaxAge} ]; then
+                        logmsg="${MY_MAIL_BODY}"
+                        logmsg=`echo -e ${logmsg} | sed "s/%name/${name}/; \
+                                s/%login/${login}/; s/%expireTimeTZ/${expireTimeTZ}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \
+                                s/%expireDays/${expireDays}/"`
+                        echo "${logmsg}" | ${MY_MAIL_BIN} -s "${MY_MAIL_SUBJECT}" ${mail} >&2
+                        echo "Password warning for ${login} (expiry date, ${expireTimeTZ}). Mail sent to ${mail}" >> ${tmp_dir_stats}
+                        nb_warning_users=`expr ${nb_warning_users} + 1`
+                fi
+        fi
+done < ${result_file}
+sed -i "1iHello Admin,\nFind the LDAP users account password expiry status as at ${MY_LOG_HEADER}.\n" ${tmp_dir_stats}
+echo "Total User Accounts checked: ${nb_users}" >> ${tmp_dir_stats}
+echo "Accounts with Expired Passwords: ${nb_expired_users}" >> ${tmp_dir_stats}
+echo "Accounts with Passwords in Warning state: ${nb_warning_users}" >> ${tmp_dir_stats}
+sed -i -e '/^Total.*/i\\ ' -e '/^Total.*/i ===== Statistics =====' ${tmp_dir_stats}
+mail -s "LDAP Password Expiration Status" kifaunix@gmail.com < ${tmp_dir_stats}
+rm -rf ${tmp_dir}
+rm -rf ${tmp_dir_stats}
+exit 0}}}