174 | | exit 0}}} |
| 174 | exit 0 |
| 175 | }}} |
| 176 | |
| 177 | '''The Script Requirements''' |
| 178 | |
| 179 | As outlined on the LTB page, the script requires; |
| 180 | |
| 181 | - gawk (GNU awk) (which gawk) |
| 182 | - ldapsearch (which ldapsearch) |
| 183 | - mailx (provides mail command, which mailx) |
| 184 | - date (which date) |
| 185 | |
| 186 | which utility enables you to check if the command is installed and the full path to its location. |
| 187 | |
| 188 | '''The Script Variables''' |
| 189 | |
| 190 | Also, update the following variables on the script accordingly. |
| 191 | |
| 192 | - MY_LDAP_HOSTURI: LDAP URI |
| 193 | - MY_LDAP_ROOTDN (optional): DN to use to bind. No DN means anonymous |
| 194 | - MY_LDAP_ROOTPW: Password |
| 195 | - MY_LDAP_DEFAULTPWDPOLICYDN: Default password policy DN. Do not set if no default policy is used. In this case, the script will only affect users with password policy in their entry (pwdPolicySubentry) |
| 196 | - MY_LDAP_SEARCHBASE: Users search base |
| 197 | - MY_LDAP_SEARCHFILTER: Users search filter |
| 198 | - MY_LDAP_SEARCHBIN: Path to ldapsearch binary |
| 199 | - MY_MAIL_DELAY: Time before expiration where a mail is sent. No mail sent after expiration. If no value, the script will take the pwdExpireWarning of the password policy |
| 200 | - MY_LDAP_NAME_ATTR: attribute containing user’s name |
| 201 | - MY_LDAP_LOGIN_ATTR: attribute containing user’s login |
| 202 | - MY_LDAP_MAIL_ATTR:attribute containing user’s name |
| 203 | - MY_MAIL_BODY: message body |
| 204 | - MY_MAIL_SUBJECT: message subject |
| 205 | - MY_MAIL_BIN: mail binary |
| 206 | - MY_LOG_HEADER: log header |
| 207 | - MY_GAWK_BIN: path to gawk binary |
| 208 | |
| 209 | '''Sample LDAP User entry''' |
| 210 | |
| 211 | Below is our sample OpenLDAP user entry. Note the following attributes; |
| 212 | |
| 213 | - MY_LDAP_NAME_ATTR=cn |
| 214 | - MY_LDAP_LOGIN_ATTR=uid |
| 215 | - MY_LDAP_MAIL_ATTR=mail |
| 216 | |
| 217 | {{{ |
| 218 | ldapsearch -Y EXTERNAL -H ldapi:/// -s one -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -LLL -Q uid=janedoe |
| 219 | }}} |
| 220 | |
| 221 | {{{ |
| 222 | dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com |
| 223 | objectClass: inetOrgPerson |
| 224 | objectClass: posixAccount |
| 225 | objectClass: shadowAccount |
| 226 | objectClass: extensibleObject |
| 227 | uid: janedoe |
| 228 | cn: Jane |
| 229 | sn: Doe |
| 230 | loginShell: /bin/bash |
| 231 | uidNumber: 10010 |
| 232 | gidNumber: 10010 |
| 233 | homeDirectory: /home/janedoe |
| 234 | shadowMax: 60 |
| 235 | shadowMin: 1 |
| 236 | shadowWarning: 7 |
| 237 | shadowInactive: 7 |
| 238 | shadowLastChange: 0 |
| 239 | userPassword:: e1NTSEF9dmczUGpBa0EybUtOanJ4QWc1dWN5d20wNnlmOGg4cE8= |
| 240 | mail: janedoe@kifarunix-demo.com |
| 241 | }}} |
| 242 | |
| 243 | '''Testing the LDAP Password Expiration Notification Script''' |
| 244 | |
| 245 | To check the script can get us what is expected of it, simply execute it on the LDAP server as follows; |
| 246 | |
| 247 | {{{ |
| 248 | bash checkLdapPwdExpiration.sh |
| 249 | }}} |
| 250 | |
| 251 | Our script writes output to, /tmp/ldap-password-stats, file. |
| 252 | |
| 253 | {{{ |
| 254 | cat /tmp/ldap-password-stats |
| 255 | }}} |
| 256 | |
| 257 | {{{ |
| 258 | Hello Admin, |
| 259 | Find the LDAP users account password expiry status as Jun 13,2020 21:19:18. |
| 260 | |
| 261 | Password warning for janedoe (expiry date, Thursday 18, June 2020 at 11:12:37). Mail sent to janedoe@kifarunix-demo.com |
| 262 | Password expired for koromicha on Friday 08, May 2020 at 21:34:02. Mail sent to koromicha@kifarunix-demo.com |
| 263 | No password change date for johndoe (johndoe@kifarunix-demo.com) |
| 264 | |
| 265 | ===== Statistics ===== |
| 266 | Total User Accounts checked: 4 |
| 267 | Accounts with Expired Passwords: 1 |
| 268 | Accounts with Passwords in Warning state: 1 |
| 269 | }}} |
| 270 | |
| 271 | From the output above, we can see that; |
| 272 | |
| 273 | - A total of fours users, in the directory, were checked. |
| 274 | - Password for user koromicha, has expired on Friday 08, May 2020 at 21:34:02. Notification email sent to user. |
| 275 | - Password for the user, janedoe, will expire on Thursday 18, June 2020 at 11:12:37. Notification email sent to user. |
| 276 | - No password change date for johndoe (johndoe@kifarunix-demo.com) |
| 277 | |
| 278 | Since we do not have any mail utility installed, you may get such an output; |
| 279 | |
| 280 | {{{ |
| 281 | mail: command not found |
| 282 | }}} |
| 283 | |
| 284 | '''Configure your LDAP Server to Send Mails''' |
| 285 | |
| 286 | In order for your OpenLDAP server to be able to send mails out, you need to have an MTA installed and configured. If you noticed above, the script tried use sendmail. In this demo, we will be using postfix instead. |
| 287 | |
| 288 | {{{ |
| 289 | sudo apt install postfix |
| 290 | }}} |
| 291 | |
| 292 | {{{ |
| 293 | vim /etc/postfix/main.cf |
| 294 | }}} |
| 295 | |
| 296 | Make the following adjustments; |
| 297 | |
| 298 | {{{ |
| 299 | myhostname = ldap.kifarunix-demo.com |
| 300 | inet_protocols = ipv4 (or all) |
| 301 | relayhost = [smtp.gmail.com]:587 |
| 302 | smtp_use_tls = yes |
| 303 | smtp_sasl_auth_enable |
| 304 | smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd |
| 305 | smtp_sasl_security_options = noanonymous |
| 306 | }}} |
| 307 | |
| 308 | Save and exit the configuration. |
| 309 | |
| 310 | Enter the authentication credentials on the file, /etc/postfix/sasl_passwd in the format; |
| 311 | |
| 312 | {{{ |
| 313 | [smtp.gmail.com]:587 userid@gmail:password |
| 314 | }}} |
| 315 | |
| 316 | Hash the credentials file. |
| 317 | |
| 318 | {{{ |
| 319 | postmap /etc/postfix/sasl_passwd |
| 320 | }}} |
| 321 | |
| 322 | Set the proper permissions on the credentials file, |
| 323 | |
| 324 | {{{ |
| 325 | chown root:postfix /etc/postfix/sasl_passwd* |
| 326 | chmod 640 /etc/postfix/sasl_passwd* |
| 327 | }}} |
| 328 | |
| 329 | Start the Postfix configuration. |
| 330 | |
| 331 | {{{ |
| 332 | systemctl enable --now postfix |
| 333 | }}} |
| 334 | |
| 335 | '''Test Email Delivery''' |
| 336 | |
| 337 | {{{ |
| 338 | echo "Test Postfix gmail relay" | mail -s "Test postfix gmail relay" admin@kifarunix-demo.com |
| 339 | }}} |
| 340 | |
| 341 | Check the logs. |
| 342 | |
| 343 | {{{ |
| 344 | tail /var/log/maillog |
| 345 | }}} |
| 346 | |
| 347 | If you see this line, all is well; |
| 348 | |
| 349 | {{{ |
| 350 | ...to=admin@kifarunix-demo.com, relay=smtp.gmail.com[74.125.133.108]:587, ...status=sent (250 2.0.0 OK .. |
| 351 | }}} |
| 352 | |
| 353 | Once the email relay configuration is done, rerun the script. |
| 354 | |
| 355 | {{{ |
| 356 | bash checkLdapPwdExpiration.sh |
| 357 | }}} |
| 358 | |
| 359 | Check the administrator inbox, which in this demo is set to, admin@kifarunix-demo.com, and the inbox for the user whose password is in warning state, janedoe@kifarunix-demo.com. |
| 360 | |
| 361 | On Admin Mailbox, this is the email from LDAP; |
| 362 | |
| 363 | {{{ |
| 364 | Subject: LDAP Password Expiration Status |
| 365 | |
| 366 | Hello Admin, |
| 367 | Find the LDAP users account password expiry status as Jun 13,2020 21:31:11. |
| 368 | |
| 369 | Password warning for janedoe (expiry date, Thursday 18, June 2020 at 11:12:37). Mail sent to janedoe@kifarunix-demo.com |
| 370 | Password expired for koromicha on Friday 08, May 2020 at 21:34:02. Mail sent to koromicha@kifarunix-demo.com |
| 371 | No password change date for johndoe (johndoe@kifarunix-demo.com) |
| 372 | |
| 373 | ===== Statistics ===== |
| 374 | Total User Accounts checked: 4 |
| 375 | Accounts with Expired Passwords: 1 |
| 376 | Accounts with Passwords in Warning state: 1 |
| 377 | }}} |
| 378 | |
| 379 | On the User’s inbox (Janedoe and Koromicha in this case); |
| 380 | |
| 381 | {{{ |
| 382 | Subject: LDAP Account Password Expiry Status |
| 383 | |
| 384 | Hi jane, |
| 385 | |
| 386 | Your password will expire in 4 days on Thursday 18, June 2020 at 11:12:37. |
| 387 | |
| 388 | Visit Kifarunix-demo Self Service Password site, https://ldap-ssp.kifarunix-demo.com to reset your password. |
| 389 | |
| 390 | As a reminder, ensure that your password conforms to the company outlined password policies. |
| 391 | |
| 392 | Kifarunix-demo IT team, |
| 393 | Regards. |
| 394 | }}} |
| 395 | |
| 396 | {{{ |
| 397 | Subject: LDAP Account Password Expiry Status |
| 398 | |
| 399 | Hi koromicha, |
| 400 | |
| 401 | Your password expired on Friday 08, May 2020 at 21:34:02. |
| 402 | |
| 403 | Kindly contact Kifarunix-demo IT team to help reset the password. |
| 404 | |
| 405 | Kifarunix-demo IT team, |
| 406 | Regards. |
| 407 | }}} |
| 408 | |
| 409 | And there you go. You are now receiving the status of the LDAP accounts password expiry as the administrator. At the same time, users whose passwords are yet to expire are notified via their respective emails as defined on their LDAP entries. We hope that was informative. |
| 410 | |
| 411 | '''Create Daily Cron Job for the Script''' |
| 412 | |
| 413 | To ensure that the script is executed regularly, all you need to do is to create a cron job to execute the script at a specific regular time and have the LDAP accounts passwords status sent to users. |
| 414 | |
| 415 | Before you can install a cron job, ensure that the script is executable. |
| 416 | |
| 417 | {{{ |
| 418 | chmod +x /home/kifarunix/checkLdapPwdExpiration.sh |
| 419 | }}} |
| 420 | |
| 421 | To install a cron job, run the command below; |
| 422 | |
| 423 | {{{ |
| 424 | crontab -e |
| 425 | }}} |
| 426 | |
| 427 | Enter the line below, to have the script executed every day from Monday-Friday at 0800 hrs. |
| 428 | |
| 429 | {{{ |
| 430 | 0 8 * * 1-5 /home/kifarunix/checkLdapPwdExpiration.sh |
| 431 | }}} |
| 432 | |
| 433 | That marks the end of our guide on how to send OpenLDAP password expiry notifications via email. |
| 434 | |