Changes between Version 1 and Version 2 of campuswifiandeduroam2023Agenda/pwden


Timestamp:
Jul 24, 2024, 5:19:27 PM (4 months ago)
Author:
tuwan
Comment:

--

  • campuswifiandeduroam2023Agenda/pwden

    v1 v2  
    172172rm -rf ${tmp_dir}
    173173rm -rf ${tmp_dir_stats}
    174 exit 0}}}
     174exit 0
     175}}}
     176
     177'''The Script Requirements'''
     178
     179As outlined on the LTB page, the script requires;
     180
     181- gawk (GNU awk) (which gawk)
     182- ldapsearch (which ldapsearch)
     183- mailx (provides mail command, which mailx)
     184- date (which date)
     185
     186which utility enables you to check if the command is installed and the full path to its location.
     187
     188'''The Script Variables'''
     189
     190Also, update the following variables on the script accordingly.
     191
     192- MY_LDAP_HOSTURI: LDAP URI
     193- MY_LDAP_ROOTDN (optional): DN to use to bind. No DN means anonymous
     194- MY_LDAP_ROOTPW: Password
     195- MY_LDAP_DEFAULTPWDPOLICYDN: Default password policy DN. Do not set if no default policy is used. In this case, the script will only affect users with password policy in their entry (pwdPolicySubentry)
     196- MY_LDAP_SEARCHBASE: Users search base
     197- MY_LDAP_SEARCHFILTER: Users search filter
     198- MY_LDAP_SEARCHBIN: Path to ldapsearch binary
     199- MY_MAIL_DELAY: Time before expiration where a mail is sent. No mail sent after expiration. If no value, the script will take the pwdExpireWarning of the password policy
     200- MY_LDAP_NAME_ATTR: attribute containing user’s name
     201- MY_LDAP_LOGIN_ATTR: attribute containing user’s login
     202- MY_LDAP_MAIL_ATTR:attribute containing user’s name
     203- MY_MAIL_BODY: message body
     204- MY_MAIL_SUBJECT: message subject
     205- MY_MAIL_BIN: mail binary
     206- MY_LOG_HEADER: log header
     207- MY_GAWK_BIN: path to gawk binary
     208
     209'''Sample LDAP User entry'''
     210
     211Below is our sample OpenLDAP user entry. Note the following attributes;
     212
     213- MY_LDAP_NAME_ATTR=cn
     214- MY_LDAP_LOGIN_ATTR=uid
     215- MY_LDAP_MAIL_ATTR=mail
     216
     217{{{
     218ldapsearch -Y EXTERNAL -H ldapi:/// -s one -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -LLL -Q uid=janedoe
     219}}}
     220
     221{{{
     222dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
     223objectClass: inetOrgPerson
     224objectClass: posixAccount
     225objectClass: shadowAccount
     226objectClass: extensibleObject
     227uid: janedoe
     228cn: Jane
     229sn: Doe
     230loginShell: /bin/bash
     231uidNumber: 10010
     232gidNumber: 10010
     233homeDirectory: /home/janedoe
     234shadowMax: 60
     235shadowMin: 1
     236shadowWarning: 7
     237shadowInactive: 7
     238shadowLastChange: 0
     239userPassword:: e1NTSEF9dmczUGpBa0EybUtOanJ4QWc1dWN5d20wNnlmOGg4cE8=
     240mail: janedoe@kifarunix-demo.com
     241}}}
     242
     243'''Testing the LDAP Password Expiration Notification Script'''
     244
     245To check the script can get us what is expected of it, simply execute it on the LDAP server as follows;
     246
     247{{{
     248bash checkLdapPwdExpiration.sh
     249}}}
     250
     251Our script writes output to, /tmp/ldap-password-stats, file.
     252
     253{{{
     254cat /tmp/ldap-password-stats
     255}}}
     256
     257{{{
     258Hello Admin,
     259Find the LDAP users account password expiry status as Jun 13,2020 21:19:18.
     260
     261Password warning for janedoe (expiry date, Thursday 18, June 2020 at 11:12:37). Mail sent to janedoe@kifarunix-demo.com
     262Password expired for koromicha on Friday 08, May 2020 at 21:34:02. Mail sent to koromicha@kifarunix-demo.com
     263No password change date for johndoe (johndoe@kifarunix-demo.com)
     264
     265===== Statistics =====
     266Total User Accounts checked: 4
     267Accounts with Expired Passwords: 1
     268Accounts with Passwords in Warning state: 1
     269}}}
     270
     271From the output above, we can see that;
     272
     273- A total of fours users, in the directory, were checked.
     274- Password for user koromicha, has expired on Friday 08, May 2020 at 21:34:02. Notification email sent to user.
     275- Password for the user, janedoe, will expire on Thursday 18, June 2020 at 11:12:37. Notification email sent to user.
     276- No password change date for johndoe (johndoe@kifarunix-demo.com)
     277
     278Since we do not have any mail utility installed, you may get such an output;
     279
     280{{{
     281mail: command not found
     282}}}
     283
     284'''Configure your LDAP Server to Send Mails'''
     285
     286In order for your OpenLDAP server to be able to send mails out, you need to have an MTA installed and configured. If you noticed above, the script tried use sendmail. In this demo, we will be using postfix instead.
     287
     288{{{
     289sudo apt install postfix
     290}}}
     291
     292{{{
     293vim /etc/postfix/main.cf
     294}}}
     295
     296Make the following adjustments;
     297
     298{{{
     299myhostname = ldap.kifarunix-demo.com
     300inet_protocols = ipv4 (or all)
     301relayhost = [smtp.gmail.com]:587
     302smtp_use_tls = yes
     303smtp_sasl_auth_enable
     304smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
     305smtp_sasl_security_options = noanonymous
     306}}}
     307
     308Save and exit the configuration.
     309
     310Enter the authentication credentials on the file, /etc/postfix/sasl_passwd in the format;
     311
     312{{{
     313[smtp.gmail.com]:587 userid@gmail:password
     314}}}
     315
     316Hash the credentials file.
     317
     318{{{
     319postmap /etc/postfix/sasl_passwd
     320}}}
     321
     322Set the proper permissions on the credentials file,
     323
     324{{{
     325chown root:postfix /etc/postfix/sasl_passwd*
     326chmod 640 /etc/postfix/sasl_passwd*
     327}}}
     328
     329Start the Postfix configuration.
     330
     331{{{
     332systemctl enable --now postfix
     333}}}
     334
     335'''Test Email Delivery'''
     336
     337{{{
     338echo "Test Postfix gmail relay" | mail -s "Test postfix gmail relay" admin@kifarunix-demo.com
     339}}}
     340
     341Check the logs.
     342
     343{{{
     344tail /var/log/maillog
     345}}}
     346
     347If you see this line, all is well;
     348
     349{{{
     350...to=admin@kifarunix-demo.com, relay=smtp.gmail.com[74.125.133.108]:587, ...status=sent (250 2.0.0 OK ..
     351}}}
     352
     353Once the email relay configuration is done, rerun the script.
     354
     355{{{
     356bash checkLdapPwdExpiration.sh
     357}}}
     358
     359Check the administrator inbox, which in this demo is set to, admin@kifarunix-demo.com, and the inbox for the user whose password is in warning state, janedoe@kifarunix-demo.com.
     360
     361On Admin Mailbox, this is the email from LDAP;
     362
     363{{{
     364Subject: LDAP Password Expiration Status
     365
     366Hello Admin,
     367Find the LDAP users account password expiry status as Jun 13,2020 21:31:11.
     368
     369Password warning for janedoe (expiry date, Thursday 18, June 2020 at 11:12:37). Mail sent to janedoe@kifarunix-demo.com
     370Password expired for koromicha on Friday 08, May 2020 at 21:34:02. Mail sent to koromicha@kifarunix-demo.com
     371No password change date for johndoe (johndoe@kifarunix-demo.com)
     372
     373===== Statistics =====
     374Total User Accounts checked: 4
     375Accounts with Expired Passwords: 1
     376Accounts with Passwords in Warning state: 1
     377}}}
     378
     379On the User’s inbox (Janedoe and Koromicha in this case);
     380
     381{{{
     382Subject: LDAP Account Password Expiry Status
     383
     384Hi jane,
     385
     386 Your password will expire in 4 days on Thursday 18, June 2020 at 11:12:37.
     387
     388 Visit Kifarunix-demo Self Service Password site, https://ldap-ssp.kifarunix-demo.com to reset your password.
     389
     390 As a reminder, ensure that your password conforms to the company outlined password policies.
     391
     392 Kifarunix-demo IT team,
     393 Regards.
     394}}}
     395
     396{{{
     397Subject: LDAP Account Password Expiry Status
     398
     399Hi koromicha,
     400
     401 Your password expired on Friday 08, May 2020 at 21:34:02.
     402
     403 Kindly contact Kifarunix-demo IT team to help reset the password.
     404
     405 Kifarunix-demo IT team,
     406 Regards.
     407}}}
     408
     409And there you go. You are now receiving the status of the LDAP accounts password expiry as the administrator. At the same time, users whose passwords are yet to expire are notified via their respective emails as defined on their LDAP entries. We hope that was informative.
     410
     411'''Create Daily Cron Job for the Script'''
     412
     413To ensure that the script is executed regularly, all you need to do is to create a cron job to execute the script at a specific regular time and have the LDAP accounts passwords status sent to users.
     414
     415Before you can install a cron job, ensure that the script is executable.
     416
     417{{{
     418chmod +x /home/kifarunix/checkLdapPwdExpiration.sh
     419}}}
     420
     421To install a cron job, run the command below;
     422
     423{{{
     424crontab -e
     425}}}
     426
     427Enter the line below, to have the script executed every day from Monday-Friday at 0800 hrs.
     428
     429{{{
     4300 8 * * 1-5 /home/kifarunix/checkLdapPwdExpiration.sh
     431}}}
     432
     433That marks the end of our guide on how to send OpenLDAP password expiry notifications via email.
     434
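Review bot: In the Postfix block at wiki lines 299-306, `smtp_sasl_auth_enable` is given without a value, so SASL authentication to the relay is never switched on and mail to `[smtp.gmail.com]:587` will not be accepted; it should read `smtp_sasl_auth_enable = yes`. In the same block `inet_protocols = ipv4 (or all)` mixes a prose aside into a configuration value; keep `inet_protocols = ipv4` in the block and move "(or all)" into the sentence above it. At line 202, `MY_LDAP_MAIL_ATTR` is described as the attribute containing the user's name, duplicating the `MY_LDAP_NAME_ATTR` entry, while the sample entry at line 215 sets it to `mail`; the description should say mail address. Line 286 says the script tried to use sendmail, but the captured error at line 281 is `mail: command not found`, and the requirements list at line 183 says the `mail` command comes from mailx, so the prose and the output disagree. Two handling points also deserve a sentence: `/etc/postfix/sasl_passwd` and the `.db` that `postmap` writes hold the relay password in clear text, so the `chown root:postfix` / `chmod 640` step at lines 325-326 should come before (or immediately with) the `postmap` at line 319 rather than after a test step, and the script itself embeds `MY_LDAP_ROOTPW`, so `/home/kifarunix/checkLdapPwdExpiration.sh` should get a restrictive mode (`chmod 700` rather than just `+x`) before the crontab line at line 430 is installed; that line runs under whichever account's crontab is edited, which the text should state. Minor: "Start the Postfix configuration" at line 329 means start the Postfix service, "fours users" at line 273 should be "four users", and `tail /var/log/maillog` at line 344 is the Red Hat path; on the apt-based system that `sudo apt install postfix` implies, Postfix logs to `/var/log/mail.log`.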