===Configure OpenLDAP Password Expiry Email Notification=== This tutorial provides the basic steps to configure OpenLDAP to send email notifications to users' mailboxes informing them about upcoming password expiration, and a status summary to system admins. The script can be found at [https://github.com/ltb-project/ldap-scripts here]. {{{ grep -Ev "^\s[#\;]|^\s$|^#" checkLdapPwdExpiration.sh }}} {{{ MY_LDAP_HOSTURI="ldapi:///" MY_LDAP_DEFAULTPWDPOLICYDN="cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com" MY_LDAP_SEARCHBASE="ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" MY_LDAP_SEARCHFILTER="(&(uid=*)(objectClass=inetOrgPerson))" MY_LDAP_SEARCHSCOPE="one" MY_LDAP_SEARCHBIN="/usr/bin/ldapsearch" MY_LDAP_NAME_ATTR=cn MY_LDAP_LOGIN_ATTR=uid MY_LDAP_MAIL_ATTR=mail export LC_ALL=en_US.UTF-8 MY_MAIL_BODY="Hi %name,\n\n \ Your password will expire in %expireDays days on %expireTimeTZ.\n\n \ Visit Kifarunix-demo Self Service Password site, https://ldap-ssp.kifarunix-demo.com to reset your password.\n\n \ As a reminder, ensure that your password conforms to the company outlined password policies.\n\n \ Kifarunix-demo IT team,\n Regards." EX_MAIL_BODY="Hi %name,\n\n \ Your password expired on %expireTimeTZ.\n\n \ Kindly contact Kifarunix-demo IT team to help reset the password.\n\n \ Kifarunix-demo IT team,\n Regards." 
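MY_MAIL_SUBJECT="LDAP Account Password Expiry Status"
MY_MAIL_BIN="mail"
MY_LOG_HEADER=$(date +"%b %e,%Y %T")
MY_GAWK_BIN="/usr/bin/gawk"
# Recipient of the per-run summary report; the previously hard-coded
# address is kept as the default so existing installs behave the same.
MY_ADMIN_MAIL="${MY_ADMIN_MAIL:-kifaunix@gmail.com}"

# This script needs GNU date ("date -d @epoch", already required before).
# Unset variables are bugs here: a mistyped config name would otherwise
# turn into an empty ldapsearch argument.  -e is deliberately not used,
# because grep/awk returning non-zero for "attribute absent" is normal
# inside the per-user loop.
set -u

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Convert a timestamp to Unix epoch seconds.
# Arguments: $1 - optional "YYYY MM DD hh mm ss", interpreted as UTC
#            (LDAP generalized time is always UTC, "...Z").  Without an
#            argument the current time is printed.
# Outputs:   epoch seconds on stdout
# Returns:   date's exit status
#######################################
getTimeInSeconds() {
  if [ -n "${1:-}" ]; then
    # shellcheck disable=SC2086 -- deliberate split into the six fields
    set -- $1
    # -u keeps the stored UTC stamp from being shifted by the host's
    # timezone; without it every "date -d @epoch" below is off by the
    # local UTC offset (expiry dates and day counts were wrong off-UTC).
    date -u -d "$1-$2-$3 $4:$5:$6" +%s
  else
    date +%s
  fi
}

#######################################
# Print the first value of one LDIF attribute read from stdin.
# Only plain "attr: value" lines match; base64 ("attr:: ...") and folded
# continuation lines are not decoded, so such values come back empty,
# exactly like an absent attribute.  Values containing ":" are no longer
# truncated (the old "cut -d :" did that).
# Arguments: $1 - attribute name
#######################################
ldif_value() {
  "${MY_GAWK_BIN}" -v a="$1" \
    'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

#######################################
# Replace every occurrence of a placeholder in a string, literally.
# Pure shell so that directory values containing "/", "&", newlines or
# sed commands are inserted as-is and cannot alter the script; with the
# old sed "s/%name/${name}/" a cn value was part of the sed program.
# Arguments: $1 - text; $2 - placeholder; $3 - replacement
# Outputs:   result on stdout, no trailing newline
#######################################
tpl_replace() {
  _tpl_rest=$1
  _tpl_out=""
  while :; do
    case "${_tpl_rest}" in
      *"$2"*)
        _tpl_out="${_tpl_out}${_tpl_rest%%"$2"*}$3"
        _tpl_rest=${_tpl_rest#*"$2"}
        ;;
      *) break ;;
    esac
  done
  printf '%s' "${_tpl_out}${_tpl_rest}"
}

#######################################
# Fill a mail template and print it with its \n escapes expanded.
# Arguments: $1 template, $2 name, $3 login, $4 expiry text,
#            $5 pwdMinLength, $6 pwdInHistory, $7 days until expiry
# Outputs:   the message body on stdout
#######################################
render_mail_body() {
  _body=$(tpl_replace "$1" %name "$2")
  _body=$(tpl_replace "${_body}" %login "$3")
  _body=$(tpl_replace "${_body}" %expireTimeTZ "$4")
  _body=$(tpl_replace "${_body}" %pwdMinLength "$5")
  _body=$(tpl_replace "${_body}" %pwdInHistory "$6")
  _body=$(tpl_replace "${_body}" %expireDays "$7")
  # %b expands the \n sequences the templates carry (what "echo -e" did).
  printf '%b\n' "${_body}"
}

tmp_dir=$(mktemp -d) || die "Error : cannot create temporary directory"
# Every transient file lives in this 0700 directory and is removed on any
# exit path.  The former fixed names (/tmp/$$.checkldap.tmp and
# /tmp/ldap-password-stats) could be pre-created by any local user, who
# would then control where the report and search results are written.
trap 'rm -rf -- "${tmp_dir:?}"' EXIT
result_file="${tmp_dir}/res.tmp.1"
buffer_file="${tmp_dir}/buf.tmp.1"
policy_file="${tmp_dir}/pol.tmp.1"
passwd_file=""
tmp_dir_stats="${tmp_dir}/ldap-password-stats"
nb_users=0
nb_expired_users=0
nb_warning_users=0

if [ -n "${MY_LDAP_ROOTDN:-}" ]; then
  [ -n "${MY_LDAP_ROOTPW:-}" ] \
    || die "Error : MY_LDAP_ROOTDN is set but MY_LDAP_ROOTPW is empty"
  # The bind password is handed over through a 0600 file (-y) instead of
  # "-w password", which is visible to every local user in the process
  # list.  ldapsearch uses the file content verbatim, so no trailing
  # newline is written.
  passwd_file="${tmp_dir}/pw.tmp.1"
  (umask 077 && printf '%s' "${MY_LDAP_ROOTPW}" > "${passwd_file}") \
    || die "Error : cannot write bind password file"
fi

#######################################
# Run ldapsearch with the configured connection and bind options.
# With MY_LDAP_ROOTDN set this is a simple bind (-x) as that DN;
# otherwise SASL EXTERNAL.  -Q is a SASL option, so it only goes with -Y.
# Arguments: remaining ldapsearch arguments (scope, base, filter, attrs)
# Returns:   ldapsearch's exit status
#######################################
ldap_query() {
  if [ -n "${passwd_file}" ]; then
    "${MY_LDAP_SEARCHBIN}" -H "${MY_LDAP_HOSTURI}" -LLL \
      -x -D "${MY_LDAP_ROOTDN}" -y "${passwd_file}" "$@"
  else
    "${MY_LDAP_SEARCHBIN}" -H "${MY_LDAP_HOSTURI}" -LLL -Y EXTERNAL -Q "$@"
  fi
}

# "1.1" (RFC 4511) requests no attributes: only each entry's DN is needed.
ldap_query -s "${MY_LDAP_SEARCHSCOPE}" -b "${MY_LDAP_SEARCHBASE}" \
  "${MY_LDAP_SEARCHFILTER}" 1.1 > "${result_file}" \
  || die "Error : ldapsearch on ${MY_LDAP_SEARCHBASE} failed"

# The report header is written first; the old "sed -i 1i" failed outright
# when no per-user line had been appended yet.
printf 'Hello Admin,\nFind the LDAP users account password expiry status as at %s.\n\n' \
  "${MY_LOG_HEADER}" > "${tmp_dir_stats}"

while IFS= read -r dnStr; do
  case "${dnStr}" in
    "dn: "*) dn=${dnStr#dn: } ;;
    "dn:: "*)
      # base64 DN (non-ASCII characters); not decoded here, so report it
      # rather than searching a garbage base.
      printf 'Skipped an entry with a base64-encoded DN\n' >> "${tmp_dir_stats}"
      continue
      ;;
    *) continue ;;
  esac
  nb_users=$((nb_users + 1))

  ldap_query -s base -b "${dn}" \
    "${MY_LDAP_NAME_ATTR}" "${MY_LDAP_LOGIN_ATTR}" "${MY_LDAP_MAIL_ATTR}" \
    pwdChangedTime pwdPolicySubentry > "${buffer_file}"
  login=$(ldif_value "${MY_LDAP_LOGIN_ATTR}" < "${buffer_file}")
  name=$(ldif_value "${MY_LDAP_NAME_ATTR}" < "${buffer_file}")
  mail=$(ldif_value "${MY_LDAP_MAIL_ATTR}" < "${buffer_file}")
  pwdChangedTime=$(ldif_value pwdChangedTime < "${buffer_file}")
  pwdPolicySubentry=$(ldif_value pwdPolicySubentry < "${buffer_file}")

  # Generalized time "YYYYMMDDhhmmssZ"; anything else is treated as absent.
  if ! printf '%s' "${pwdChangedTime}" | grep -Eq '^[0-9]{14}'; then
    printf 'No password change date for %s (%s)\n' "${login}" "${mail}" \
      >> "${tmp_dir_stats}"
    continue
  fi
  policy_dn=${pwdPolicySubentry:-${MY_LDAP_DEFAULTPWDPOLICYDN}}
  if [ -z "${policy_dn}" ]; then
    printf 'No password policy for %s (%s)\n' "${login}" "${mail}" \
      >> "${tmp_dir_stats}"
    continue
  fi

  # One policy lookup per user; the old code ran the same search four times.
  ldap_query -s base -b "${policy_dn}" \
    pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory > "${policy_file}"
  pwdMaxAge=$(ldif_value pwdMaxAge < "${policy_file}")
  pwdExpireWarning=$(ldif_value pwdExpireWarning < "${policy_file}")
  pwdMinLength=$(ldif_value pwdMinLength < "${policy_file}")
  pwdInHistory=$(ldif_value pwdInHistory < "${policy_file}")

  # pwdMaxAge 0 means "never expires" in the ppolicy overlay, so it is
  # treated like an absent value instead of marking every user expired.
  case "${pwdMaxAge}" in
    ''|*[!0-9]*|0)
      printf 'No password expiration configured for %s (%s)\n' \
        "${login}" "${mail}" >> "${tmp_dir_stats}"
      continue
      ;;
  esac

  # Warning window: MY_MAIL_DELAY from the environment overrides the
  # policy's pwdExpireWarning.  Evaluated per user (the old ":=" froze the
  # first user's policy value for the whole run); absent or non-numeric
  # means 0, i.e. no advance warning.
  mail_delay=${MY_MAIL_DELAY:-${pwdExpireWarning}}
  case "${mail_delay}" in ''|*[!0-9]*) mail_delay=0 ;; esac

  currentTime=$(getTimeInSeconds)
  stamp=$(printf '%s' "${pwdChangedTime}" \
    | sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\).*/\1 \2 \3 \4 \5 \6/')
  if ! pwdChangedEpoch=$(getTimeInSeconds "${stamp}"); then
    printf 'Unparseable pwdChangedTime "%s" for %s (%s)\n' \
      "${pwdChangedTime}" "${login}" "${mail}" >> "${tmp_dir_stats}"
    continue
  fi
  expireTime=$((pwdChangedEpoch + pwdMaxAge))
  expireTimeTZ=$(date -d "@${expireTime}" "+%A %d, %B %Y at %T")
  # Computed before the expired/warning split; the old code substituted
  # %expireDays into the expired mail with the previous user's value.
  expireDays=$(( (expireTime - currentTime) / (60 * 60 * 24) ))

  # A recipient must look like an address, and must not start with "-",
  # which the mail command would parse as an option.
  mail_ok=0
  case "${mail}" in
    ''|-*|*[[:space:]]*) ;;
    *@*) mail_ok=1 ;;
  esac

  if [ "${currentTime}" -gt "${expireTime}" ]; then
    nb_expired_users=$((nb_expired_users + 1))
    if [ "${mail_ok}" -eq 1 ]; then
      render_mail_body "${EX_MAIL_BODY}" "${name}" "${login}" "${expireTimeTZ}" \
        "${pwdMinLength}" "${pwdInHistory}" "${expireDays}" \
        | "${MY_MAIL_BIN}" -s "${MY_MAIL_SUBJECT}" "${mail}" >&2
      printf 'Password expired for %s on %s. Mail sent to %s\n' \
        "${login}" "${expireTimeTZ}" "${mail}" >> "${tmp_dir_stats}"
    else
      printf 'Password expired for %s on %s. No usable mail address, no mail sent\n' \
        "${login}" "${expireTimeTZ}" >> "${tmp_dir_stats}"
    fi
    continue
  fi

  # Warn once now + delay passes the expiry time; this is the original
  # "(now - pwdChangedTime) + delay > pwdMaxAge" test rearranged.
  if [ "${mail_ok}" -eq 1 ] && [ -n "${name}" ] && [ -n "${login}" ] \
     && [ $((currentTime + mail_delay)) -gt "${expireTime}" ]; then
    render_mail_body "${MY_MAIL_BODY}" "${name}" "${login}" "${expireTimeTZ}" \
      "${pwdMinLength}" "${pwdInHistory}" "${expireDays}" \
      | "${MY_MAIL_BIN}" -s "${MY_MAIL_SUBJECT}" "${mail}" >&2
    printf 'Password warning for %s (expiry date, %s). Mail sent to %s\n' \
      "${login}" "${expireTimeTZ}" "${mail}" >> "${tmp_dir_stats}"
    nb_warning_users=$((nb_warning_users + 1))
  fi
done < "${result_file}"

{
  printf '\n===== Statistics =====\n'
  printf 'Total User Accounts checked: %s\n' "${nb_users}"
  printf 'Accounts with Expired Passwords: %s\n' "${nb_expired_users}"
  printf 'Accounts with Passwords in Warning state: %s\n' "${nb_warning_users}"
} >> "${tmp_dir_stats}"
"${MY_MAIL_BIN}" -s "LDAP Password Expiration Status" "${MY_ADMIN_MAIL}" \
  < "${tmp_dir_stats}"
# The EXIT trap removes the temporary directory, password file included.
exit 0
}}}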