===Configure OpenLDAP Password Expiry Email Notification===
This tutorial provides the basic steps for configuring OpenLDAP so that users are notified by email about upcoming or past password expiration, and so that system administrators receive a summary report.
The script can be found here. The listing below was produced with the following command, which strips comments and blank lines:
# Print the script without comment lines, indented ';'/'#' lines and blank lines.
grep -Ev -e '^\s[#;]' -e '^\s$' -e '^#' -- checkLdapPwdExpiration.sh
# ---------------------------------------------------------------------------
# Site configuration for checkLdapPwdExpiration.sh.  Every value below is read
# by the main loop; none of them is reassigned later in the script.
# ---------------------------------------------------------------------------

# Where and how to search.  ldapi:/// with SASL EXTERNAL means the script
# authenticates as the local UNIX user it runs as.
MY_LDAP_HOSTURI="ldapi:///"
MY_LDAP_SEARCHBIN="/usr/bin/ldapsearch"
MY_LDAP_SEARCHBASE="ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"
MY_LDAP_SEARCHSCOPE="one"
MY_LDAP_SEARCHFILTER="(&(uid=*)(objectClass=inetOrgPerson))"
# Policy used for users that carry no pwdPolicySubentry of their own.
MY_LDAP_DEFAULTPWDPOLICYDN="cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com"

# Attributes read from each user entry.
MY_LDAP_NAME_ATTR="cn"
MY_LDAP_LOGIN_ATTR="uid"
MY_LDAP_MAIL_ATTR="mail"

# External tools.  gawk is needed for mktime(); mawk/BusyBox awk lack it.
MY_GAWK_BIN="/usr/bin/gawk"
MY_MAIL_BIN="mail"

# Pin the locale so day/month names in mails and in the report are stable.
export LC_ALL="en_US.UTF-8"

# Mail templates.  The %name, %login, %expireDays, %expireTimeTZ,
# %pwdMinLength and %pwdInHistory placeholders are substituted at send time
# and the literal "\n" sequences are expanded by the sender.  A backslash at
# the end of a line inside the quotes is a shell line continuation, so each
# template is one string.
MY_MAIL_SUBJECT="LDAP Account Password Expiry Status"
MY_MAIL_BODY="Hi %name,\n\n \
Your password will expire in %expireDays days on %expireTimeTZ.\n\n \
Visit Kifarunix-demo Self Service Password site, https://ldap-ssp.kifarunix-demo.com to reset your password.\n\n \
As a reminder, ensure that your password conforms to the company outlined password policies.\n\n \
Kifarunix-demo IT team,\n
Regards."
EX_MAIL_BODY="Hi %name,\n\n \
Your password expired on %expireTimeTZ.\n\n \
Kindly contact Kifarunix-demo IT team to help reset the password.\n\n \
Kifarunix-demo IT team,\n
Regards."

# Timestamp printed in the admin report header (uses the locale set above).
MY_LOG_HEADER=$(date +"%b %e,%Y %T")
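#######################################
# Epoch seconds for a "YYYY MM DD HH MM SS" timestamp given as $1 (converted
# with gawk mktime()), or for "now" when called without an argument.
# Globals:   MY_GAWK_BIN (read)
# Arguments: $1 - optional timestamp in gawk mktime() datespec form
# Outputs:   the epoch value on stdout ("" if gawk printed nothing)
# Returns:   0
# NOTE(review): mktime() presumably interprets the components in the local
# timezone while the no-argument path collects them with "date -u", so the
# result can differ from "date +%s" by the UTC offset unless TZ is UTC.
# Fixed here: work variables were globals (leaking "date", "os", "now" into
# the caller) and expansions were unquoted.
#######################################
getTimeInSeconds() {
  local epoch=0 os now
  os=$(uname -s)
  if [ -n "$1" ]; then
    epoch=$("${MY_GAWK_BIN}" 'BEGIN { if (ARGC == 2) { print mktime(ARGV[1]) } exit 0 }' "$1")
  elif [ "${os}" = "SunOS" ]; then
    # Solaris date(1) has no %s: read the time() syscall result out of truss.
    epoch=$(/usr/bin/truss /usr/bin/date 2>&1 \
      | nawk -F= '/^time\(\)/ {gsub(/ /,"",$2);print $2}')
  else
    now=$(date -u +"%Y %m %d %H %M %S")
    epoch=$(getTimeInSeconds "${now}")
  fi
  printf '%s\n' "${epoch}"
}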
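# ---------------------------------------------------------------------------
# Main: walk the user entries, mail users whose password is expired or inside
# the warning window, then mail a summary to the admin.
# Requires bash ([[ ]], ${var//pat/rep}); the script already depended on GNU
# date -d, echo -e and sed -i, so GNU/Linux + bash is assumed.
# ---------------------------------------------------------------------------

# Private working directory.  mktemp replaces the predictable /tmp/$$ name
# (guessable, symlink/race-prone) and the fixed, world-writable
# /tmp/ldap-password-stats file that was appended to with ">>" — a pre-planted
# symlink there would have redirected the report writes, and leftovers of an
# interrupted run would have been mailed out with the next report.
tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/checkldap.XXXXXXXX") || {
  echo "Error : cannot create temporary directory" >&2
  exit 1
}
result_file="${tmp_dir}/res.tmp.1"
buffer_file="${tmp_dir}/buf.tmp.1"
policy_file="${tmp_dir}/pol.tmp.1"
tmp_dir_stats="${tmp_dir}/ldap-password-stats"
# Recipient of the summary report; overridable from the environment.
admin_mail="${MY_ADMIN_MAIL:-kifaunix@gmail.com}"
# Clean up on every exit path (normal end, error, signal).
trap 'rm -rf -- "${tmp_dir:?}"' EXIT

nb_users=0
nb_expired_users=0
nb_warning_users=0

#######################################
# Run ldapsearch with the configured URI/SASL options and bind credentials.
# Globals:   MY_LDAP_SEARCHBIN, MY_LDAP_HOSTURI, MY_LDAP_ROOTDN,
#            MY_LDAP_ROOTPW, MY_LDAP_ROOTPWFILE (all read)
# Arguments: passed through to ldapsearch (-s/-b/filter/attributes)
# Outputs:   LDIF on stdout
# Returns:   ldapsearch's exit status
# Prefer MY_LDAP_ROOTPWFILE: "-w password" puts the bind password on the
# command line, where every local user can read it from ps(1).  "-w" is kept
# only for backward compatibility with existing configurations.
#######################################
ldap_query() {
  if [ -n "${MY_LDAP_ROOTDN:-}" ] && [ -n "${MY_LDAP_ROOTPWFILE:-}" ]; then
    "${MY_LDAP_SEARCHBIN}" -Y EXTERNAL -H "${MY_LDAP_HOSTURI}" -LLL -Q \
      -D "${MY_LDAP_ROOTDN}" -y "${MY_LDAP_ROOTPWFILE}" "$@"
  elif [ -n "${MY_LDAP_ROOTDN:-}" ]; then
    # TODO(review): migrate callers to MY_LDAP_ROOTPWFILE and drop this branch.
    "${MY_LDAP_SEARCHBIN}" -Y EXTERNAL -H "${MY_LDAP_HOSTURI}" -LLL -Q \
      -D "${MY_LDAP_ROOTDN}" -w "${MY_LDAP_ROOTPW:-}" "$@"
  else
    "${MY_LDAP_SEARCHBIN}" -Y EXTERNAL -H "${MY_LDAP_HOSTURI}" -LLL -Q "$@"
  fi
}

#######################################
# First value of attribute $1 in LDIF file $2, surrounding blanks trimmed.
# Anchored at line start so "foo: cn: x" cannot match the way "grep -w" did;
# base64 values ("cn:: ...") deliberately yield "" as the old cut pipeline did.
# $1 is an attribute name from this script's configuration, not user data.
#######################################
ldif_value() {
  sed -n -e "s/^$1: *//p" -- "$2" | sed -e 's/[[:space:]]*$//' | head -n 1
}

#######################################
# Expand mail template $1: interpret the literal "\n" escapes first (what
# "echo -e" used to do), then replace the %placeholders.
# Globals:   name, login, expireTimeTZ, pwdMinLength, pwdInHistory,
#            expireDays (read)
# Outputs:   the rendered body on stdout
# The previous sed-based substitution spliced raw directory values (cn, uid,
# ...) into a sed program, so a "/", "&" or "\" in a user's name corrupted the
# command or changed what sed executed; ${var//pat/"rep"} treats the
# replacement literally, and the body is no longer word-split or globbed.
#######################################
render_mail() {
  local text
  text=$(printf '%b' "$1")
  text=${text//%name/"${name}"}
  text=${text//%login/"${login}"}
  text=${text//%expireTimeTZ/"${expireTimeTZ}"}
  text=${text//%pwdMinLength/"${pwdMinLength}"}
  text=${text//%pwdInHistory/"${pwdInHistory}"}
  text=${text//%expireDays/"${expireDays}"}
  printf '%s\n' "${text}"
}

#######################################
# Deliver rendered body $2 to address $1 with the configured subject.
# Globals:   MY_MAIL_BIN, MY_MAIL_SUBJECT, login, tmp_dir_stats (read)
# Returns:   1 (and logs) when the address is refused, else mail's status
# The address comes from the directory, so refuse anything the mail command
# could parse as an option or as several recipients.
#######################################
send_mail() {
  case "$1" in
    ''|-*|*[[:space:]]*)
      echo "Refusing to mail suspicious address '$1' for ${login}" >> "${tmp_dir_stats}"
      return 1 ;;
  esac
  # MY_MAIL_BIN is intentionally unquoted: existing configs may carry options.
  # shellcheck disable=SC2086
  printf '%s\n' "$2" | ${MY_MAIL_BIN} -s "${MY_MAIL_SUBJECT}" "$1" >&2
}

# Report header first, so the file exists even when no user produces a line
# (the old "sed -i 1i" failed on a missing file).
printf 'Hello Admin,\nFind the LDAP users account password expiry status as at %s.\n\n' \
  "${MY_LOG_HEADER}" > "${tmp_dir_stats}"

# One clock for all expiry arithmetic.  getTimeInSeconds feeds UTC date
# components to gawk mktime(), which presumably reads them as local time, so
# mixing its values with "date +%s" (as the old expireDays did) could shift
# results by the UTC offset.  NOTE(review): run with TZ=UTC if the printed
# expiry dates look offset.
currentTime=$(getTimeInSeconds)

ldap_query -s "${MY_LDAP_SEARCHSCOPE}" -b "${MY_LDAP_SEARCHBASE}" \
  "${MY_LDAP_SEARCHFILTER}" "dn" > "${result_file}"
rc=$?
if [ "${rc}" -ne 0 ]; then
  echo "Error : LDAP search under ${MY_LDAP_SEARCHBASE} failed (ldapsearch exit ${rc})" >> "${tmp_dir_stats}"
fi

while IFS= read -r dnStr; do
  case "${dnStr}" in
    'dn: '*) dn=${dnStr#dn: } ;;   # whole value; "cut -f 2" truncated DNs at ':'
    'dn:: '*)
      # base64-encoded DN (non-ASCII); the old parse handed garbage to -b.
      echo "Skipping entry with base64-encoded DN: ${dnStr#dn:: }" >> "${tmp_dir_stats}"
      continue ;;
    *) continue ;;   # blank separators; TODO(review): wrapped LDIF lines too
  esac
  nb_users=$((nb_users + 1))

  ldap_query -s base -b "${dn}" \
    "${MY_LDAP_NAME_ATTR}" "${MY_LDAP_LOGIN_ATTR}" "${MY_LDAP_MAIL_ATTR}" \
    pwdChangedTime pwdPolicySubentry > "${buffer_file}"
  login=$(ldif_value "${MY_LDAP_LOGIN_ATTR}" "${buffer_file}")
  name=$(ldif_value "${MY_LDAP_NAME_ATTR}" "${buffer_file}")
  mail=$(ldif_value "${MY_LDAP_MAIL_ATTR}" "${buffer_file}")
  pwdChangedTime=$(ldif_value pwdChangedTime "${buffer_file}")
  pwdPolicySubentry=$(ldif_value pwdPolicySubentry "${buffer_file}")

  # Generalized time "YYYYmmddHHMMSSZ": keep the 14-digit stamp, reject the rest.
  pwdChangedTime=${pwdChangedTime:0:14}
  if [[ ! ${pwdChangedTime} =~ ^[0-9]{14}$ ]]; then
    echo "No password change date for ${login} (${mail})" >> "${tmp_dir_stats}"
    continue
  fi

  policy_dn=${pwdPolicySubentry:-${MY_LDAP_DEFAULTPWDPOLICYDN}}
  if [ -z "${policy_dn}" ]; then
    echo "No password policy for ${login} (${mail})" >> "${tmp_dir_stats}"
    continue
  fi
  # One policy query per user instead of four identical ones.
  ldap_query -s base -b "${policy_dn}" \
    pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory > "${policy_file}"
  pwdMaxAge=$(ldif_value pwdMaxAge "${policy_file}")
  pwdExpireWarning=$(ldif_value pwdExpireWarning "${policy_file}")
  pwdMinLength=$(ldif_value pwdMinLength "${policy_file}")
  pwdInHistory=$(ldif_value pwdInHistory "${policy_file}")
  # Per slapo-ppolicy(5) a pwdMaxAge of 0 means "never expires"; the old code
  # treated 0 as "expired immediately" and mailed every such user.
  if [[ ! ${pwdMaxAge} =~ ^[0-9]+$ ]] || [ "${pwdMaxAge}" -eq 0 ]; then
    echo "No password expiration configured for ${login} (${mail})" >> "${tmp_dir_stats}"
    continue
  fi
  # Warning lead time: explicit MY_MAIL_DELAY wins, else this user's policy
  # value.  Evaluated per user — the old ":=" froze the first user's policy
  # value for the whole run.
  mail_delay=${MY_MAIL_DELAY:-${pwdExpireWarning:-0}}
  [[ ${mail_delay} =~ ^[0-9]+$ ]] || mail_delay=0

  changedSecs=$(getTimeInSeconds "${pwdChangedTime:0:4} ${pwdChangedTime:4:2} ${pwdChangedTime:6:2} ${pwdChangedTime:8:2} ${pwdChangedTime:10:2} ${pwdChangedTime:12:2}")
  diffTime=$((currentTime - changedSecs))
  expireTime=$((changedSecs + pwdMaxAge))
  expireTimeTZ=$(date -d "@${expireTime}" "+%A %d, %B %Y at %T")
  # Computed before either branch: the expired mail previously saw the
  # previous user's %expireDays value.
  expireDays=$(( (expireTime - currentTime) / 86400 ))

  if [ "${currentTime}" -gt "${expireTime}" ]; then
    nb_expired_users=$((nb_expired_users + 1))
    if send_mail "${mail}" "$(render_mail "${EX_MAIL_BODY}")"; then
      echo "Password expired for ${login} on ${expireTimeTZ}. Mail sent to ${mail}" >> "${tmp_dir_stats}"
    fi
    continue
  fi

  if [ -n "${mail}" ] && [ -n "${name}" ] && [ -n "${login}" ] \
     && [ $((diffTime + mail_delay)) -gt "${pwdMaxAge}" ]; then
    if send_mail "${mail}" "$(render_mail "${MY_MAIL_BODY}")"; then
      echo "Password warning for ${login} (expiry date, ${expireTimeTZ}). Mail sent to ${mail}" >> "${tmp_dir_stats}"
      nb_warning_users=$((nb_warning_users + 1))
    fi
  fi
done < "${result_file}"

{
  printf ' \n===== Statistics =====\n'
  echo "Total User Accounts checked: ${nb_users}"
  echo "Accounts with Expired Passwords: ${nb_expired_users}"
  echo "Accounts with Passwords in Warning state: ${nb_warning_users}"
} >> "${tmp_dir_stats}"
# shellcheck disable=SC2086
${MY_MAIL_BIN} -s "LDAP Password Expiration Status" "${admin_mail}" < "${tmp_dir_stats}"
# Temporary files are removed by the EXIT trap.
exit 0
}}}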
