dtEmailExpiredPass.sh - Notify Users About Expired Passwords by Email

over 13 years ago
We just love using eDirectory as our primary source for user authentication and authorization. Universal Password enabled us to use the same username and password for file access with or without the Novell Client, FTP, SSH, wireless access, custom LDAP-enabled applications...
And the Universal Password policy enables us to keep passwords compliant with our security policy (ISO/IEC 27001 certified): enforce password length, enforce complex passwords and prevent users from using their own (or company) personal data in a password (just put the data in eDirectory and then specify the “no-no” attributes, but make sure you are using the latest Novell Security Services and iManager snap-in, and that your schema is extended).

Finally, we force users to change passwords every 40 days.

A really neat feature of the Universal Password policy is the ability to display administrator messages to a user during a password change, and to let a user check the password requirements before making a frustrated call to the HelpDesk: 'I just can't change my password anymore!'.

Unfortunately, notifying users about password expiration works only for users who log in with the Novell Client, and for the administrator message or the password requirements to be shown, Novell NMAS has to be enabled too.

This was producing a lot of HelpDesk calls, since SAMBA or LDAP users, for example, were not warned to change their passwords and their accounts would end up locked after they had used up all their grace logins. To overcome this, I've created a simple bash script that does an LDAP search for passwords that will expire in a few days and then sends an eMail to those users to warn them.

First, in order to do an LDAP search you need a user authorized to read the desired eDirectory attributes.

To make it simple, create an additional user ldapproxy with the password "secret" and assign it eDirectory rights for the desired OU: entry Browse and Inherit, and Read, Compare and Inherit on all attributes. To make it secure, reduce the rights to only the attributes the script actually reads...

Now copy the following bash script to your Linux box, for example into the /root/scripts folder:

#!/bin/bash

########################################################
# dtEmailExpiredPass.sh - eMail notification about     #
# expired eDirectory password                          #
########################################################
#
# FILE: dtEmailExpiredPass.sh
# VERSION: 0.1
# DATE: 12-25-2007
#
# AUTHOR: Denis Tomasevic
# Slovenia
#
########################################################

#############################
# Variables
#############################
# variables for eMail setup (nail reads smtp and from from the environment)
export smtp="X.X.X.X"
export from="helpdesk@mycompany.si"
bcc="helpdesk@mycompany.si"

# variables for LDAP search
ldapHost="localhost"
ldapContext="ou=users,o=company"
ldapUser="cn=ldapproxy,o=company"
ldapPassw="secret"
checkTime="4 days"

# tmp files
tmpMsg=/tmp/passwordsToExpireMsg
tmpLdapResult=/tmp/passwordsToExpire

# calculate a time in the future (now + checkTime) and transform it
# to the LDAP generalized time format used by eDirectory (YYYYMMDDhhmmssZ, UTC)
notifyExpirationTime=$(date -u -d "$checkTime" +%Y%m%d000000Z)

# search in LDAP for passwords that expire before notifyExpirationTime,
# ignore users disabled by administrator,
# store dn, mail, passwordExpirationTime and loginGraceRemaining in tmpLdapResult
# (note: -w puts the password on the command line, visible in the process list;
#  ldapsearch -y <file> reads it from a file instead)
ldapsearch -x -Z -b "$ldapContext" -h "$ldapHost" \
  -D "$ldapUser" -w "$ldapPassw" -LLL \
  "(&(passwordExpirationTime<=$notifyExpirationTime)(!(loginDisabled=TRUE)))" \
  mail passwordExpirationTime loginGraceRemaining > "$tmpLdapResult"

# for every user with an expiring password and an eMail attribute
for user in $(fgrep mail: "$tmpLdapResult" | cut -f2 -d:); do
    # prepare notification message for a user
    echo "Your password will expire:" > "$tmpMsg"
    # add some LDAP attributes to the message in their native format:
    # the dn line before mail:, expiration time and grace logins after it
    fgrep -B1 -A2 "$user" "$tmpLdapResult" >> "$tmpMsg"
    echo >> "$tmpMsg"
    echo "Please, change your password." >> "$tmpMsg"
    echo >> "$tmpMsg"
    echo "Your password has to be compliant with password policy:" >> "$tmpMsg"
    echo "Add your own password policy instructions here..." >> "$tmpMsg"
    echo >> "$tmpMsg"
    echo "Your support team" >> "$tmpMsg"
    # send the prepared message to the user and a blind copy to the help desk
    /usr/bin/nail -b "$bcc" -s "eDirectory password notification" "$user" < "$tmpMsg"
done

# clean out temp files and finish
rm -f "$tmpLdapResult"
rm -f "$tmpMsg"
exit 0



Finally, use crontab -e to schedule execution of this script, for example from Monday to Friday at 9:00:
0 9 * * 1-5 /root/scripts/dtEmailExpiredPass.sh>/dev/null

Using the script above, a user will receive the following eMail message:

Subject: eDirectory password notification
From: helpdesk@mycompany.si
Your password will expire:
dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

Please, change your password.

Your password has to be compliant with password policy:
Add your own password policy instructions here...

Your support team

If your users do not log in every day, you could use a different LDAP filter:
"(&(loginGraceRemaining<=5)(!(loginDisabled=TRUE)))"



To use this, you should set the users' Grace Login attribute to a value greater than 6 (for example 10), so that a user is notified only if they did not change their password on time.

Now you can play with it on your own: change the notification message, transform the eDirectory attributes to a more readable format…
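One way to do that readable-format transformation, as an added example that is not part of the original script: instead of relying on fgrep -B1 -A2 around the mail: line (which breaks if an attribute is missing or ordered differently), walk the LDIF in $tmpLdapResult entry by entry and turn passwordExpirationTime into a calendar date plus a days-left count. The SAMPLE_LDIF data and all helper names (field, days_from_civil, daynum, days_until, gentime_pretty, emit, notifications) are my own constructions; "now" is passed in as a generalized time so the result is reproducible.

```shell
#!/bin/sh
# Constructed sample in the shape 'ldapsearch -LLL' writes to $tmpLdapResult:
# blank-line separated entries, attribute order not guaranteed, mail optional.
SAMPLE_LDIF='dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

dn: cn=nomail,ou=users,o=mycompany
loginGraceRemaining: 3
passwordExpirationTime: 20071228080000Z'
field() { printf '%s\n' "$1" | cut -c"$2"; }   # character range of a string
# Days since 1970-01-01 for year/month/day (proleptic Gregorian calendar).
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
  era=$((y / 400)); yoe=$((y - era * 400))
  doy=$(( (153 * m + 2) / 5 + d - 1 ))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}
daynum() {  # day number of the date part of a generalized time YYYYMMDDhhmmssZ
  y=$(field "$1" 1-4); m=$(field "$1" 5-6); d=$(field "$1" 7-8)
  days_from_civil "$y" "${m#0}" "${d#0}"   # strip a leading zero: "08" -> 8
}
# Whole calendar days from generalized time $2 ("now") until $1.
days_until() { echo $(( $(daynum "$1") - $(daynum "$2") )); }
# Generalized time -> "YYYY-MM-DD hh:mm UTC", friendlier than the raw attribute.
gentime_pretty() {
  echo "$(field "$1" 1-4)-$(field "$1" 5-6)-$(field "$1" 7-8) $(field "$1" 9-10):$(field "$1" 11-12) UTC"
}
# Print "mail|expires|days-left|grace-logins" for the entry just read when it
# has both a mail attribute and an expiry, then reset for the next entry.
emit() {
  if [ -n "$mail" ] && [ -n "$exp" ]; then echo "$mail|$(gentime_pretty "$exp")|$(days_until "$exp" "$now")|$grace"; fi
  mail=; exp=; grace=
}
# Read LDIF from stdin; $1 is "now" as a generalized time, so runs are reproducible.
notifications() {
  now=$1; mail=; exp=; grace=
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "mail: "*)                   mail=${line#mail: } ;;
      "passwordExpirationTime: "*) exp=${line#passwordExpirationTime: } ;;
      "loginGraceRemaining: "*)    grace=${line#loginGraceRemaining: } ;;
      "")                          emit ;;
    esac
  done
  emit   # flush the last entry, which may not be followed by a blank line
}
```

Run it with `printf '%s\n' "$SAMPLE_LDIF" | notifications 20071226000000Z` (or feed it the real $tmpLdapResult and `date -u +%Y%m%d%H%M%SZ`); each output line carries what a nicer message body needs, and the entry without a mail attribute is skipped rather than mis-grouped.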

Enjoy!
Denis Tomašević
