dtEmailExpiredPass.sh - Notify Users About Expired Passwords by Email

0 Likes
over 13 years ago
We just love using eDirectory as our primary source for user authentication and authorization. Universal password enabled us to use same username and passwords for file access with or without Novell Client, FTP, SSH, Wireless access, custom LDAP enabled applications...
And Universal password policy enables us to keep passwords compliant with our security policy (ISO/IEC 27001 certified): enforce password length, enforce usage of complicated passwords and prevent users to use their (or company) personal data in a password (just put data in eDirectory and then specify “no-no” attributes, but make sure you are using latest Novell Security services, iManager snap-in and your schema is extended).

Finally, we force users to change passwords every 40 days.

A really neat feature of the Universal password policy is a possibility to display administrator messages to a user during password change and for a user to check password requirements before making a frustrated call to HelpDesk 'I just can't change my password anymore!'.

Unfortunately, notifying users about password expiration works just for users doing login with a Novell Client and for administrator message or password requirements, Novell NMAS has to be enabled too.

This was producing a lot of HelpDesk calls, since SAMBA or LDAP users, for example, were not warned to change their passwords and their account would end up locked after they used all grace logins. To overcome this, I've created simple bash script to do LDAP search for a passwords that will expire in a few days and then send an eMail to users to warn them about it.

First, in order to be able to do a LDAP search you need a user authorized to read desired eDirectory attributes.

To make it simple, create an additional user ldapproxy with a password "secret" and assign him eDirectory rights for desired OU: entry browse, inherit and all attributes read, compare, inherit. To make it secure, reduce rights only to needed attributes...

Now copy the following bash script to your Linux box. For example to: /root/scripts folder:

#!/bin/bash

########################################################
# dtEmailExpiredPass.sh - eMail notification about #
# expired eDirectory password #
########################################################
#
# FILE: dtEmailExpiredPass.sh
# VERSION: 0.1
# DATE: 12-25-2007
#
# AUTHOR: Denis Tomasevic
# Slovenia
#
########################################################

#############################
# Variables
#############################
# variables for eMail setup
export smtp="X.X.X.X"
export from="helpdesk@mycompany.si"
bcc="helpdesk@mycompany.si"

# variables for LDAP search
ldapHost="localhost"
ldapContext="ou=users,o=company"
ldapUser="cn=ldapproxy,o=company"
ldapPassw="secret"
checkTime="4 days"

# tmp files
tmpMsg=/tmp/passwordsToExpireMsg
tmpLdapResult=/tmp/passwordsToExpire

# calculate a time in a future
# now checkTime and transform it to LDAP format
notifyExpirationTime=`date -d"$checkTime" %Y%m�00000Z`

# search in LDAP for expired passwords,
# ignore users disabled by administrator
# store results in file tmpLdapResult
ldapsearch -x -Z -b $ldapContext -h $ldapHost \
-D $ldapUser -w $ldapPassw -LLL \
"(&(passwordExpirationTime$tmpLdapResult

# for every user with expired password and eMail attribute
for user in `fgrep mail: $tmpLdapResult | cut -f2 -d:`; do
# prepare notification message for a user
echo Your password will expire:>$tmpMsg;
# add some LDAP attributes to a message in their native format
fgrep -B1 -A2 $user $tmpLdapResult>>$tmpMsg;
echo>>$tmpMsg;
echo Please, change your password.>>$tmpMsg;
echo>>$tmpMsg;
echo Your password has to be compliant with password policy:>>$tmpMsg
echo Add your own password policy instructions here...>>$tmpMsg
echo>>$tmpMsg
echo Your support team>>$tmpMsg;
# send prepared message to user and a copy to a help desk
cat $tmpMsg | /usr/bin/nail -b $bcc \
-s "eDirectory password notification" $user;
done

#clean out temp files and finish
rm $tmpLdapResult
rm $tmpMsg
exit 0



Finally, use crontab -e to schedule execution of this script, for example from Monday to Friday at 9:00:
0 9 * * 1-5 /root/scripts/dtEmailExpiredPass.sh>/dev/null

Using the script above, user will receive following eMail message:

Subject: eDirectory password notification
From: helpdesk@mycompany.si
Your password will expire:
dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

Please, change your password.

Your password has to be compliant with password policy:
Add your own password policy instructions here...

Your support team

If your users do not login every day, you could use a different LDAP filter:
"(&(loginGraceRemaining<=5)(!(loginDisabled=TRUE)))"



To use this, you should setup users Grace Login attribute to a value greater than 6 (for ex. to 10), so user will be notified only if he did not change his password on time.

Now, you can play on your own, change the notification message, transform eDirectory attributes to a more readable format…

Enjoy!
Denis Tomašević

Labels:

Collateral
Comment List
Anonymous
Parents
  • It only works when all users in OU have expiry date

    If one does not then fgrep manipulation makes this one user still receive email which makes no sense

    Your password will expire:
    dn: cn=user1,ou=users,o=organization
    mail: user1@domain

    dn: cn=user2,ou=users,o=organization

    Please, change your password.


    So extra logic is needed, as well as possibly an extra variable for checkTime2, so one can select ie 7 days & 1 day & not need to run 2 separate scripts

    Seb
  • Dennis,
    With the help of a few others we made some changes. It now sends one for passwords about to expire and ones that already expired. This one uses postfix and sendmail.

    #!/bin/bash

    ########################################################
    # dtEmailExpiredPass.sh - eMail notification about #
    # expired eDirectory password #
    ########################################################
    #
    # FILE: dtEmailExpiredPass.sh
    # VERSION: 0.1
    # DATE: 12-25-2007
    #
    # AUTHOR: Denis Tomasevic
    # Slovenia
    # Modified: Joe Marton, Mike Statman, Alan Bens
    #
    ########################################################

    #############################
    # Variables
    #############################
    # variables for eMail setup
    smtp=""
    from=""
    fromname=""
    bcc=""

    # variables for LDAP search
    ldapHost="localhost"
    ldapContext="o="
    ldapUser="cn=,o="
    ldapPassw=""
    checkTime="15 days"

    # tmp files Set to your specific location
    tmpMsg=/media/nss/IT/scriptlog/passwordsToExpireMsg
    tmpLdapResult=/media/nss/IT/scriptlog/passwordsToExpire
    tmpMsgExpired=/media/nss/IT/scriptlog/passwordsExpiredMsg
    tmpLdapExpired=/media/nss/IT/scriptlog/passwordsExpired

    # calculate a time in a future
    # now+checkTime and transform it to LDAP format
    notifyExpirationTime=`date -d"$checkTime" +%Y%m%d%H%M00Z`

    # Get time one minute in the future in LDAP format
    futureTime=`date -d"1 minute" +%Y%m%d%H%M00Z`

    # Store current time in LDAP format
    currentTime=`date +%Y%m%d%H%M00Z`

    # search in LDAP for upcoming expiring passwords,
    # ignore users disabled by administrator
    # store results in file tmpLdapResult
    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime=$futureTime))" \
    loginGraceRemaining mail passwordExpirationTime uid \
    >$tmpLdapResult

    # for every user with upcoming expiring passwords and eMail attribute
    for user in `fgrep mail: $tmpLdapResult | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapResult | grep uid: | cut -f2 -d" "`
    expireDate=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining=`fgrep -A2 $user $tmpLdapResult | grep GraceRemaining | cut -f2 -d" "`

    # Create message headers
    echo To: $user>$tmpMsg;
    echo Importance: High>>$tmpMsg;
    echo Subject: Password expiration notice>>$tmpMsg;

    # prepare notification message for a user
    fgrep $user $tmpLdapResult | cut -f2 -d" ">>$tmpMsg;
    echo>>$tmpMsg;
    echo Dear $uid>>$tmpMsg;
    echo Your password will expire on `date -d$expireDate +"%Y-%m-%d"` at `date -d$expireTime +"%H:%M"` GMT.>>$tmpMsg;
    echo You have $graceRemaining grace logins remaining after expiration until you are locked out.>>$tmpMsg;

    echo>>$tmpMsg;
    echo Please change your password prior to its expiration.>>$tmpMsg;
    echo>>$tmpMsg;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsg;
    echo>>$tmpMsg;
    echo Remember, your password must be at least six characters long.>>$tmpMsg
    echo>>$tmpMsg
    echo If you use DataSync make sure you change the password on your phone.>>$tmpMsg
    echo>>$tmpMsg;
    echo Thank you,>>$tmpMsg;
    echo Help Desk>>$tmpMsg;
    echo 534>>$tmpMsg;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsg | env MAILRC=/dev/null from=@.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expiration

    notification" $user

    done

    # search in LDAP for expired passwords,
    # ignore users disabled by administrator
    # store results in file tmpLdapExpired

    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime$tmpLdapExpired

    # for every user with already expired password and eMail attribute
    for user in `fgrep mail: $tmpLdapExpired | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapExpired | grep uid: | cut -f2 -d" "`
    expireDate2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining2=`fgrep -A2 $user $tmpLdapExpired | grep GraceRemaining | cut -f2 -d" "`


    # Create message headers
    echo "To: $user">$tmpMsgExpired;
    echo "Cc: $cc">>$tmpMsgExpired;
    echo "Importance: High">>$tmpMsgExpired;
    echo "Subject: Password has expired!">>$tmpMsgExpired;

    # prepare notification message for a user
    fgrep $user $tmpLdapExpired | cut -f2 -d" ">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Dear $uid>>$tmpMsg;
    echo Your password expired on `date -d$expireDate2 +"%Y-%m-%d"` at `date -d$expireTime2 +"%H:%M"` GMT.>>$tmpMsgExpired;
    echo You have $graceRemaining2 grace logins remaining until you are locked out.>>$tmpMsgExpired;

    echo>>$tmpMsgExpired;
    echo "Please change your password immediately!">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Remember, your password must be at least six characters long.>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Please contact the Help Desk during normal business hours if you need any assistance in changing your password.>>

    $tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Thank you,>>$tmpMsgExpired;
    echo Help Desk>>$tmpMsgExpired;
    echo 534>>$tmpMsgExpired;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsgExpired | env MAILRC=/dev/null from=@domain.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password

    expired notification" $user

    done

    #clean out temp files and finish
    rm -f $tmpLdapResult
    rm -f $tmpMsg
    rm -f $tmpLdapExpired
    rm -f $tmpMsgExpired
    exit 0
Comment
  • Dennis,
    With the help of a few others we made some changes. It now sends one for passwords about to expire and ones that already expired. This one uses postfix and sendmail.

    #!/bin/bash

    ########################################################
    # dtEmailExpiredPass.sh - eMail notification about #
    # expired eDirectory password #
    ########################################################
    #
    # FILE: dtEmailExpiredPass.sh
    # VERSION: 0.1
    # DATE: 12-25-2007
    #
    # AUTHOR: Denis Tomasevic
    # Slovenia
    # Modified: Joe Marton, Mike Statman, Alan Bens
    #
    ########################################################

    #############################
    # Variables
    #############################
    # variables for eMail setup
    smtp=""
    from=""
    fromname=""
    bcc=""

    # variables for LDAP search
    ldapHost="localhost"
    ldapContext="o="
    ldapUser="cn=,o="
    ldapPassw=""
    checkTime="15 days"

    # tmp files Set to your specific location
    tmpMsg=/media/nss/IT/scriptlog/passwordsToExpireMsg
    tmpLdapResult=/media/nss/IT/scriptlog/passwordsToExpire
    tmpMsgExpired=/media/nss/IT/scriptlog/passwordsExpiredMsg
    tmpLdapExpired=/media/nss/IT/scriptlog/passwordsExpired

    # calculate a time in a future
    # now+checkTime and transform it to LDAP format
    notifyExpirationTime=`date -d"$checkTime" +%Y%m%d%H%M00Z`

    # Get time one minute in the future in LDAP format
    futureTime=`date -d"1 minute" +%Y%m%d%H%M00Z`

    # Store current time in LDAP format
    currentTime=`date +%Y%m%d%H%M00Z`

    # search in LDAP for upcoming expiring passwords,
    # ignore users disabled by administrator
    # store results in file tmpLdapResult
    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime=$futureTime))" \
    loginGraceRemaining mail passwordExpirationTime uid \
    >$tmpLdapResult

    # for every user with upcoming expiring passwords and eMail attribute
    for user in `fgrep mail: $tmpLdapResult | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapResult | grep uid: | cut -f2 -d" "`
    expireDate=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining=`fgrep -A2 $user $tmpLdapResult | grep GraceRemaining | cut -f2 -d" "`

    # Create message headers
    echo To: $user>$tmpMsg;
    echo Importance: High>>$tmpMsg;
    echo Subject: Password expiration notice>>$tmpMsg;

    # prepare notification message for a user
    fgrep $user $tmpLdapResult | cut -f2 -d" ">>$tmpMsg;
    echo>>$tmpMsg;
    echo Dear $uid>>$tmpMsg;
    echo Your password will expire on `date -d$expireDate +"%Y-%m-%d"` at `date -d$expireTime +"%H:%M"` GMT.>>$tmpMsg;
    echo You have $graceRemaining grace logins remaining after expiration until you are locked out.>>$tmpMsg;

    echo>>$tmpMsg;
    echo Please change your password prior to its expiration.>>$tmpMsg;
    echo>>$tmpMsg;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsg;
    echo>>$tmpMsg;
    echo Remember, your password must be at least six characters long.>>$tmpMsg
    echo>>$tmpMsg
    echo If you use DataSync make sure you change the password on your phone.>>$tmpMsg
    echo>>$tmpMsg;
    echo Thank you,>>$tmpMsg;
    echo Help Desk>>$tmpMsg;
    echo 534>>$tmpMsg;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsg | env MAILRC=/dev/null from=@.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expiration

    notification" $user

    done

    # search in LDAP for expired passwords,
    # ignore users disabled by administrator
    # store results in file tmpLdapExpired

    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime$tmpLdapExpired

    # for every user with already expired password and eMail attribute
    for user in `fgrep mail: $tmpLdapExpired | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapExpired | grep uid: | cut -f2 -d" "`
    expireDate2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining2=`fgrep -A2 $user $tmpLdapExpired | grep GraceRemaining | cut -f2 -d" "`


    # Create message headers
    echo "To: $user">$tmpMsgExpired;
    echo "Cc: $cc">>$tmpMsgExpired;
    echo "Importance: High">>$tmpMsgExpired;
    echo "Subject: Password has expired!">>$tmpMsgExpired;

    # prepare notification message for a user
    fgrep $user $tmpLdapExpired | cut -f2 -d" ">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Dear $uid>>$tmpMsg;
    echo Your password expired on `date -d$expireDate2 +"%Y-%m-%d"` at `date -d$expireTime2 +"%H:%M"` GMT.>>$tmpMsgExpired;
    echo You have $graceRemaining2 grace logins remaining until you are locked out.>>$tmpMsgExpired;

    echo>>$tmpMsgExpired;
    echo "Please change your password immediately!">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Remember, your password must be at least six characters long.>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Please contact the Help Desk during normal business hours if you need any assistance in changing your password.>>

    $tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Thank you,>>$tmpMsgExpired;
    echo Help Desk>>$tmpMsgExpired;
    echo 534>>$tmpMsgExpired;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsgExpired | env MAILRC=/dev/null from=@domain.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password

    expired notification" $user

    done

    #clean out temp files and finish
    rm -f $tmpLdapResult
    rm -f $tmpMsg
    rm -f $tmpLdapExpired
    rm -f $tmpMsgExpired
    exit 0
Children
No Data
Related Discussions
Recommended