dtEmailExpiredPass.sh - Notify Users About Expired Passwords by Email

We just love using eDirectory as our primary source for user authentication and authorization. Universal Password enabled us to use the same username and password for file access with or without the Novell Client, FTP, SSH, wireless access, custom LDAP-enabled applications...
And the Universal Password policy lets us keep passwords compliant with our security policy (we are ISO/IEC 27001 certified): enforce a minimum password length, require complex passwords and prevent users from using their own (or the company's) personal data in a password (just put the data in eDirectory and then specify the "no-no" attributes, but make sure you are using the latest Novell Security Services and iManager snap-in and that your schema is extended).

Finally, we force users to change passwords every 40 days.

A really neat feature of the Universal Password policy is the possibility of displaying an administrator message to a user during a password change, and of letting the user check the password requirements before making a frustrated call to the HelpDesk: 'I just can't change my password anymore!'

Unfortunately, the password expiration warning only works for users logging in with the Novell Client, and for the administrator message and password requirements to show up Novell NMAS has to be enabled too.

This produced a lot of HelpDesk calls, since Samba or LDAP users, for example, were never warned to change their passwords and their accounts ended up locked after they had used up all their grace logins. To overcome this, I created a simple bash script that does an LDAP search for passwords that will expire within a few days and then sends an email to warn the affected users.

First, in order to do the LDAP search you need a user authorized to read the desired eDirectory attributes.

To keep it simple, create an additional user ldapproxy with a password "secret" and assign it eDirectory rights on the desired OU: Entry Browse (inheritable) and Read and Compare on [All Attributes Rights] (inheritable). To make it secure, reduce the rights to just the attributes the script reads (mail, passwordExpirationTime, loginGraceRemaining, loginDisabled) and use a long random password instead of "secret". Keep in mind that the password ends up in clear text inside the script, so the script file must be readable by root only, and that a password passed to ldapsearch with -w is visible in the process list to every local user while the search runs (ldapsearch -y passwordfile avoids that).

Now copy the following bash script to your Linux box, for example into the /root/scripts folder:

#!/bin/bash

########################################################
# dtEmailExpiredPass.sh - eMail notification about     #
# expired eDirectory password                          #
########################################################
#
# FILE: dtEmailExpiredPass.sh
# VERSION: 0.1
# DATE: 12-25-2007
#
# AUTHOR: Denis Tomasevic
# Slovenia
#
########################################################

#############################
# Variables
#############################
# variables for eMail setup (exported because nail reads
# the SMTP server and sender address from the environment)
export smtp="X.X.X.X"
export from="helpdesk@mycompany.si"
bcc="helpdesk@mycompany.si"

# variables for LDAP search
ldapHost="localhost"
ldapContext="ou=users,o=company"
ldapUser="cn=ldapproxy,o=company"
ldapPassw="secret"      # clear text: keep this script readable by root only
checkTime="4 days"

# tmp files: mktemp gives unpredictable names and mode 0600, so a
# local user cannot pre-create or symlink a fixed name such as
# /tmp/passwordsToExpire and have this root cron job write through it
tmpMsg=$(mktemp /tmp/passwordsToExpireMsg.XXXXXX) || exit 1
tmpLdapResult=$(mktemp /tmp/passwordsToExpire.XXXXXX) || exit 1
trap 'rm -f "$tmpMsg" "$tmpLdapResult"' EXIT

# calculate a time in the future (now + checkTime) and transform it
# to LDAP GeneralizedTime format; eDirectory stores
# passwordExpirationTime in UTC, hence -u
notifyExpirationTime=$(date -u -d "$checkTime" +%Y%m%d%H%M00Z)

# search in LDAP for passwords that expire before that time,
# ignore users disabled by administrator,
# store results in file tmpLdapResult
# (-ZZ makes StartTLS mandatory; with plain -Z ldapsearch only warns
# when StartTLS fails and continues in clear text, sending the proxy
# password in the open)
ldapsearch -x -ZZ -h "$ldapHost" -b "$ldapContext" \
    -D "$ldapUser" -w "$ldapPassw" -LLL \
    "(&(passwordExpirationTime<=$notifyExpirationTime)(!(loginDisabled=TRUE)))" \
    loginGraceRemaining mail passwordExpirationTime >"$tmpLdapResult"

# for every user with an expiring password and an eMail attribute
for user in $(grep -F 'mail:' "$tmpLdapResult" | cut -f2 -d:); do
    # prepare notification message for a user
    echo "Your password will expire:" >"$tmpMsg"
    # add some LDAP attributes to the message in their native format
    # (the dn line before mail: and the two attribute lines after it)
    grep -F -B1 -A2 "$user" "$tmpLdapResult" >>"$tmpMsg"
    echo >>"$tmpMsg"
    echo "Please, change your password." >>"$tmpMsg"
    echo >>"$tmpMsg"
    echo "Your password has to be compliant with password policy:" >>"$tmpMsg"
    echo "Add your own password policy instructions here..." >>"$tmpMsg"
    echo >>"$tmpMsg"
    echo "Your support team" >>"$tmpMsg"
    # send prepared message to user and a copy to the help desk
    /usr/bin/nail -b "$bcc" -s "eDirectory password notification" "$user" <"$tmpMsg"
done

# temp files are removed by the EXIT trap
exit 0



Finally, make the script executable and readable by root only (chmod 700 /root/scripts/dtEmailExpiredPass.sh, since it contains the proxy user's password) and use crontab -e to schedule it, for example Monday to Friday at 9:00:
0 9 * * 1-5 /root/scripts/dtEmailExpiredPass.sh>/dev/null

Using the script above, a user will receive the following email message:

Subject: eDirectory password notification
From: helpdesk@mycompany.si
Your password will expire:
dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

Please, change your password.

Your password has to be compliant with password policy:
Add your own password policy instructions here...

Your support team

If your users do not log in every day, you could use a different LDAP filter that looks at the remaining grace logins instead of the expiration time:
"(&(loginGraceRemaining<=5)(!(loginDisabled=TRUE)))"



To use this, set the users' grace logins to a value greater than 6 (for example 10), so that a user is notified only if he did not change his password in time: grace logins are consumed only by logins with an expired password, so with 10 configured the filter (5 or fewer remaining) matches after the fifth post-expiry login, which still leaves the user five logins to change the password.

Now you can play on your own: change the notification message, transform the eDirectory attributes into a more readable format…
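As an added example that is not part of the original script, the following shell fragment shows one way to do that transformation robustly: it parses the ldapsearch -LLL output entry by entry instead of grepping the lines around mail:, so a user without an expiry date or without a mail attribute gets an explicit skip rather than a half-empty message, and it builds both filters used above from a threshold. It assumes GNU date (Linux) and that passwordExpirationTime is UTC GeneralizedTime (YYYYMMDDHHMMSSZ); the LDIF sample is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): per-entry handling of
# ldapsearch -LLL output for expiry notification. Assumes GNU date and
# UTC GeneralizedTime in passwordExpirationTime. SAMPLE_LDIF is made up.
set -e

# Constructed sample of what `ldapsearch -LLL ... mail passwordExpirationTime
# loginGraceRemaining` returns. user2 has no expiry set, user3 has no mail
# and user4 shows that the server does not guarantee attribute order.
SAMPLE_LDIF='dn: cn=user1,ou=users,o=organization
mail: user1@domain
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

dn: cn=user2,ou=users,o=organization
mail: user2@domain

dn: cn=user3,ou=users,o=organization
passwordExpirationTime: 20071225080000Z
loginGraceRemaining: 3

dn: cn=user4,ou=users,o=organization
loginGraceRemaining: 5
mail: user4@domain
passwordExpirationTime: 20080115120000Z
'

# Build the ldapsearch filter: "days" = expiring within $2 days of epoch $3,
# "grace" = at most $2 grace logins left. Disabled accounts are excluded.
expiry_filter() {
  case $1 in
    days)  printf '(&(passwordExpirationTime<=%s)(!(loginDisabled=TRUE)))' \
             "$(date -u -d "@$(( $3 + $2 * 86400 ))" +%Y%m%d%H%M%SZ)" ;;
    grace) printf '(&(loginGraceRemaining<=%s)(!(loginDisabled=TRUE)))' "$2" ;;
    *)     return 1 ;;
  esac
}

# GeneralizedTime (UTC) -> epoch seconds; fails on anything else.
gt_to_epoch() {
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
    *) return 1 ;;
  esac
  date -u -d "$(printf '%s' "$1" | awk '{ printf "%s-%s-%s %s:%s:%s UTC",
    substr($0,1,4), substr($0,5,2), substr($0,7,2),
    substr($0,9,2), substr($0,11,2), substr($0,13,2) }')" +%s
}

# Flatten LDIF into one tab-separated record per entry:
#   dn  mail  passwordExpirationTime  loginGraceRemaining
# Missing attributes become "-", folded continuation lines are re-joined
# and base64 ("::") values are skipped rather than misread.
ldif_to_records() {
  awk '
    function val(k) { return (k in a) ? a[k] : "-" }
    function flush() {
      if ("dn" in a)
        printf "%s\t%s\t%s\t%s\n", a["dn"], val("mail"),
               val("passwordExpirationTime"), val("loginGraceRemaining")
      split("", a); last = ""
    }
    /^$/        { flush(); next }
    /^ /        { if (last != "") a[last] = a[last] substr($0, 2); next }
    /^[^:]+:: / { last = ""; next }
    /^[^:]+: /  { i = index($0, ": "); last = substr($0, 1, i - 1)
                  a[last] = substr($0, i + 2); next }
    END         { flush() }
  '
}

# Decide what to tell one user; "now" is a parameter so decisions are
# reproducible. Prints notify-expired, notify-soon or skip-<reason>.
classify() {
  mail=$1; pet=$2; now=$3; warn_days=$4
  [ "$mail" != "-" ] || { echo skip-no-mail; return; }
  [ "$pet" != "-" ]  || { echo skip-no-expiry; return; }
  exp_epoch=$(gt_to_epoch "$pet") || { echo skip-bad-time; return; }
  if [ "$exp_epoch" -le "$now" ]; then echo notify-expired
  elif [ "$exp_epoch" -le $(( now + warn_days * 86400 )) ]; then echo notify-soon
  else echo skip-not-yet
  fi
}

# One line per entry: "<mail> <decision> <grace> <expiry, human readable>"
notify_plan() {
  now=$1; warn_days=$2
  printf '%s' "$SAMPLE_LDIF" | ldif_to_records |
  while IFS="$(printf '\t')" read -r dn mail pet grace; do
    when=-
    [ "$pet" = "-" ] || when=$(date -u -d "@$(gt_to_epoch "$pet")" '+%Y-%m-%d %H:%M UTC') || when='?'
    printf '%s %s grace=%s %s\n' "$mail" "$(classify "$mail" "$pet" "$now" "$warn_days")" "$grace" "$when"
  done
}

notify_plan "$(date -u +%s)" 4
```

In the real script the `printf '%s' "$SAMPLE_LDIF"` stage is replaced by the ldapsearch call, using `expiry_filter days 4 "$(date -u +%s)"` as the filter, and each `notify-*` line drives one mail; running with two thresholds is then a matter of calling `classify` twice with different `warn_days` rather than keeping two copies of the script.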

Enjoy!
Denis Tomašević

Comment List
  • Dennis,
    With the help of a few others we made some changes. It now sends one email for passwords about to expire and another for ones that have already expired. This one uses postfix and sendmail.

    #!/bin/bash

    ########################################################
    # dtEmailExpiredPass.sh - eMail notification about #
    # expired eDirectory password #
    ########################################################
    #
    # FILE: dtEmailExpiredPass.sh
    # VERSION: 0.1
    # DATE: 12-25-2007
    #
    # AUTHOR: Denis Tomasevic
    # Slovenia
    # Modified: Joe Marton, Mike Statman, Alan Bens
    #
    ########################################################

    #############################
    # Variables
    #############################
    # variables for eMail setup
    smtp=""
    from=""
    fromname=""
    bcc=""

    # variables for LDAP search
    ldapHost="localhost"
    ldapContext="o="
    ldapUser="cn=,o="
    ldapPassw=""
    checkTime="15 days"

    # tmp files Set to your specific location
    tmpMsg=/media/nss/IT/scriptlog/passwordsToExpireMsg
    tmpLdapResult=/media/nss/IT/scriptlog/passwordsToExpire
    tmpMsgExpired=/media/nss/IT/scriptlog/passwordsExpiredMsg
    tmpLdapExpired=/media/nss/IT/scriptlog/passwordsExpired

    # calculate a time in a future
    # now+checkTime and transform it to LDAP format
    notifyExpirationTime=`date -d"$checkTime" +%Y%m%d%H%M00Z`

    # Get time one minute in the future in LDAP format
    futureTime=`date -d"1 minute" +%Y%m%d%H%M00Z`

    # Store current time in LDAP format
    currentTime=`date +%Y%m%d%H%M00Z`

    # search in LDAP for passwords that expire within checkTime
    # but have not expired yet (expiry between one minute from now
    # and now+checkTime); store results in file tmpLdapResult
    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime<=$notifyExpirationTime)(passwordExpirationTime>=$futureTime))" \
    loginGraceRemaining mail passwordExpirationTime uid \
    >$tmpLdapResult

    # for every user with upcoming expiring passwords and eMail attribute
    for user in `fgrep mail: $tmpLdapResult | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapResult | grep uid: | cut -f2 -d" "`
    expireDate=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining=`fgrep -A2 $user $tmpLdapResult | grep GraceRemaining | cut -f2 -d" "`

    # Create message headers
    echo To: $user>$tmpMsg;
    echo Importance: High>>$tmpMsg;
    echo Subject: Password expiration notice>>$tmpMsg;

    # prepare notification message for a user
    fgrep $user $tmpLdapResult | cut -f2 -d" ">>$tmpMsg;
    echo>>$tmpMsg;
    echo Dear $uid>>$tmpMsg;
    echo Your password will expire on `date -d$expireDate +"%Y-%m-%d"` at `date -d$expireTime +"%H:%M"` GMT.>>$tmpMsg;
    echo You have $graceRemaining grace logins remaining after expiration until you are locked out.>>$tmpMsg;

    echo>>$tmpMsg;
    echo Please change your password prior to its expiration.>>$tmpMsg;
    echo>>$tmpMsg;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsg;
    echo>>$tmpMsg;
    echo Remember, your password must be at least six characters long.>>$tmpMsg
    echo>>$tmpMsg
    echo If you use DataSync make sure you change the password on your phone.>>$tmpMsg
    echo>>$tmpMsg;
    echo Thank you,>>$tmpMsg;
    echo Help Desk>>$tmpMsg;
    echo 534>>$tmpMsg;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsg | env MAILRC=/dev/null from=@.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expiration notification" $user

    done

    # search in LDAP for already expired passwords,
    # ignore users disabled by administrator
    # store results in file tmpLdapExpired

    ldapsearch -x -Z -b $ldapContext -h $ldapHost \
    -D $ldapUser -w $ldapPassw -LLL \
    "(&(passwordExpirationTime<=$currentTime)(!(loginDisabled=TRUE)))" \
    loginGraceRemaining mail passwordExpirationTime uid \
    >$tmpLdapExpired

    # for every user with already expired password and eMail attribute
    for user in `fgrep mail: $tmpLdapExpired | cut -f2 -d" "`; do

    # Set temp vars for use in e-mail message
    uid=`fgrep -B2 $user $tmpLdapExpired | grep uid: | cut -f2 -d" "`
    expireDate2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c-8`
    expireTime2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c9-12`
    graceRemaining2=`fgrep -A2 $user $tmpLdapExpired | grep GraceRemaining | cut -f2 -d" "`


    # Create message headers
    echo "To: $user">$tmpMsgExpired;
    echo "Cc: $cc">>$tmpMsgExpired;
    echo "Importance: High">>$tmpMsgExpired;
    echo "Subject: Password has expired!">>$tmpMsgExpired;

    # prepare notification message for a user
    fgrep $user $tmpLdapExpired | cut -f2 -d" ">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Dear $uid>>$tmpMsgExpired;
    echo Your password expired on `date -d$expireDate2 +"%Y-%m-%d"` at `date -d$expireTime2 +"%H:%M"` GMT.>>$tmpMsgExpired;
    echo You have $graceRemaining2 grace logins remaining until you are locked out.>>$tmpMsgExpired;

    echo>>$tmpMsgExpired;
    echo "Please change your password immediately!">>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Remember, your password must be at least six characters long.>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Please contact the Help Desk during normal business hours if you need any assistance in changing your password.>>$tmpMsgExpired;
    echo>>$tmpMsgExpired;
    echo Thank you,>>$tmpMsgExpired;
    echo Help Desk>>$tmpMsgExpired;
    echo 534>>$tmpMsgExpired;
    # send prepared message to user and a copy to a help desk
    cat $tmpMsgExpired | env MAILRC=/dev/null from=@domain.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expired notification" $user

    done

    #clean out temp files and finish
    rm -f $tmpLdapResult
    rm -f $tmpMsg
    rm -f $tmpLdapExpired
    rm -f $tmpMsgExpired
    exit 0
  • It only works when all users in the OU have an expiry date.

    If one does not, then the fgrep manipulation makes this one user still receive an email, which makes no sense:

    Your password will expire:
    dn: cn=user1,ou=users,o=organization
    mail: user1@domain

    dn: cn=user2,ou=users,o=organization

    Please, change your password.


    So extra logic is needed, as well as possibly an extra variable for checkTime2, so one can select e.g. 7 days & 1 day and not need to run 2 separate scripts.

    Seb
  • Great work, works great. The only thing I saw was that I needed to use the dos2unix tool to convert it, otherwise it didn't work.