License:
Free

Download dtEmailExpiredPass.zip

We just love using eDirectory as our primary source for user authentication and authorization. Universal Password enabled us to use the same username and password for file access with or without the Novell Client, for FTP, SSH, wireless access, custom LDAP-enabled applications…
And the Universal Password policy lets us keep passwords compliant with our security policy (we are ISO/IEC 27001 certified): enforce password length, enforce the use of complex passwords and prevent users from using their own (or the company’s) personal data in a password (just put the data in eDirectory and then specify the “no-no” attributes, but make sure you are using the latest Novell Security Services and iManager snap-in and that your schema is extended).

Finally, we force users to change passwords every 40 days.

A really neat feature of the Universal Password policy is the ability to display administrator messages to a user during a password change, and to let a user check the password requirements before making a frustrated call to the HelpDesk: ‘I just can’t change my password anymore!’.

Unfortunately, notifying users about password expiration only works for users logging in with the Novell Client, and for the administrator message or the password requirements to be shown, Novell NMAS has to be enabled too.

This was producing a lot of HelpDesk calls, since SAMBA or LDAP users, for example, were never warned to change their passwords and their accounts ended up locked once they had used all their grace logins. To overcome this, I’ve created a simple bash script that does an LDAP search for passwords that will expire in a few days and then sends an eMail to those users to warn them.

First, in order to be able to do an LDAP search you need a user authorized to read the desired eDirectory attributes.

To make it simple, create an additional user ldapproxy with the password “secret” and assign it eDirectory rights to the desired OU: entry browse and inherit, and all attributes read, compare and inherit. To make it secure, reduce the rights to only the attributes the script needs…

Now copy the following bash script to your Linux box, for example to the /root/scripts folder:

#!/bin/bash

########################################################
#   dtEmailExpiredPass.sh - eMail notification about  #
#                          expired eDirectory password #
########################################################
#
#    FILE: dtEmailExpiredPass.sh
# VERSION: 0.1
#    DATE: 12-25-2007
#
#  AUTHOR: Denis Tomasevic
#          Slovenia
#
########################################################

#############################
#  Variables
#############################
# variables for eMail setup
export smtp="X.X.X.X"
export from="helpdesk@mycompany.si"
bcc="helpdesk@mycompany.si"

# variables for LDAP search
ldapHost="localhost"
ldapContext="ou=users,o=company"
ldapUser="cn=ldapproxy,o=company"
ldapPassw="secret"
checkTime="4 days"

# tmp files
tmpMsg=/tmp/passwordsToExpireMsg
tmpLdapResult=/tmp/passwordsToExpire

# calculate a time in a future 
# now+checkTime and transform it to LDAP format
notifyExpirationTime=`date -d"$checkTime" +%Y%m%d000000Z`

# search in LDAP for passwords that expire before now+checkTime,
# ignore users disabled by administrator
# store results in file tmpLdapResult
# (the filter and attribute lines were mangled by the web page's HTML
#  rendering; they are reconstructed here from the rest of the article)
# note: -w puts the password on the command line, where any local user can
# read it from the process list; ldapsearch -y <passwordfile> avoids that
ldapsearch -x -Z -b $ldapContext -h $ldapHost \
           -D $ldapUser -w $ldapPassw -LLL \
           "(&(passwordExpirationTime<=$notifyExpirationTime)(!(loginDisabled=TRUE)))" \
           mail passwordExpirationTime loginGraceRemaining \
           >$tmpLdapResult

# for every user with expired password and eMail attribute
for user in `fgrep mail: $tmpLdapResult | cut -f2 -d:`; do 
   # prepare notification message for a user
   echo Your password will expire:>$tmpMsg;
   # add some LDAP attributes to a message in their native format
   fgrep -B1 -A2 $user $tmpLdapResult>>$tmpMsg;
   echo>>$tmpMsg;
   echo Please, change your password.>>$tmpMsg;
   echo>>$tmpMsg;
   echo Your password has to be compliant with password policy:>>$tmpMsg
   echo    Add your own password policy instructions here...>>$tmpMsg
   echo>>$tmpMsg
   echo Your support team>>$tmpMsg;
   # send prepared message to user and a copy to a help desk
   cat $tmpMsg | /usr/bin/nail -b $bcc \
       -s "eDirectory password notification" $user; 
done

#clean out temp files and finish
rm $tmpLdapResult
rm $tmpMsg
exit 0

Finally, use crontab -e to schedule execution of this script, for example Monday to Friday at 9:00:
0 9 * * 1-5 /root/scripts/dtEmailExpiredPass.sh>/dev/null

Using the script above, the user will receive the following eMail message:

Subject: eDirectory password notification
From: helpdesk@mycompany.si
Your password will expire:
dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

Please, change your password.

Your password has to be compliant with password policy:
Add your own password policy instructions here…

Your support team

If your users do not log in every day, you could use a different LDAP filter:

"(&(loginGraceRemaining<=5)(!(loginDisabled=TRUE)))"

To use this, set the users’ Grace Login attribute to a value greater than 6 (for example 10), so a user is notified only if he did not change his password in time.
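The following shell snippet is an added example, not the article’s dtEmailExpiredPass.sh: it builds both LDAP filters used above and then reads the LDIF that ldapsearch -LLL prints as blank-line separated records instead of grepping a fixed number of lines around the mail: line, so a user entry that has no passwordExpirationTime is skipped rather than mailed a message assembled from a neighbouring record. The LDIF sample is constructed, and the function names (expiring_filter, grace_filter, ldif_records, render_message, notifiable_users) are chosen here; sending through nail only happens when SEND=1 is set.

```shell
#!/bin/sh
# Added example (not the article's script): record-based parsing of
# ldapsearch -LLL output for password-expiration notifications.

# Constructed sample of the ldapsearch output for the attributes
#   mail passwordExpirationTime loginGraceRemaining
# user2 has no expiration time, the case a fixed fgrep -B1/-A2 window mishandles.
SAMPLE_LDIF='dn: cn=user1,ou=users,o=company
mail: user1@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

dn: cn=user2,ou=users,o=company
mail: user2@mycompany.si

dn: cn=user3,ou=users,o=company
mail: user3@mycompany.si
passwordExpirationTime: 20080115080000Z
loginGraceRemaining: 3
'

# The two filters from the article. $1 is the cutoff: an LDAP generalized
# time (e.g. from `date -d"4 days" +%Y%m%d000000Z`) for expiring_filter,
# a grace-login count for grace_filter.
expiring_filter() {
    printf '(&(passwordExpirationTime<=%s)(!(loginDisabled=TRUE)))' "$1"
}
grace_filter() {
    printf '(&(loginGraceRemaining<=%s)(!(loginDisabled=TRUE)))' "$1"
}

# Turn LDIF on stdin into one tab-separated line per record:
#   mail <TAB> passwordExpirationTime <TAB> loginGraceRemaining
# Records without a mail attribute are dropped; a missing attribute becomes "-".
ldif_records() {
    awk '
        function flush() {
            if (mail != "") printf "%s\t%s\t%s\n", mail, (expires != "" ? expires : "-"), (grace != "" ? grace : "-")
            mail = ""; expires = ""; grace = ""
        }
        /^$/ { flush(); next }
        /^mail: / { mail = $0; sub(/^mail: /, "", mail) }
        /^passwordExpirationTime: / { expires = $0; sub(/^passwordExpirationTime: /, "", expires) }
        /^loginGraceRemaining: / { grace = $0; sub(/^loginGraceRemaining: /, "", grace) }
        END { flush() }
    '
}

# Body of the notification for one record ($1 mail, $2 expiration, $3 grace).
# Returns 1 for a record without an expiration time so the caller skips it.
render_message() {
    [ "$2" != "-" ] || return 1
    printf 'Your password will expire: %s\n' "$2"
    printf 'Grace logins remaining after expiration: %s\n\n' "$3"
    printf 'Please, change your password.\n\nYour support team\n'
}

# Addresses that would actually be mailed for the sample, one per line.
notifiable_users() {
    printf '%s' "$SAMPLE_LDIF" | ldif_records |
    while IFS="$(printf '\t')" read -r mail expires grace; do
        render_message "$mail" "$expires" "$grace" >/dev/null && echo "$mail"
    done
}

# Driver: print each message, or hand it to nail as the article does when
# SEND=1; bcc is the help-desk copy address, as in the article.
main() {
    bcc="${bcc:-helpdesk@mycompany.si}"
    printf '%s' "$SAMPLE_LDIF" | ldif_records |
    while IFS="$(printf '\t')" read -r mail expires grace; do
        if ! msg=$(render_message "$mail" "$expires" "$grace"); then
            echo "skipping $mail: no passwordExpirationTime in record" >&2
            continue
        fi
        if [ "${SEND:-0}" = 1 ]; then
            printf '%s\n' "$msg" | /usr/bin/nail -b "$bcc" -s "eDirectory password notification" "$mail"
        else
            printf 'To: %s\n%s\n\n' "$mail" "$msg"
        fi
    done
}

main
```

Replace SAMPLE_LDIF with the real ldapsearch output (for instance `ldapsearch ... "$(expiring_filter "$notifyExpirationTime")" mail passwordExpirationTime loginGraceRemaining | ldif_records`) to use it against a directory; the record parser does not depend on the order in which the server returns the attributes.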

Now you can play on your own: change the notification message, transform the eDirectory attributes into a more readable format…

Enjoy!
Denis Tomašević


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


3 Comments

  • redds says:

    Great work, works great. The only thing I saw was I needed to use the dos2unix tool to convert it otherwise it didn’t work.

  • spgsitsupport says:

    It only works when all users in the OU have an expiry date.

    If one does not, then the fgrep manipulation makes this one user still receive an email, which makes no sense:

    Your password will expire:
    dn: cn=user1,ou=users,o=organization
    mail: user1@domain

    dn: cn=user2,ou=users,o=organization

    Please, change your password.

    So extra logic is needed, as well as possibly an extra variable for checkTime2, so one can select e.g. 7 days & 1 day & not need to run 2 separate scripts.

    Seb

    • abens says:

      Dennis,
      With the help of a few others we made some changes. It now sends one message for passwords about to expire and one for passwords that have already expired. This one uses postfix and sendmail.

      #!/bin/bash

      ########################################################
      # dtEmailExpiredPass.sh - eMail notification about     #
      # expired eDirectory password                          #
      ########################################################
      #
      # FILE: dtEmailExpiredPass.sh
      # VERSION: 0.1
      # DATE: 12-25-2007
      #
      # AUTHOR: Denis Tomasevic
      # Slovenia
      # Modified: Joe Marton, Mike Statman, Alan Bens
      #
      ########################################################

      #############################
      # Variables
      #############################
      # variables for eMail setup
      smtp=""
      from=""
      fromname=""
      bcc=""
      cc=""

      # variables for LDAP search
      ldapHost="localhost"
      ldapContext="o="
      ldapUser="cn=,o="
      ldapPassw=""
      checkTime="15 days"

      # tmp files Set to your specific location
      tmpMsg=/media/nss/IT/scriptlog/passwordsToExpireMsg
      tmpLdapResult=/media/nss/IT/scriptlog/passwordsToExpire
      tmpMsgExpired=/media/nss/IT/scriptlog/passwordsExpiredMsg
      tmpLdapExpired=/media/nss/IT/scriptlog/passwordsExpired

      # calculate a time in a future
      # now+checkTime and transform it to LDAP format
      notifyExpirationTime=`date -d"$checkTime" +%Y%m%d%H%M00Z`

      # Get time one minute in the future in LDAP format
      futureTime=`date -d"1 minute" +%Y%m%d%H%M00Z`

      # Store current time in LDAP format
      currentTime=`date +%Y%m%d%H%M00Z`

      # search in LDAP for upcoming expiring passwords
      # (expiring between one minute from now and now+checkTime),
      # ignore users disabled by administrator
      # store results in file tmpLdapResult
      # (the filter line was mangled when the comment was rendered and is
      #  reconstructed here from the variables defined above)
      ldapsearch -x -Z -b $ldapContext -h $ldapHost \
      -D $ldapUser -w $ldapPassw -LLL \
      "(&(passwordExpirationTime<=$notifyExpirationTime)(passwordExpirationTime>=$futureTime))" \
      loginGraceRemaining mail passwordExpirationTime uid \
      >$tmpLdapResult

      # for every user with upcoming expiring passwords and eMail attribute
      for user in `fgrep mail: $tmpLdapResult | cut -f2 -d" "`; do

      # Set temp vars for use in e-mail message
      uid=`fgrep -B2 $user $tmpLdapResult | grep uid: | cut -f2 -d" "`
      expireDate=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c-8`
      expireTime=`fgrep -B1 $user $tmpLdapResult | grep Expiration | cut -f2 -d" " | cut -c9-12`
      graceRemaining=`fgrep -A2 $user $tmpLdapResult | grep GraceRemaining | cut -f2 -d" "`

      # Create message headers
      echo To: $user>$tmpMsg;
      echo Importance: High>>$tmpMsg;
      echo Subject: Password expiration notice>>$tmpMsg;

      # prepare notification message for a user
      fgrep $user $tmpLdapResult | cut -f2 -d" ">>$tmpMsg;
      echo>>$tmpMsg;
      echo Dear $uid>>$tmpMsg;
      echo Your password will expire on `date -d$expireDate +"%Y-%m-%d"` at `date -d$expireTime +"%H:%M"` GMT.>>$tmpMsg;
      echo You have $graceRemaining grace logins remaining after expiration until you are locked out.>>$tmpMsg;

      echo>>$tmpMsg;
      echo Please change your password prior to its expiration.>>$tmpMsg;
      echo>>$tmpMsg;
      echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsg;
      echo>>$tmpMsg;
      echo Remember, your password must be at least six characters long.>>$tmpMsg
      echo>>$tmpMsg
      echo If you use DataSync make sure you change the password on your phone.>>$tmpMsg
      echo>>$tmpMsg;
      echo Thank you,>>$tmpMsg;
      echo Help Desk>>$tmpMsg;
      echo 534>>$tmpMsg;
      # send prepared message to user and a copy to a help desk
      cat $tmpMsg | env MAILRC=/dev/null from=@.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expiration notification" $user

      done

      # search in LDAP for expired passwords,
      # ignore users disabled by administrator
      # store results in file tmpLdapExpired
      # (filter reconstructed in the same way as the first one)

      ldapsearch -x -Z -b $ldapContext -h $ldapHost \
      -D $ldapUser -w $ldapPassw -LLL \
      "(&(passwordExpirationTime<=$currentTime)(!(loginDisabled=TRUE)))" \
      loginGraceRemaining mail passwordExpirationTime uid \
      >$tmpLdapExpired

      # for every user with already expired password and eMail attribute
      for user in `fgrep mail: $tmpLdapExpired | cut -f2 -d" "`; do

      # Set temp vars for use in e-mail message
      uid=`fgrep -B2 $user $tmpLdapExpired | grep uid: | cut -f2 -d" "`
      expireDate2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c-8`
      expireTime2=`fgrep -B1 $user $tmpLdapExpired | grep Expiration | cut -f2 -d" " | cut -c9-12`
      graceRemaining2=`fgrep -A2 $user $tmpLdapExpired | grep GraceRemaining | cut -f2 -d" "`

      # Create message headers
      echo "To: $user">$tmpMsgExpired;
      echo "Cc: $cc">>$tmpMsgExpired;
      echo "Importance: High">>$tmpMsgExpired;
      echo "Subject: Password has expired!">>$tmpMsgExpired;

      # prepare notification message for a user
      fgrep $user $tmpLdapExpired | cut -f2 -d" ">>$tmpMsgExpired;
      echo>>$tmpMsgExpired;
      # (was appending to $tmpMsg, the wrong file)
      echo Dear $uid>>$tmpMsgExpired;
      echo Your password expired on `date -d$expireDate2 +"%Y-%m-%d"` at `date -d$expireTime2 +"%H:%M"` GMT.>>$tmpMsgExpired;
      echo You have $graceRemaining2 grace logins remaining until you are locked out.>>$tmpMsgExpired;

      echo>>$tmpMsgExpired;
      echo "Please change your password immediately!">>$tmpMsgExpired;
      echo>>$tmpMsgExpired;
      echo You may change it in the office by pressing CTRL-ALT-DEL and clicking on '"Change Password."'>>$tmpMsgExpired;
      echo>>$tmpMsgExpired;
      echo Remember, your password must be at least six characters long.>>$tmpMsgExpired;
      echo>>$tmpMsgExpired;
      echo Please contact the Help Desk during normal business hours if you need any assistance in changing your password.>>$tmpMsgExpired;
      echo>>$tmpMsgExpired;
      echo Thank you,>>$tmpMsgExpired;
      echo Help Desk>>$tmpMsgExpired;
      echo 534>>$tmpMsgExpired;
      # send prepared message to user and a copy to a help desk
      cat $tmpMsgExpired | env MAILRC=/dev/null from=@domain.com replyto=@domain.com /usr/bin/mail -b $bcc -s "Password expired notification" $user

      done

      #clean out temp files and finish
      rm -f $tmpLdapResult
      rm -f $tmpMsg
      rm -f $tmpLdapExpired
      rm -f $tmpMsgExpired
      exit 0

Dec 26, 2007
9:35 am