6.1 Getting the Certificate Expiration Notification

You can receive advance notification by running a bash script in the Administration Console. The script retrieves the expiration date (the nDSPKINotAfter attribute) of every server certificate through LDAP and compares it with the current month and year. If a certificate expires within the current month, or has already expired, the administrators receive an email notification. If a certificate expires on the same day that the script runs, the email carries a special warning to repair the certificate immediately.

Schedule the script to run on the first day of every month at midnight. Certificates that expire later in that month are reported by this one run, and if a server certificate expires on the first day of the month before the working day starts (for example, at 1 a.m.), the administrators have already received the email by then.

Sample Bash Script:

#!/bin/bash
# Mails the administrators about every eDirectory server certificate whose
# nDSPKINotAfter date falls in the current month, has already passed, or is
# today. Intended to run from cron on the first day of each month.

DOMAIN=novell.com
ADMIN="admin1@novell.com admin2@novell.com admin3@novell.com"
LDAPHOST=LDAPHOST.novell.com
Organization='o=novell'
# cron does not source the login profile, so fall back to hostname if HOST is unset
HOST=${HOST:-$(hostname)}
# Private temporary file instead of a fixed, predictable /tmp name (the script runs as root)
CERTLOG=$(mktemp /tmp/CERTLOG.XXXXXX) || exit 1
trap 'rm -f "$CERTLOG"' EXIT

# Fetch every nDSPKINotAfter value together with the line before it (used as
# the certificate name); grep -B1 separates the pairs with "--" lines
ldapsearch -h "$LDAPHOST" -p 389 -x -b "$Organization" |
    grep -B1 nDSPKINotAfter > "$CERTLOG"

NUMOFLINES=$(wc -l < "$CERTLOG")
CURRENT_YYYYMM=$(date +%Y%m)
CURRENT_DATE=$(date +%Y%m%d)
i=2
while [ "$i" -le "$NUMOFLINES" ]; do
    # Lines i-1 and i of the log: the name line and its nDSPKINotAfter line
    VAR1=$(head -n "$i" "$CERTLOG" | tail -n 2)
    # $VAR1 is left unquoted on purpose so that the two lines join into one
    CERTNAME=$(echo $VAR1 | sed -e 's/nDSPKINotAfter: /~/' | cut -d~ -f1)
    EXPIRY=$(echo $VAR1 | sed -e 's/nDSPKINotAfter: /~/' | cut -d~ -f2)
    EXPIRY_YYYYMM=$(echo "$EXPIRY" | cut -c-6)
    if [ "$EXPIRY_YYYYMM" -le "$CURRENT_YYYYMM" ]; then
        EXPIRY_DATE=$(echo "$EXPIRY" | cut -c-8)
        EXPIRY_DAY=$(echo "$EXPIRY" | cut -c7-8)
        EXPIRY_MTH=$(echo "$EXPIRY" | cut -c5-6)
        EXPIRY_YEAR=$(echo "$EXPIRY" | cut -c1-4)
        # $ADMIN is left unquoted so that each address becomes a separate recipient
        if [ "$EXPIRY_DATE" = "$CURRENT_DATE" ]; then
            echo "Please use iManager to repair the Certificate IMMEDIATELY" |
                mail -r "$HOST@$DOMAIN" \
                     -s "Server Certificate will expire TODAY!! --> $CERTNAME" $ADMIN
        else
            echo "Please use iManager to repair the Certificate" |
                mail -r "$HOST@$DOMAIN" \
                     -s "Server Certificate will expire on $EXPIRY_DAY-$EXPIRY_MTH-$EXPIRY_YEAR (DD-MM-YYYY) --> $CERTNAME" $ADMIN
        fi
    fi
    i=$((i + 3))   # skip the "--" separator line to reach the next pair
done
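The following is an added example and is not part of the original page. It applies the same month/today/expired test to LDIF read from standard input (for example the output of the ldapsearch command in the script, saved to a file), but pairs each nDSPKINotAfter value with the dn of its own entry rather than with whatever attribute line happens to precede it, and computes the number of days remaining with integer arithmetic so that it does not depend on GNU date. The LDIF sample is constructed, the reference date is passed as an argument so that the result is reproducible, and the status names (expired, today, this-month, ok) are this example's own.

```shell
#!/bin/bash
# Added example, not from the original page: classify eDirectory server
# certificates by their nDSPKINotAfter value, reading LDIF from stdin.

# Julian Day Number of a YYYYMMDD string, integer arithmetic only
jdn() {
    local y m d a yy mm
    y=$(printf '%s' "$1" | cut -c1-4)
    m=$(printf '%s' "$1" | cut -c5-6); m=${m#0}   # drop a leading zero (08 is not octal)
    d=$(printf '%s' "$1" | cut -c7-8); d=${d#0}
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# days_left NOTAFTER TODAY: days from a YYYYMMDD reference date to a
# GeneralizedTime value such as 20251231235959Z (negative if already past)
days_left() {
    echo $(( $(jdn "$(printf '%s' "$1" | cut -c1-8)") - $(jdn "$2") ))
}

# classify NOTAFTER TODAY -> expired | today | this-month | ok
# (same three alert conditions as the monthly script; "ok" means no mail)
classify() {
    local left
    left=$(days_left "$1" "$2")
    if [ "$left" -lt 0 ]; then echo expired
    elif [ "$left" -eq 0 ]; then echo today
    elif [ "$(printf '%s' "$1" | cut -c1-6)" = "$(printf '%s' "$2" | cut -c1-6)" ]; then echo this-month
    else echo ok
    fi
}

# report_entry TODAY DN NOTAFTER: print "<status> <days> <dn>" unless ok
report_entry() {
    local status
    [ -n "$3" ] || return 0          # entry without a certificate date
    status=$(classify "$3" "$1")
    [ "$status" = ok ] || echo "$status $(days_left "$3" "$1") $2"
}

# check_ldif TODAY: LDIF on stdin; entries are blank-line separated, so the
# dn and nDSPKINotAfter of one entry are always paired with each other
check_ldif() {
    local today dn notafter line
    today=$1; dn=; notafter=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "dn: "*)             dn=${line#dn: } ;;
            "nDSPKINotAfter: "*) notafter=${line#nDSPKINotAfter: } ;;
            "")                  report_entry "$today" "$dn" "$notafter"; dn=; notafter= ;;
        esac
    done
    report_entry "$today" "$dn" "$notafter"   # flush the last entry
}

# Constructed sample in the shape of ldapsearch output (attribute order varies
# per entry, which is why the dn, not the preceding line, identifies the cert)
SAMPLE_LDIF='dn: cn=SSL CertificateDNS - srv1,o=novell
cn: SSL CertificateDNS - srv1
nDSPKINotAfter: 20251231235959Z

dn: cn=SSL CertificateIP - srv1,o=novell
nDSPKINotAfter: 20251201000000Z
cn: SSL CertificateIP - srv1

dn: cn=SSL CertificateDNS - srv2,o=novell
cn: SSL CertificateDNS - srv2
nDSPKINotAfter: 20251115120000Z

dn: cn=SSL CertificateDNS - srv3,o=novell
cn: SSL CertificateDNS - srv3
nDSPKINotAfter: 20270301000000Z
'

# Demonstration with a fixed reference date (1 December 2025) so the
# result is reproducible; three of the four certificates are reported
printf '%s' "$SAMPLE_LDIF" | check_ldif 20251201
```

Against a live tree, feed the function the real search instead of the sample, for example `ldapsearch -x -H ldaps://$LDAPHOST -b "$Organization" nDSPKINotAfter | check_ldif "$(date +%Y%m%d)"`. OpenLDAP's ldapsearch folds output lines longer than 76 characters onto a continuation line that starts with a space; pass `-o ldif-wrap=no` (supported by recent OpenLDAP releases) so that long dn values arrive on one line, since this parser does not unfold them.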

6.1.1 Implementing the Solution

  1. Modify the following variables in the sample bash script according to your environment:

    DOMAIN=novell.com
        The domain name of your company. Ensure that it is valid, because the notification email is sent from an address in this domain.

    ADMIN="admin1@novell.com admin2@novell.com admin3@novell.com"
        The email addresses of the administrators who receive the alerts. Use a space to separate the addresses.

    LDAPHOST=LDAPHOST.novell.com
        The DNS name or IP address of the eDirectory server or OES server that holds a replica of all the server organizational units (OUs).

        NOTE: The script as written performs an anonymous search on port 389, so this server must allow LDAP searches on that port. To allow them, open iManager > LDAP > LDAP Options > LDAP Group > SERVERNAME and clear the Require TLS for Simple Binds with Password option. Be aware that clearing this option lets every LDAP client bind to the server with a clear-text password, so the LDAPS alternative below is the better choice when the option is currently set.

        If port 389 is not allowed, change the ldapsearch command in the script to connect over LDAPS, for example ldapsearch -H ldaps://$LDAPHOST:636 -x -b "$Organization", and make sure the client trusts the certificate of the tree's Organizational CA (the TLS_CACERT setting in the client's ldap.conf). Changing only -p to 636 does not enable TLS and the search fails.

    Organization='o=novell'
        The name of the organization configured in the eDirectory tree. If your servers are located across multiple organizations, use the tree name instead. For example, Organization='T=novell-tree'

  2. Copy the script to /usr/local/bin/check_certexpire.sh, make it executable (chmod 700 /usr/local/bin/check_certexpire.sh), and configure cron to run it on the first day of every month at midnight.

    For example, add the following line to the /etc/crontab file:

    0 0 1 * * root /usr/local/bin/check_certexpire.sh 2>/dev/null
    
  3. Configure postfix to enable sending email messages:

    1. Ensure that the postfix service is running by entering the following command:

      /etc/init.d/postfix status

      The status should show that the service is running.

    2. Ensure that the postfix service is started at boot by entering the following command:

      chkconfig postfix on

    3. Edit the /etc/postfix/main.cf file and ensure that the following line is included:

      transport_maps = hash:/etc/postfix/transport
      
    4. Find out the IP address or DNS name of your SMTP server. For example, 10.1.1.1.

    5. Edit the /etc/postfix/transport file and ensure that the following line is included:

      * smtp:10.1.1.1

    6. Change the IP address to the address of your SMTP server.

    7. Enter the following command:

      /sbin/postmap /etc/postfix/transport

  4. Verify that this command updates the /etc/postfix/transport.db file.

  5. Try sending an email to yourself by entering the following command on the server.

    echo "this is a test email" | mail -r $HOST@yourcompany.com -s "This is a test subject" youremail@yourcompany.com

    Change yourcompany.com to your company's domain and youremail to your actual email address. Leave $HOST as it is.