Here's how we did it, in broad terms - we're using password policy (ppolicy) too.
We query LDAP for pwdMaxAge for password policy we're addressing (this is in seconds). Then we subtract two weeks from it (for two weeks' worth of warning - our script runs once a week) ... and then capture the date/time that many seconds ago (for easy comparing when looping through accounts) ... in the same format the pwdChangedTime (and createTimestamp) are stored in.
Example of above in bash (vars LDAPSEARCH, LDAPBIND, Policy being set previously):

    pwdMaxAge=$($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}')
    twoweeks=$((14*24*60*60))
    pwdWarnAgeSeconds=$((pwdMaxAge-$twoweeks))
    pwdCompareAge=$(date -d "$pwdWarnAgeSeconds seconds ago" +%Y%m%d000000)
Of course, that can be one-lined, but obfuscated code is lame - especially in a work environment.

    pwdCompareAge=$(date -d "$(($($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}')- $((14*24*60*60)))) seconds ago" +%Y%m%d000000)

(That's probably broken somewhere... blech).
We then search for accounts using the password policy we're addressing, and parse those accounts where pwdChangedTime (or, if it's missing, createTimestamp) is less than pwdCompareAge (set above), and send them an email with instructions on how to change the password.
That's how we did it at least. Good luck!
- chris
Chris Jacobs Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc. 1501 4th Ave | Suite 2500 | Seattle, WA 98101 direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628 email: chris.jacobs@apollogrp.edu
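The procedure in the reply above (read pwdMaxAge, back it off by the warning window, compare against pwdChangedTime or createTimestamp, notify), written out as an added example; this is not Chris's script or anything shipped with OpenLDAP. It assumes GNU date (as the reply does), the ppolicy attribute names pwdMaxAge, pwdChangedTime and createTimestamp, and that LDAPSEARCH, LDAPBIND, POLICY_DN and BASE_DN are set the way the reply's variables are. The LDIF, the 90-day pwdMaxAge and the fixed "now" are constructed sample data so the script runs without a directory; the ldapsearch line it stands in for is shown in a comment. It goes one step beyond the reply by also computing the calendar date each password expires, which is what the requested email needs to say.

```shell
#!/bin/sh
# Added example, not the list poster's script. Assumes GNU date and the
# ppolicy attributes pwdMaxAge / pwdChangedTime / createTimestamp.

WARN_DAYS=14

# Threshold in the same digit layout as GeneralizedTime: any account whose
# password was last changed before it expires within WARN_DAYS. $3 (epoch
# seconds for "now") is optional and exists only for reproducible runs.
compare_age() {
  pwdMaxAge=$1
  warn_days=${2:-$WARN_DAYS}
  now=${3:-$(date -u +%s)}
  warn_seconds=$((pwdMaxAge - warn_days * 24 * 60 * 60))
  date -u -d "@$((now - warn_seconds))" +%Y%m%d000000
}

# GeneralizedTime value plus pwdMaxAge -> calendar date the password expires.
expiry_date() {
  iso=$(printf '%s' "$1" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2}).*$/\1-\2-\3 \4:\5:\6/')
  changed_epoch=$(date -u -d "$iso UTC" +%s)
  date -u -d "@$((changed_epoch + $2))" +%Y-%m-%d
}

# Read ldapsearch -LLL output on stdin; print "<timestamp> <dn>" for each
# entry whose pwdChangedTime (or createTimestamp when it is absent) sorts
# before the threshold. The comparison is forced to string form so the
# trailing Z on GeneralizedTime cannot trip awk's numeric comparison.
expiring_accounts() {
  awk -v threshold="$1" '
    function flush() {
      if (dn != "") {
        ts = (changed != "") ? changed : created
        if (ts != "" && (ts "") < (threshold "")) print ts, dn
      }
      dn = ""; changed = ""; created = ""
    }
    /^dn: /              { flush(); dn = substr($0, 5) }
    /^pwdChangedTime: /  { changed = $2 }
    /^createTimestamp: / { created = $2 }
    /^$/                 { flush() }
    END                  { flush() }
  '
}

# Constructed sample standing in for (filter is an assumption; adjust to
# however your accounts are tied to the policy):
#   $LDAPSEARCH $LDAPBIND -b "$BASE_DN" "(pwdPolicySubentry=$POLICY_DN)" \
#       pwdChangedTime createTimestamp -LLL
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20120120093000Z
createTimestamp: 20110101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20120415120000Z
createTimestamp: 20110101000000Z

dn: uid=carol,ou=people,dc=example,dc=com
createTimestamp: 20120115000000Z'

# Constructed stand-in for the pwdMaxAge read from the policy entry (90 days).
PWD_MAX_AGE=7776000

main() {
  # 1335348660 = 2012-04-25 10:11 UTC, the thread's date; drop the third
  # argument to use the real clock.
  threshold=$(compare_age "$PWD_MAX_AGE" "$WARN_DAYS" 1335348660)
  printf '%s\n' "$SAMPLE_LDIF" | expiring_accounts "$threshold" |
  while read -r ts dn; do
    # Swap the printf for the site mail command once the DN-to-address
    # lookup is in place.
    printf 'notify %s: password expires on %s\n' "$dn" "$(expiry_date "$ts" "$PWD_MAX_AGE")"
  done
}

main
```

Two things worth checking before running this against a real directory: a pwdMaxAge of 0 (or an absent one) means passwords never expire, so the threshold arithmetic should be skipped for that policy, and a user with their own pwdPolicySubentry is governed by that entry's pwdMaxAge rather than the default policy's. Because the threshold is truncated to midnight (the 000000 suffix, as in the reply), the warning window is accurate to the day, which is fine for a weekly run.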
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Kline, Sara Sent: Wednesday, April 25, 2012 10:11 AM To: openldap-technical@openldap.org Subject: Way to email users when their password is about to expire?
Hey all, Our OpenLDAP environment is up and functional and is working great. I was asked if there is a way to have the server email users when their account password is about to expire. For instance, 7 days before expiration they get an email that lets them know their password will expire on date x. Is there functionality within OpenLDAP to do this, or has anyone written a script that would do it? We are using the policy overlay to enforce the password policy.
Sara Kline System Administrator Transaction Network Services, Inc 4501 Intelco Loop, Lacey WA 98503 Wk: (360) 493-6736 Cell: (360) 280-2495