Here’s how we did it, in broad terms – we’re using password policy (ppolicy) too.

We query LDAP for pwdMaxAge for password policy we’re addressing (this is in seconds).

Then we subtract two weeks from it (for two weeks’ worth of warning – our script runs once a week)

… and then capture the date/time that many seconds ago (for easy comparing when looping through accounts)

… in the same format the pwdChangedTime (and createTimestamp) are stored in.

Example of above in bash (vars LDAPSEARCH, LDAPBIND, Policy being set previously):

pwdMaxAge=$($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}')

twoweeks=$((14*24*60*60))

pwdWarnAgeSeconds=$((pwdMaxAge-$twoweeks))

pwdCompareAge=$(date -d "$pwdWarnAgeSeconds seconds ago" +%Y%m%d000000)

Of course, that could be one-lined, but obfuscated code is lame – especially in a work environment.

pwdCompareAge=$(date -d "$(($($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}') - $((14*24*60*60)))) seconds ago" +%Y%m%d000000)

(That’s probably broken somewhere… blech).

We then search for accounts using the password policy we’re addressing, and parse those accounts where pwdChangedTime (or, if it’s missing, createTimestamp) is less than pwdCompareAge (set above), and send them an email with instructions on how to change the password.

That’s how we did it at least. Good luck!

- chris

Chris Jacobs

Systems Administrator, Technology Services Group

Apollo Group  |  Apollo Marketing & Product Development  |  Aptimus, Inc.

1501 4th Ave  |  Suite 2500  |  Seattle, WA 98101

direct 206.839.8245  |  cell 206.601.3256  |  Fax 206.644.0628

email: chris.jacobs@apollogrp.edu
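
Added example, not the script from Chris's post: a self-contained bash version of the steps he describes (read pwdMaxAge, compute a cut-off timestamp, walk the LDIF that ldapsearch returns, take pwdChangedTime or fall back to createTimestamp, and report the accounts inside the warning window, together with the date each password actually expires). The variables LDAPSEARCH, LDAPBIND, Policy and Base, the LDAP_LIVE switch, and the use of a pwdPolicySubentry filter to select accounts on one policy are assumptions; the LDIF and the 90-day policy are constructed sample data, and by default the script runs against that sample with a fixed "now".

```shell
#!/usr/bin/env bash
# Added example, not the script from the original post.
# Assumed: LDAPSEARCH, LDAPBIND, Policy, Base are set when LDAP_LIVE=1.
set -eu

WARN_SECONDS=$((14*24*60*60))   # two weeks of warning, as in the original post

# GeneralizedTime (YYYYMMDDHHMMSSZ, UTC) for "(pwdMaxAge - warn) seconds ago".
# Passwords changed before this instant expire within the warning window.
# An optional third argument fixes "now" (epoch seconds) for reproducible runs.
cutoff_time() {
    pwd_max_age=$1; warn=$2; now=${3:-$(date -u +%s)}
    date -u -d "@$((now - (pwd_max_age - warn)))" +%Y%m%d%H%M%SZ
}

# GeneralizedTime -> epoch seconds (GNU date).
gt_to_epoch() {
    iso=$(printf '%s' "$1" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z?$/\1-\2-\3 \4:\5:\6 UTC/')
    date -u -d "$iso" +%s
}

# Calendar date on which a password last changed at $1 expires under pwdMaxAge $2.
expiry_date() {
    date -u -d "@$(( $(gt_to_epoch "$1") + $2 ))" +%Y-%m-%d
}

# Read LDIF (ldapsearch -LLL style) on stdin; print "dn TAB mail TAB changed"
# for entries whose pwdChangedTime, or createTimestamp when the password was
# never changed, sorts before the cut-off. Same-format GeneralizedTime strings
# compare correctly as plain strings, so no date parsing is needed here.
# Note: "before the cut-off" also catches passwords that have already expired.
expiring_accounts() {
    awk -v cutoff="$1" '
        function flush() {
            if (dn != "") {
                changed = (pwdChangedTime != "") ? pwdChangedTime : createTimestamp
                if (changed != "" && (changed "") < (cutoff "")) printf "%s\t%s\t%s\n", dn, mail, changed
            }
            dn = ""; mail = ""; pwdChangedTime = ""; createTimestamp = ""
        }
        /^dn: /              { flush(); dn = substr($0, 5) }
        /^mail: /            { mail = substr($0, 7) }
        /^pwdChangedTime: /  { pwdChangedTime = substr($0, 17) }
        /^createTimestamp: / { createTimestamp = substr($0, 18) }
        END { flush() }
    '
}

# Constructed sample: what ldapsearch -LLL might return for three accounts.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
mail: alice@example.com
createTimestamp: 20120101120000Z
pwdChangedTime: 20120301120000Z

dn: uid=bob,ou=people,dc=example,dc=com
mail: bob@example.com
createTimestamp: 20120101120000Z

dn: uid=carol,ou=people,dc=example,dc=com
mail: carol@example.com
createTimestamp: 20120420080000Z
pwdChangedTime: 20120420080000Z'

PWD_MAX_AGE=$((90*24*60*60))    # constructed sample policy: 90-day maximum age

if [ "${LDAP_LIVE:-0}" = "1" ]; then
    # Live mode: the same queries as the post; pwdPolicySubentry selects accounts
    # explicitly assigned to this policy (accounts on the default policy lack it).
    PWD_MAX_AGE=$($LDAPSEARCH $LDAPBIND -b "$Policy" -LLL pwdMaxAge | awk '/^pwdMaxAge:/ {print $2}')
    cutoff=$(cutoff_time "$PWD_MAX_AGE" "$WARN_SECONDS")
    entries=$($LDAPSEARCH $LDAPBIND -b "$Base" -LLL "(pwdPolicySubentry=$Policy)" mail pwdChangedTime createTimestamp)
else
    cutoff=$(cutoff_time "$PWD_MAX_AGE" "$WARN_SECONDS" 1335312000)   # fixed "now": 2012-04-25T00:00:00Z
    entries=$SAMPLE_LDIF
fi

printf '%s\n' "$entries" | expiring_accounts "$cutoff" |
while IFS="$(printf '\t')" read -r dn mail changed; do
    # Replace this printf with a real mailer (e.g. piping to sendmail) in production.
    printf 'To: %s\nSubject: your password expires on %s\n\n(%s)\n\n' \
        "$mail" "$(expiry_date "$changed" "$PWD_MAX_AGE")" "$dn"
done
```

Run it as-is to see the sample output (only bob, who never changed the password he was given on 2012-01-01, falls inside the window), or with LDAP_LIVE=1 and the assumed variables set to query a real directory. Because pwdChangedTime is compared against a single cut-off, accounts whose password has already expired are reported as well; filter those separately if they should get a different message.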

From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Kline, Sara
Sent: Wednesday, April 25, 2012 10:11 AM
To: openldap-technical@openldap.org
Subject: Way to email users when their password is about to expire?

Hey all,

Our OpenLDAP environment is up and functional and is working great. I was asked if there is a way to have the server email users when their account password is about to expire. For instance, 7 days before expiration they get an email that lets them know their password will expire on date x. Is there functionality within OpenLDAP to do this, or has anyone written a script that would do it?

We are using the policy overlay to enforce the password policy.

Sara Kline

System Administrator

Transaction Network Services, Inc

4501 Intelco Loop, Lacey WA 98503

Wk: (360) 493-6736

Cell: (360) 280-2495
