Here’s how we did it, in broad terms – we’re using password policy (ppolicy) too.
We query LDAP for pwdMaxAge for password policy we’re addressing (this is in seconds).
Then we subtract two weeks from it (for two weeks’ worth of warning – our script runs once a week)
… and then capture the date/time that many seconds ago (for easy comparing when looping through accounts)
… in the same format the pwdChangedTime (and createTimestamp) are stored in.
Example of above in bash (vars LDAPSEARCH, LDAPBIND, Policy being set previously):
pwdMaxAge=$($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}')   # policy lifetime, in seconds
twoweeks=$((14*24*60*60))                                     # warning window, in seconds
pwdWarnAgeSeconds=$((pwdMaxAge-$twoweeks))                    # age at which warnings start
pwdCompareAge=$(date -d "$pwdWarnAgeSeconds seconds ago" +%Y%m%d000000)   # same digit layout as pwdChangedTime
Of course, that can be one-lined, but obfuscated code is lame – especially in a work environment.
pwdCompareAge=$(date -d "$(($($LDAPSEARCH $LDAPBIND -b $Policy pwdMaxAge -LLL | grep ^pwdMaxAge | awk '{print $2}')- $((14*24*60*60)))) seconds ago" +%Y%m%d000000)
(That’s probably broken somewhere… blech).
We then search for accounts using the password policy we’re addressing, and parse those accounts where pwdChangedTime (or, if it’s missing, createTimestamp) is less than pwdCompareAge (set above), and send them
an email with instructions on how to change the password.
That’s how we did it at least. Good luck!
- chris
Chris Jacobs
Systems Administrator, Technology Services Group
Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc.
1501 4th Ave | Suite 2500 | Seattle, WA 98101 direct 206.839.8245 | cell 206.601.3256 | Fax 206.644.0628
email: chris.jacobs@apollogrp.edu
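A runnable sketch of the compare-and-select step described above, added here as an example and not code from Chris's script: it assumes GNU date (as the original does) and uses a constructed LDIF snippet in place of a live ldapsearch; the DNs, timestamps and the 90-day pwdMaxAge used in the usage note are made up.

```shell
# Constructed sample of what "ldapsearch -LLL ... pwdChangedTime createTimestamp"
# might print; DNs and times are invented for this example.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20120201000000Z
createTimestamp: 20100101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
createTimestamp: 20120205090000Z

dn: uid=carol,ou=people,dc=example,dc=com
createTimestamp: 20110101000000Z
pwdChangedTime: 20120301080000Z
'

# Threshold in the pwdChangedTime digit layout: "now" minus (pwdMaxAge - 14 days),
# truncated to midnight like the original. Arguments: pwdMaxAge in seconds and
# the current time as a Unix epoch (passed in so the result is repeatable).
compare_age() {
    warn_seconds=$(( $1 - 14*24*60*60 ))
    date -u -d "@$(( $2 - warn_seconds ))" +%Y%m%d000000
}

# Prints the DN of the entry collected so far if its effective change time
# (pwdChangedTime, else createTimestamp) is older than the threshold.
flag_entry() {
    ts=${changed:-$created}
    ts=${ts%Z}    # drop the generalized-time UTC suffix for a numeric compare
    if [ -n "$dn" ] && [ -n "$ts" ] && [ $(( ts < threshold )) -eq 1 ]; then
        printf '%s\n' "$dn"
    fi
}

# Reads LDIF on stdin; attribute order within an entry does not matter.
expiring_accounts() {
    threshold=$1
    dn='' changed='' created=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'dn: '*)              dn=${line#dn: } ;;
            'pwdChangedTime: '*)  changed=${line#pwdChangedTime: } ;;
            'createTimestamp: '*) created=${line#createTimestamp: } ;;
            '')                   flag_entry; dn='' changed='' created='' ;;
        esac
    done
    flag_entry    # the last entry may not be followed by a blank line
}
```

With a 90-day pwdMaxAge (7776000 seconds) and "now" fixed at 2012-04-25 00:00 UTC, the threshold is 20120209000000; alice is flagged by pwdChangedTime, bob by the createTimestamp fallback, and carol is not flagged because her pwdChangedTime is recent even though her createTimestamp is old.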
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org]
On Behalf Of Kline, Sara
Sent: Wednesday, April 25, 2012 10:11 AM
To: openldap-technical@openldap.org
Subject: Way to email users when their password is about to expire?
Hey all,
Our OpenLDAP environment is up and functional and is working great. I was asked if there is a way to have the server email users when their account password is about to expire. For instance, 7 days before expiration they get an email that
lets them know their password will expire on date x. Is there functionality within OpenLDAP to do this, or has anyone written a script that would do it?
We are using the policy overlay to enforce the password policy.
Sara Kline
System Administrator
Transaction Network Services, Inc
4501 Intelco Loop, Lacey WA 98503
Wk: (360) 493-6736
Cell: (360) 280-2495