LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   LDAP Account Password Expiry Script (http://www.linuxquestions.org/questions/linux-newbie-8/ldap-account-password-expiry-script-895495/)

Doknik 08-04-2011 05:27 AM

LDAP Account Password Expiry Script
 
Hi,

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire and also force them to change their passwords.
I am fairly new to LDAP.I am running openldap 2.3.43.el5 on RHEL 5.3
I am trying to find a solution (possibly in a script form) but i am open to other tried and tested solutions.

What i am aiming to do is to parse,filter or format the LDAP query output from the command below (example)

slapcat -b "cn=Manager,dc=berkerly dc=ac dc=uk"

such that i get an output that shows the user cn (name) and the users pwChangedTime field from the LDAP database for example

cn: jbloggs :
pwdChangedTime: 2011078159Z

or better still all on the same line like

cn: jbloggs :pwdChangedTime: 2011078159Z

This way i can tell when the users passwords was last changed and then based on our password policy work out when the LDAP account users passwords will expire.
In effect this will enable me work out whos passwords expires soon from a mini report.
I am hoping to do this in a script but not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP, of listing a users cn (name) and pwdChanged time or other fields.I am an LDAP newbie and i am only familiar with slapcat command which lists all the LDAP users and their various attribute fields i the LDAP database. This slapcat output is not easy to grep and awk to find exactly what i am looking for.

Also i need confirmation as to whether the field pwdChangedTime: truly represents the date when the password for that user was last changed.

Finally is there a way of forcing users to change their LDAP passwords as you do on normal local Unix,Linux accounts.

Your help would be greatly appreciated.

mpapet 08-04-2011 05:36 AM

Quote:

Originally Posted by Doknik (Post 4433398)
Hi,

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire and also force them to change their passwords.
I am fairly new to LDAP.I am running openldap 2.3.43.el5 on RHEL 5.3
I am trying to find a solution (possibly in a script form) but i am open to other tried and tested solutions.

What i am aiming to do is to parse,filter or format the LDAP query output from the command below (example)

slapcat -b "cn=Manager,dc=berkerly dc=ac dc=uk"

such that i get an output that shows the user cn (name) and the users pwChangedTime field from the LDAP database for example

cn: jbloggs :
pwdChangedTime: 2011078159Z

openldap has an ldapsearch program that will get you part of the way. I picture the rest of the way being a script that does the searching, then an email out to the person. Perl/Python have good LDAP modules and date/time modules too.

Quote:

Originally Posted by Doknik (Post 4433398)
or better still all on the same line like

cn: jbloggs :pwdChangedTime: 2011078159Z

This way i can tell when the users passwords was last changed and then based on our password policy work out when the LDAP account users passwords will expire.
In effect this will enable me work out whos passwords expires soon from a mini report.
I am hoping to do this in a script but not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP, of listing a users cn (name) and pwdChanged time or other fields.I am an LDAP newbie and i am only familiar with slapcat command which lists all the LDAP users and their various attribute fields i the LDAP database. This slapcat output is not easy to grep and awk to find exactly what i am looking for.

Also i need confirmation as to whether the field pwdChangedTime: truly represents the date when the password for that user was last changed.

Finally is there a way of forcing users to change their LDAP passwords as you do on normal local Unix,Linux accounts.

Your help would be greatly appreciated.

If you don't update the pwdChangeTime field when the password changes, then it's not 'true.' Or, maybe I'm missing something here? Is openldap some part of a larger Identity management solution in your situation?

Sending an email with a URL to a page where they can manage their personal data would be the way to go IMHO. Just depends on your requirements.


All times are GMT -5. The time now is 06:08 PM.