LinuxQuestions.org
Old 08-04-2011, 04:27 AM   #1
Doknik
LQ Newbie
 
Registered: Jun 2010
Posts: 26

Rep: Reputation: 1
LDAP Account Password Expiry Script


Hi,

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire and also force them to change their passwords.
I am fairly new to LDAP. I am running openldap 2.3.43.el5 on RHEL 5.3.
I am trying to find a solution (possibly in script form) but I am open to other tried and tested solutions.

What I am aiming to do is to parse, filter or format the LDAP query output from the command below (example)

slapcat -b "cn=Manager,dc=berkerly,dc=ac,dc=uk"

such that I get an output that shows the user cn (name) and the user's pwdChangedTime field from the LDAP database, for example

cn: jbloggs
pwdChangedTime: 2011078159Z

or better still all on the same line like

cn: jbloggs pwdChangedTime: 2011078159Z

This way I can tell when the users' passwords were last changed and then, based on our password policy, work out when the LDAP account users' passwords will expire.
In effect this will enable me to work out whose passwords expire soon from a mini report.
I am hoping to do this in a script but am not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP of listing a user's cn (name) and pwdChangedTime or other fields? I am an LDAP newbie and I am only familiar with the slapcat command, which lists all the LDAP users and their various attribute fields in the LDAP database. This slapcat output is not easy to grep and awk to find exactly what I am looking for.

Also I need confirmation as to whether the field pwdChangedTime: truly represents the date when the password for that user was last changed.

Finally, is there a way of forcing users to change their LDAP passwords as you do on normal local Unix/Linux accounts?

Your help would be greatly appreciated.
 
Old 08-04-2011, 04:36 AM   #2
mpapet
Member
 
Registered: Nov 2003
Location: Los Angeles
Distribution: debian
Posts: 452

Rep: Reputation: 46
Quote:
Originally Posted by Doknik
Hi,

I need to find a way of automatically notifying LDAP account users as to when their passwords will expire and also force them to change their passwords.
I am fairly new to LDAP. I am running openldap 2.3.43.el5 on RHEL 5.3.
I am trying to find a solution (possibly in script form) but I am open to other tried and tested solutions.

What I am aiming to do is to parse, filter or format the LDAP query output from the command below (example)

slapcat -b "cn=Manager,dc=berkerly,dc=ac,dc=uk"

such that I get an output that shows the user cn (name) and the user's pwdChangedTime field from the LDAP database, for example

cn: jbloggs
pwdChangedTime: 2011078159Z

OpenLDAP has an ldapsearch program that will get you part of the way. I picture the rest of the way being a script that does the searching, then an email out to the person. Perl/Python have good LDAP modules and date/time modules too.

Quote:
Originally Posted by Doknik
or better still all on the same line like

cn: jbloggs pwdChangedTime: 2011078159Z

This way I can tell when the users' passwords were last changed and then, based on our password policy, work out when the LDAP account users' passwords will expire.
In effect this will enable me to work out whose passwords expire soon from a mini report.
I am hoping to do this in a script but am not sure how to achieve this from the slapcat command output.
Is there a way or command in LDAP of listing a user's cn (name) and pwdChangedTime or other fields? I am an LDAP newbie and I am only familiar with the slapcat command, which lists all the LDAP users and their various attribute fields in the LDAP database. This slapcat output is not easy to grep and awk to find exactly what I am looking for.

Also I need confirmation as to whether the field pwdChangedTime: truly represents the date when the password for that user was last changed.

Finally, is there a way of forcing users to change their LDAP passwords as you do on normal local Unix/Linux accounts?

Your help would be greatly appreciated.

If you don't update the pwdChangedTime field when the password changes, then it's not 'true.' Or, maybe I'm missing something here? Is OpenLDAP some part of a larger identity management solution in your situation?

Sending an email with a URL to a page where they can manage their personal data would be the way to go IMHO. Just depends on your requirements.
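
The report asked for in post #1, sketched along the lines post #2 suggests (LDIF text in, script does the date arithmetic), as an added example that is not part of either post. Assumptions: the function names, the example.com DNs, a 90-day maximum password age and a 30-day warning window are all illustrative; the real maximum age comes from your own password policy.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like LDIF from ldapsearch or slapcat; the DNs are
# placeholders. The second dn is folded onto two lines, as LDIF does with long lines.
SAMPLE_LDIF = """\
dn: uid=jbloggs,ou=People,dc=example,dc=com
cn: jbloggs
pwdChangedTime: 20110601093000Z

dn: uid=asmith,ou=Research Computing,ou=Departments,ou=People,dc=example,dc
 =com
cn: asmith
pwdChangedTime: 20110725120000Z

dn: uid=svc-backup,ou=People,dc=example,dc=com
cn: svc-backup
"""

def parse_ldif(text):
    """Yield one {attribute: first value} dict per blank-line separated entry."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(name, value)
        if entry:
            yield entry

def expiry_report(text, max_age_days, warn_days, now):
    """Return (cn, expiry, days_left) rows due within warn_days, soonest first."""
    rows = []
    for entry in parse_ldif(text):
        stamp = entry.get("pwdChangedTime", "")
        if not re.fullmatch(r"\d{14}Z", stamp):
            continue  # absent, or not YYYYmmddHHMMSSZ (strptime alone is too lenient)
        changed = datetime.strptime(stamp, "%Y%m%d%H%M%SZ")
        expires = changed.replace(tzinfo=timezone.utc) + timedelta(days=max_age_days)
        days_left = (expires - now).days  # negative once the password has expired
        if days_left <= warn_days:
            rows.append((entry.get("cn", entry.get("dn")), expires, days_left))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    today = datetime(2011, 8, 4, tzinfo=timezone.utc)  # fixed so output is stable
    for cn, expires, left in expiry_report(SAMPLE_LDIF, 90, 30, today):
        print(f"cn: {cn} pwdExpires: {expires:%Y-%m-%d} daysLeft: {left}")
```

Entries with no pwdChangedTime (here svc-backup) are skipped rather than reported, so accounts whose password has never been changed under the policy need a separate check.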
 
  


All times are GMT -5. The time now is 01:39 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration