LinuxQuestions.org
Old 06-15-2011, 12:03 PM   #1
Doknik
LQ Newbie
 
Registered: Jun 2010
Posts: 26

Rep: Reputation: 1
Automatic Password Expiry Notification Tool for LDAP and AD


Hi,
I am looking for a recommended automatic password expiration notification tool. Can anyone advise on the best secure and most recommended tool out there, commercial or free, preferably free?
We run a Linux and Windows platform that uses Windows Active Directory and OpenLDAP 2.3.43-3.el5 to authenticate users. However, we do get a lot of users requesting password resets, particularly in the Linux environment, and we need a good, tried and tested automated tool or script that can manage this. We need an LDAP and Active Directory tool that notifies users, particularly Linux users, automatically days before their password will expire and forces them to change it themselves or have it reset by the Linux administrator. I am kinda new to LDAP; is there any such facility within OpenLDAP?
I have read about Netwrix and Novell Tools but am not sure if these are tried and tested tools.
Any advice will be greatly appreciated.
 
Old 06-15-2011, 05:48 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,000
Blog Entries: 11

Rep: Reputation: 893
I haven't stumbled upon a ready-made tool to do this, but using
perl or shell script (in combination with ldapsearch) it should
be easy enough to script a solution. All it takes is to pull all
users' pwdChangedTime attribute, and do some date maths on it.
Run from a cron job, and you're done.


Cheers,
Tink

Last edited by Tinkster; 06-15-2011 at 06:03 PM.
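
Added example, not part of any post in this thread: the approach from post #2 (pull each user's pwdChangedTime with ldapsearch, then do the date maths), run over constructed `ldapsearch -LLL` output. The entries and mail addresses are made up, the policy values are passed in seconds as pwdMaxAge and pwdExpireWarning are, and `parse_ldif` and `expiring` are names chosen for this example.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch -LLL ... uid mail pwdChangedTime` output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,
 dc=example,dc=com
uid: alice
mail: alice@example.com
pwdChangedTime: 20110401090000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
mail:: Ym9iQGV4YW1wbGUuY29t
pwdChangedTime: 20110610120000Z

dn: uid=svc-backup,ou=People,dc=example,dc=com
uid: svc-backup
"""

def parse_ldif(text):
    """One dict per entry; unfolds wrapped lines, decodes 'attr:: base64' (last value wins)."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # double colon marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def expiring(entries, max_age, warn, now):
    """(uid, mail, whole days left) for passwords inside the warning window; negative = expired."""
    due = []
    for e in entries:
        changed = e.get("pwdChangedTime")
        if not changed:  # ppolicy: without pwdChangedTime the password does not expire
            continue
        stamp = changed.rstrip("Z").split(".")[0]  # GeneralizedTime, fraction dropped
        when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        left = when + timedelta(seconds=max_age) - now
        if left <= timedelta(seconds=warn):
            due.append((e.get("uid"), e.get("mail"), left.days))
    return due
```

pwdChangedTime is an operational attribute, so the ldapsearch call has to request it by name; a cron job would feed that output to `parse_ldif` and mail each address returned by `expiring`.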
 
Old 06-16-2011, 02:41 AM   #3
Doknik
LQ Newbie
 
Registered: Jun 2010
Posts: 26

Original Poster
Rep: Reputation: 1
Thanks for your help
 
Old 06-16-2011, 03:42 AM   #4
fernandomerces
LQ Newbie
 
Registered: Jun 2011
Location: Brazil
Distribution: Debian Wheezy
Posts: 11

Rep: Reputation: Disabled
Hmm, I think the ppolicy OpenLDAP module can help you. See http://linux.die.net/man/5/slapo-ppolicy for more information.

Good luck.
 
Old 06-16-2011, 05:03 AM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,000
Blog Entries: 11

Rep: Reputation: 893
Quote:
Originally Posted by fernandomerces
Hmm, I think the ppolicy OpenLDAP module can help you. See http://linux.die.net/man/5/slapo-ppolicy for more information.

Good luck.
I'm curious ... how will the policy notify users of an impending
password expiry?


Cheers,
Tink
 
Old 06-16-2011, 10:13 AM   #6
fernandomerces
LQ Newbie
 
Registered: Jun 2011
Location: Brazil
Distribution: Debian Wheezy
Posts: 11

Rep: Reputation: Disabled
Quote:
Originally Posted by Tinkster
I'm curious ... how will the policy notify users of an impending
password expiry?

Cheers,
Tink
The server will answer with a "Password Policy Response" and the client needs to handle it. For example, when logging in to a system with an OpenLDAP account, the pam_ldap module handles it.

BR
 
Old 06-16-2011, 01:25 PM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,000
Blog Entries: 11

Rep: Reputation: 893
Quote:
The server will answer with a "Password Policy Response" and the client needs to handle it. For example, when logging in to a system with an OpenLDAP account, the pam_ldap module handles it.
But their problem is that people don't log in, their passwords expire
and then they can't log in. He wants people to be alerted of an upcoming
expiry ahead of time (or at least that's my understanding).



Cheers,
Tink
 
Old 06-16-2011, 01:51 PM   #8
fernandomerces
LQ Newbie
 
Registered: Jun 2011
Location: Brazil
Distribution: Debian Wheezy
Posts: 11

Rep: Reputation: Disabled
You're right, ppolicy will answer only if asked, but since users log in regularly, you can still warn users before their password expires with the pwdExpireWarning attribute.

BR
 
Old 06-16-2011, 03:30 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,000
Blog Entries: 11

Rep: Reputation: 893
Quote:
Originally Posted by fernandomerces
You're right, ppolicy will answer only if asked, but since users log in regularly, you can still warn users before their password expires with the pwdExpireWarning attribute.

BR
Heh. Unfortunately that's not always the case. We have users
who will sit dormant for months at a time, and then when they
finally wish to login again they call us up. Testers, for example,
who work on projects, and don't need the shell on a daily basis.


He (the OP) seems to have a similar situation.



Cheers,
Tink
 
Old 06-16-2011, 04:45 PM   #10
fernandomerces
LQ Newbie
 
Registered: Jun 2011
Location: Brazil
Distribution: Debian Wheezy
Posts: 11

Rep: Reputation: Disabled
Quote:
Originally Posted by Tinkster
Heh. Unfortunately that's not always the case. We have users
who will sit dormant for months at a time, and then when they
finally wish to login again they call us up. Testers, for example,
who work on projects, and don't need the shell on a daily basis.

He (the OP) seems to have a similar situation.

Cheers,
Tink
I understand. Well, in this case I think scripting is the only way. Sorry for the misunderstanding.

BR
 
Old 06-17-2011, 07:04 AM   #11
Doknik
LQ Newbie
 
Registered: Jun 2010
Posts: 26

Original Poster
Rep: Reputation: 1
Guys, thank you all very much for your help, I really appreciate it ... I will research how to use the ppolicy OpenLDAP that Fernandomerces suggested; it seems promising. Fernando, I don't want to reinvent the wheel, but is there a more direct step-by-step guide on how to do this? Also, if I do this successfully I will document it and send you a copy or share the knowledge. Any other suggestions will be appreciated. Gurus, keep replying.
 
  


All times are GMT -5.