LinuxQuestions.org


Doknik 06-15-2011 11:03 AM

Automatic Password Expiry Notification Tool for LDAP and AD
 
Hi,
I am looking for a recommended automatic password expiration notification tool. Can anyone advise on the best secure and most recommended tool out there, commercial or free, preferably free?
We run a Linux and Windows platform that uses Windows Active Directory and OpenLDAP 2.3.43-3.el5 to authenticate users. However, we do get a lot of users requesting password resets, particularly in the Linux environment, and we need a good, tried and tested automated tool or script that can manage this. We need an LDAP and Active Directory tool that notifies users, particularly Linux users, automatically days before their password will expire and forces them to change it themselves or have it reset by the Linux administrator. I am kinda new to LDAP; is there any such facility within OpenLDAP?
I have read about Netwrix and Novell Tools but not sure if these are tried and tested tools.
Any advice will be greatly appreciated.

Tinkster 06-15-2011 04:48 PM

I haven't stumbled upon a ready made tool to do this, but using
perl or shell script (in combination with ldapsearch) it should
be easy enough to script a solution. All it takes is to pull all
users pwdChangedTime attribute, and do some date maths on it.
Run from a cron job, and you're done.


Cheers,
Tink
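
The ldapsearch-plus-date-maths approach described in the post above, as an added example that is not part of the original thread or any poster's code. The LDIF entries, the 90-day maximum age, the 14-day warning window and the `<BASE_DN>` placeholder are assumptions; the function names are hypothetical.

```shell
# Added example with constructed data; 90-day max age and 14-day warning are
# assumed values. Real input would come from something like:
#   ldapsearch -x -LLL -b "<BASE_DN>" '(pwdChangedTime=*)' uid mail pwdChangedTime
# Convert LDAP generalized time (YYYYMMDDhhmmss[.frac]Z, UTC) to epoch seconds.
gt_to_epoch() (
  set -- $(printf '%s\n' "$1" |
    sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\).*/\1 \2 \3 \4 \5 \6/')
  y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0}
  # Days-from-civil: count years from March so the leap day falls last.
  if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 12)); fi
  days=$((365*y + y/4 - y/100 + y/400 + (153*(m - 3) + 2)/5 + d - 719469))
  echo $((days*86400 + H*3600 + M*60 + S))
)
# Read unwrapped LDIF on stdin; print "uid mail days_left" for every entry whose
# password expires within $3 days. $1 = now (epoch), $2 = max age in seconds.
# Entries without pwdChangedTime are skipped.
expiring_users() (
  now=$1 max_age=$2 warn=$3 uid= mail= changed=
  flush() {
    if [ -n "$uid" ] && [ -n "$changed" ]; then
      left=$(( ($(gt_to_epoch "$changed") + max_age - now) / 86400 ))
      if [ "$left" -le "$warn" ]; then printf '%s %s %s\n' "$uid" "$mail" "$left"; fi
    fi
    uid= mail= changed=
  }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      'uid: '*) uid=${line#"uid: "} ;;
      'mail: '*) mail=${line#"mail: "} ;;
      'pwdChangedTime: '*) changed=${line#"pwdChangedTime: "} ;;
      '') flush ;;   # blank line ends an LDIF entry
    esac
  done
  flush            # last entry has no trailing blank line
)
sample_ldif() { cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com
pwdChangedTime: 20110401090000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
mail: bob@example.com
pwdChangedTime: 20110610120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
EOF
}
sample_ldif | expiring_users "$(gt_to_epoch 20110620000000Z)" $((90*86400)) 14
```

Each output line carries the address and remaining days a cron job needs to send the reminder, so dormant users are reached without having to log in.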

Doknik 06-16-2011 01:41 AM

Thanks for your help

fernandomerces 06-16-2011 02:42 AM

Humm, I think ppolicy OpenLDAP module can help you. See http://linux.die.net/man/5/slapo-ppolicy for more information. ;)

Good luck.

Tinkster 06-16-2011 04:03 AM

Quote:

Originally Posted by fernandomerces (Post 4387260)
Humm, I think ppolicy OpenLDAP module can help you. See http://linux.die.net/man/5/slapo-ppolicy for more information. ;)

Good luck.

I'm curious ... how will the policy notify users of an impending
password expiry?


Cheers,
Tink

fernandomerces 06-16-2011 09:13 AM

Quote:

Originally Posted by Tinkster (Post 4387309)
I'm curious ... how will the policy notify users of an impending
password expiry?

Cheers,
Tink

The server will answer with a "Password Policy Response" and the client needs to handle it. For example, when logging in to a system with an OpenLDAP account, the pam_ldap module handles it.

BR

Tinkster 06-16-2011 12:25 PM

Quote:

The server will answer with a "Password Policy Response" and the client needs to handle it. For example, when logging in to a system with an OpenLDAP account, the pam_ldap module handles it.

But their problem is that people don't log in, their passwords expire
and then they can't log in. He wants people to be alerted of an upcoming
expiry ahead of time (or at least that's my understanding).



Cheers,
Tink

fernandomerces 06-16-2011 12:51 PM

You're right, ppolicy will answer only if asked but since users log in regularly, you still can warn users before their password expires with pwdExpireWarning attribute. ;)

BR

Tinkster 06-16-2011 02:30 PM

Quote:

Originally Posted by fernandomerces (Post 4387737)
You're right, ppolicy will answer only if asked but since users log in regularly, you still can warn users before their password expires with pwdExpireWarning attribute. ;)

BR

Heh. Unfortunately that's not always the case. We have users
who will sit dormant for months at a time, and then when they
finally wish to login again they call us up. Testers, for example,
who work on projects, and don't need the shell on a daily basis.


He (the OP) seems to have a similar situation.



Cheers,
Tink

fernandomerces 06-16-2011 03:45 PM

Quote:

Originally Posted by Tinkster (Post 4387821)
Heh. Unfortunately that's not always the case. We have users
who will sit dormant for months at a time, and then when they
finally wish to login again they call us up. Testers, for example,
who work on projects, and don't need the shell on a daily basis.

He (the OP) seems to have a similar situation.

Cheers,
Tink

I understand. Well, in this case I think scripting is the only way. Sorry for the misunderstanding.

BR

Doknik 06-17-2011 06:04 AM

Guys, thank you all very much for your help, I really appreciate it ... I will research into how to use the ppolicy OpenLDAP that Fernandomerces suggested; it seems promising. Fernando, I don't want to reinvent the wheel, but is there a more direct step-by-step guide on how to do this? Also, if I do this successfully I will document it and send you a copy or share the knowledge. Any other suggestion will be appreciated. Gurus, keep replying.


All times are GMT -5.