[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: detecting password expiration warnings by admin

To: Tyler Gates <tgates81@gmail.com>
Subject: Re: detecting password expiration warnings by admin
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Mon, 15 Mar 2010 20:42:26 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <4B9E7352.4030009@gmail.com>
References: <4B9AD98F.7090800@gmail.com> <201003151206.22765.bgmilne@staff.telkomsa.net> <4B9E7352.4030009@gmail.com>
User-agent: KMail/1.12.2 (Linux/2.6.31.12-desktop-1mnb; KDE/4.3.2; x86_64; ; )

On Monday, 15 March 2010 18:50:10 Tyler Gates wrote:
> On 03/15/2010 07:06 AM, Buchan Milne wrote:
> > On Saturday, 13 March 2010 01:17:19 Tyler Gates wrote:
> >> Hi Guys,
> >>     We are currently looking into implementing password expirations
> >> (pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
> >> so that email notifications may be sent to those offending entries via a
> >> cronjob run as the admin (or some other ACL user).
> >
> > You're not clear here on whether you already have a cron job for this, or
> > whether you are attempting to write one.
> 
> I'm attempting to write one.
> 
> >> The problem is, if I
> >> understand it correctly, these warning messages are only relayed (via
> >> password policy controls ?) when the USER itself binds to the tree. Is
> >> there some other way for a privileged user to obtain these messages or
> >> at least some other set attribute before pwdMaxAge has been reached?
> >
> > As far as I can see, no, the only way is to interpret the state values in
> > the DN along with the applicable password policy.
> >
> >> If
> >> you are thinking of increasing the pwdAuthGraceNLimit that wont work
> >> because the user could login and try binding several other times through
> >> the course of the day before receiving a "password is about to expire in
> >> nlogin attempts" which is preformed each time they login to their
> >> machine.
> >>
> >> Below is an example of what works to get the info I need, binding as a
> >> user (again not what I want):
> >
> > I have implemented as follows:
> >
> > 1)A script that can operate either as command-line passwd replacement, or
> > CGI, which allows the user to check their password and be prompted to
> > change it if it has expired, as well as handling any ppolicy errors
> > during password change.
> >
> > 2)A perl script to search the directory for DN's whose passwords are
> > about to expire, sending them a mail notifying them when the password
> > will expire, with a link to the URL where (1) runs as a CGI
> >
> > 3)A script for the admin to unlock accounts that have been locked out,
> > reset their password, and send them a notification.
> >
> > I would like to merge (2) and (3), but I was in quite a hurry to get this
> > working as I had a number of users who were locked out at the time.
> >
> > The scripts (1) and (2) in their present state are available at
> > http://staff.telkomsa.net/~bgmilne/ldap/ . I am still trying to resolve
> > one or two issues, but they should be of use to you.
> >
> > If (3) would be useful to you, I will make that available as (or, an
> > updated (2) which has the functionality).
> >
> > Regards,
> > Buchan
> 
> Thanks Buchan. I was hoping to not have to resort to parsing LDAP values
> but it appears to be the only way.
> You're second script (find-ldap-expired.pl.old)

BTW, I corrected the permissions on the current version of it.

> IS what I'm looking for.
> I am however having to change a few snippets to get it to work for me
> and I think your pwdSubPolicyEntry parsing logic

Let me know if I missed any scenarios where users should or should not be 
notified.

> may not be quite right
> -perhaps find dn's with pwdPolicySubPolicyEntry's store in a hash and
> run through each valid policy, then those without any specified as being
> assumed the $defaultpolicy?

I prefer to let the LDAP server do the heavy lifting, by creating an 
appropriate filter based on the policy (and whether or not it is the default 
policy). In this way, only the required entries are returned, instead of 
pulling all the users and evaluating them on the client side. I haven't done 
any profiling, but I am quite sure in most real deployments, this is the more 
efficient method (assuming the attributes used in the search are indexed).

> If you are interested I'll email you a copy
> once I'm done.

Please look at the newer version first, there were substantial changes.

> Also, I can use the cgi password change script too. Currently our users
> are blocked a login with a GTK password change tool if their password
> has expired but for those pesky macbooks I'll need a web interface tool
> to do the job.

For users logging in to Unix desktops, the display manager should handle 
password changes (at least kdm does), but it's often necessary to provide a 
fall-back (e.g. if people can access services from outside the network, and 
need a means to change passwords from outside the network).

Regards,
Buchan

Follow-Ups:
- Re: detecting password expiration warnings by admin
  - From: Tyler Gates <tgates81@gmail.com>

References:
- detecting password expiration warnings by admin
  - From: Tyler Gates <tgates81@gmail.com>
- Re: detecting password expiration warnings by admin
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
- Re: detecting password expiration warnings by admin
  - From: Tyler Gates <tgates81@gmail.com>

Prev by Date: Re: detecting password expiration warnings by admin
Next by Date: Re: detecting password expiration warnings by admin
Index(es):
- Chronological
- Thread