Re: detecting password expiration warnings by admin

[Tyler Gates <tgates81@gmail.com>]

On 03/15/2010 07:06 AM, Buchan Milne wrote:
> On Saturday, 13 March 2010 01:17:19 Tyler Gates wrote:
>   
>> Hi Guys,
>>     We are currently looking into implementing password expirations
>> (pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
>> so that email notifications may be sent to those offending entries via a
>> cronjob run as the admin (or some other ACL user).
>>     
> You're not clear here on whether you already have a cron job for this, or 
> whether you are attempting to write one.
>   
I'm attempting to write one.
>   
>> The problem is, if I
>> understand it correctly, these warning messages are only relayed (via
>> password policy controls ?) when the USER itself binds to the tree. Is
>> there some other way for a privileged user to obtain these messages or
>> at least some other set attribute before pwdMaxAge has been reached?
>>     
> As far as I can see, no, the only way is to interpret the state values in the 
> DN along with the applicable password policy.
>
>   
>> If
>> you are thinking of increasing the pwdAuthGraceNLimit that wont work
>> because the user could login and try binding several other times through
>> the course of the day before receiving a "password is about to expire in
>> nlogin attempts" which is preformed each time they login to their machine.
>>
>> Below is an example of what works to get the info I need, binding as a
>> user (again not what I want):
>>     
> I have implemented as follows:
>
> 1)A script that can operate either as command-line passwd replacement, or CGI, 
> which allows the user to check their password and be prompted to change it if 
> it has expired, as well as handling any ppolicy errors during password change.
>
> 2)A perl script to search the directory for DN's whose passwords are about to 
> expire, sending them a mail notifying them when the password will expire, with 
> a link to the URL where (1) runs as a CGI
>
> 3)A script for the admin to unlock accounts that have been locked out, reset 
> their password, and send them a notification.
>
> I would like to merge (2) and (3), but I was in quite a hurry to get this 
> working as I had a number of users who were locked out at the time.
>
> The scripts (1) and (2) in their present state are available at 
> http://staff.telkomsa.net/~bgmilne/ldap/ . I am still trying to resolve one or 
> two issues, but they should be of use to you.
>
> If (3) would be useful to you, I will make that available as (or, an updated 
> (2) which has the functionality).
>
> Regards,
> Buchan
>   
Thanks Buchan. I was hoping to not have to resort to parsing LDAP values
but it appears to be the only way.
You're second script (find-ldap-expired.pl.old) IS what I'm looking for.
I am however having to change a few snippets to get it to work for me
and I think your pwdSubPolicyEntry parsing logic may not be quite right
-perhaps find dn's with pwdPolicySubPolicyEntry's store in a hash and
run through each valid policy, then those without any specified as being
assumed the $defaultpolicy? If you are interested I'll email you a copy
once I'm done.
Also, I can use the cgi password change script too. Currently our users
are blocked a login with a GTK password change tool if their password
has expired but for those pesky macbooks I'll need a web interface tool
to do the job.

Thanks again Buchan,
     Tyler