Hi everyone,

I thought that others may find this useful. We have migrated away from local accounts to fds, but needed a way to detect password changes to user objects in fds. There are 2 scripts involved with this: the first will generate a list of uids and their password expiration times; the second script (a Perl script) will use epoch time to determine if a given user's password expiration time is 90 days from today. The scripts assume that there is an fds password policy set that will force user object passwords to expire 90 days after being set. I'm sure that others will be able to make these scripts more efficient, but they do get the job done.... Enjoy.

Aaron

#!/bin/bash
# this script is designed to detect password changes for users
# located in the ldap directory
# this script assumes your password policy is set so that user objects
# will have a passwordExpirationTime of 90 days after setting their passwords

# generate a list of uids
ldapsearch -b ou=Users,dc=preferredcare,dc=org -x -ZZ uid | grep '^uid' | awk '{print $2}' | sort > /tmp/listdns

# let's process our list
exec < /tmp/listdns
while read -r line
do
    pwuser=$(echo "$line" | awk '{ print $1 }')

    # skip uids that are not safe to place in an ldap filter or a file name
    case "$pwuser" in
        ''|*[!A-Za-z0-9._-]*) continue ;;
    esac

    # this is going to get our expiration dates for us (first 8 chars: YYYYMMDD)
    pswar=$(ldapsearch -x -ZZ "(uid=$pwuser)" passwordexpirationtime | grep -i passwordexpirationtime | grep -v '#' | awk '{print $2}' | cut -c 1-8)

    # no expiration time on this entry, nothing to check
    [ -n "$pswar" ] || continue

    # set up some vars for the check
    pwmonth=$(echo "$pswar" | cut -c 5-6)
    pwday=$(echo "$pswar" | cut -c 7-8)
    pwyear=$(echo "$pswar" | cut -c 1-4)

    # remove any result left over from a previous run
    if [ -e "/tmp/$pwuser.out" ] ; then
        rm -f "/tmp/$pwuser.out"
    fi

    # perl script expects input year month day user
    /myepoch.pl "$pwyear" "$pwmonth" "$pwday" "$pwuser"

    # check to see if the temp file was created
    if [ -e "/tmp/$pwuser.out" ] ; then
        echo "$pwuser password was changed"
    fi
done

#!/usr/bin/perl
use strict;
use warnings;
use Time::Local;

# epoch secs for 2 weeks equal 1209600

# set up vars that were passed in: year, month, day, user in that order
die "usage: $0 year month day user\n" unless @ARGV == 4;
my $varpass0 = $ARGV[0];
my $varpass1 = $ARGV[1];
my $varpass2 = $ARGV[2];
my $varpass3 = $ARGV[3];

# timelocal doesn't work for dates past the year 2038
if ($varpass0 >= 2038) {
    exit 0;
}

# get today's date and format it properly
# be aware localtime is going to format year-1900 and month-1
my ($mday, $mmonth, $myear) = (localtime(time))[3,4,5];
my $epdate = timelocal(0, 0, 0, $mday, $mmonth, $myear);

# get epoch date for when password will expire
# we have to format what was passed to us to make it usable by timelocal
my $varpass00 = $varpass0 - 1900;
my $varpass11 = $varpass1 - 1;
my $passexp = timelocal(0, 0, 0, $varpass2, $varpass11, $varpass00);

# subtract today from the password expiration and see what we get (in days)
my $passans = ($passexp - $epdate) / 86400;

# let's see where we stand
# and send a warning to the end users if necessary
my $passans1 = int($passans);

# set this to be 1 less than your password expiration policy
if ($passans > 89) {
    # 3-arg open keeps the user name from being read as part of the open mode
    open(my $new, '>', "/tmp/$varpass3.out") or die "cannot write /tmp/$varpass3.out: $!\n";
    print $new "$passans1\n";
    close $new;
}
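
The same check in a single pass, as an added example that is not part of the original post: it parses the LDIF from one ldapsearch (requesting uid and passwordExpirationTime), compares dates with integer arithmetic so expirations past 2038 are handled rather than skipped, and writes no files under /tmp. The function names, the example.org entries and the fixed "today" value are constructed for illustration.

```sh
# Added example: reads LDIF (uid + passwordExpirationTime) on stdin and prints
# "uid days_left" when the expiration date is at least POLICY_DAYS away.

# Days since 1970-01-01 for a YYYYMMDD string; integer math only, no 2038 limit.
ymd_to_days() {
    y=$(printf '%s' "$1" | cut -c1-4)
    m=$(printf '%s' "$1" | cut -c5-6); m=${m#0}   # strip leading 0 so 08 is not octal
    d=$(printf '%s' "$1" | cut -c7-8); d=${d#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# Print the current entry if its date is well-formed and far enough out.
report() {
    [ -n "$uid" ] && [ ${#exp} -eq 8 ] || return 0
    case "$exp" in *[!0-9]*) return 0 ;; esac     # accept 8 digits only
    left=$(( $(ymd_to_days "$exp") - today ))
    if [ "$left" -ge "$policy" ]; then printf '%s %s\n' "$uid" "$left"; fi
}

# usage: recent_changes TODAY_YYYYMMDD POLICY_DAYS < ldif
recent_changes() {
    today=$(ymd_to_days "$1"); policy=$2; uid=; exp=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            uid:\ *) uid=${line#uid: } ;;
            [Pp]assword[Ee]xpiration[Tt]ime:\ *)
                exp=$(printf '%s' "${line#*: }" | cut -c1-8) ;;  # date part only
            '') report; uid=; exp= ;;                           # blank line ends an entry
        esac
    done
    report                                                      # last entry may lack a blank line
}

# Constructed sample LDIF; "today" is fixed so the result is reproducible.
sample_ldif='dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
passwordExpirationTime: 20070514153000Z

dn: uid=bob,ou=Users,dc=example,dc=org
passwordExpirationTime: 20070401000000Z
uid: bob

dn: uid=carol,ou=Users,dc=example,dc=org
uid: carol
passwordExpirationTime: 20390101000000Z'
printf '%s\n' "$sample_ldif" | recent_changes 20070213 90
```

Against a live directory, pipe `ldapsearch -x -ZZ -b ou=Users,dc=preferredcare,dc=org uid passwordExpirationTime` into `recent_changes "$(date -u +%Y%m%d)" 90`.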