Re: Get user password expiration date

[Mark Reynolds <mareynol@xxxxxxxxxx>]

Leo,

Would you mind if I put this script on our wiki page (http://www.port389.org)?

Thanks,
Mark

On 11/03/2016 09:49 AM, Leo Pleiman wrote:

I put together this little script, run from cron, to email my users when it's time to change their password. Feel free to use and chop up if you like..

#!/usr/bin/perl

# Name: check_password_expiration_date.pl

# Author: Leo Pleiman

# Date: July 11, 2013

# This is designed as a cron job to query the password expiration date on accounts and send an email

# of the impending expiration to the account owner and the Systems Admins

use Date::Calc qw( Delta_Days Today );

use Mail::Sendmail;

$cmd = "\/usr\/bin\/ldapsearch -x passwordexpirationtime=*|grep uid:|grep -v apple|cut -c6- >/tmp/users\n";

system $cmd;

open USERS, "/tmp/users" or die "Couldn't open file";

while (<USERS>) {

chomp;

$user = $_;

$USER = uc($user);

$cmd = "\/usr\/bin\/ldapsearch -x uid=$user + passwordexpirationtime|grep passwordexpirationtime:|cut -d: -f2|cut -c2-9 >/tmp/date\n";

system $cmd;

system "cat /tmp/date|cut -c1-4 >/tmp/year";

system "cat /tmp/date|cut -c5-6 >/tmp/month";

system "cat /tmp/date|cut -c7-8 >/tmp/day";

open FILE, "/tmp/year" or die "Couldn't open file";

while (<FILE>) {

chomp;

$YEAR = $_;

close FILE;

}

open FILE, "/tmp/month" or die "Couldn't open file";

while (<FILE>) {

chomp;

$MONTH = $_;

close FILE;

}

open FILE, "/tmp/day" or die "Couldn't open file";

while (<FILE>) {

chomp;

$DAY = $_;

close FILE;

}

($YEAR2,$MONTH2,$DAY2) = Today();

$days = Delta_Days($YEAR2,$MONTH2,$DAY2, $YEAR,$MONTH,$DAY);

$DAYS = $days - 7;

#print "$days   $DAYS   $USER\n";

if ($DAYS <= 7 ) {

if ($DAYS <= 0 ) {

%mail = ( To      => "$user\@example.com",

  Cc      => 'systemsgroup@xxxxxxxxxxx',

                          From    => 'systemsgroup@xxxxxxxxxxx',

                          Subject => "$USER YOUR PASSWORD HAS EXPIRED",

                          Message => "$user, your password has expired. You have a limited number of logins avaliable before your account will be locked. Proceed immediately to blah, blah, blah\n   sysref $days"

                        );

                sendmail(%mail) or die $Mail::Sendmail::error;

                }

else {

%mail = ( To      => "$user\@example.com",

                          From    => 'systemsgroup@xxxxxxxxxxx',

                          Subject => "$USER YOUR PASSWORD IS ABOUT TO EXPIRE",

                          Message => "$user, your password will expire in $DAYS days. Reference blah, blah, blah  instructions on changing your password."

);

sendmail(%mail) or die $Mail::Sendmail::error;

# print "OK. Log says:\n", $Mail::Sendmail::log;

}

}

}

close USERS;

system "cd /tmp;rm -rf users date year month day";

exit

Leo Pleiman

Senior System Engineer

Direct 202-787-3622

Cell 410-688-3873

DonorPro merged with Salsa, read about it here.

On Thu, Nov 3, 2016 at 9:37 AM, Predrag Zečević - Technical Support Analyst <predrag.zecevic@xxxxxxxxxxxxxx> wrote:

On 11/ 3/16 01:21 PM, Mark Reynolds wrote:

Todor,

All you need to do is request the passwordexpirationtime attribute from
the user entry:

For example:

# ldapsearch -D "cn=directory manager" -W -b "dc=domain,dc=com"
uid=USERID passwordexpirationtime

Regards,
Mark

Hi,

there are also more password attributes:
$ ldapsearch -xLLLD "cn=directory manager" -W -b "dc=my-domain,dc=com" uid=USERID passwordExpirationTime passwordExpWarned passwordGraceUserTime passwordRetryCount passwordAllowChangeTime passwordHistory

With best regards.
Predrag Zečević

On 11/03/2016 03:10 AM, Todor Petkov wrote:

Hello,

I am trying to get the user password expiration date, so I can write a
script to send warning email before this. I am running the following:
ldapsearch -v -LLLx -h localhost -b
'cn="cn=nsPwPolicyEntry,uid=user,ou=People,dc=domain,dc=com",cn=nsPwPolicyContainer,ou=People,dc=domain,dc=com'
"(objectclass=ldapsubentry)"

But I don't see such attribute in the results. Can you give me a hint
what's the ldap query? My versions are:

389-admin-console-1.1.8-1.el6.noarch
389-ds-1.2.2-1.el6.noarch
389-adminutil-1.1.19-1.el6.x86_64
389-ds-base-libs-1.2.11.15-75.el6_8.x86_64
389-ds-base-1.2.11.15-75.el6_8.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-admin-console-doc-1.1.8-1.el6.noarch
389-admin-1.1.35-1.el6.x86_64
389-console-1.1.7-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-dsgw-1.1.11-1.el6.x86_64


Thanks in advance,
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org

--
Predrag Zečević
Technical Support Analyst
2e Systems GmbH

Telephone: +49 6196 9505 815, Facsimile: +49 6196 9505 894
Mobile:    +49 174 3109 288,     Skype: predrag.zecevic
E-mail:    predrag.zecevic@xxxxxxxxxxxxxx

Headquarter:          2e Systems GmbH, Königsteiner Str. 87,
                      65812 Bad Soden am Taunus, Germany
Company registration: Amtsgericht Königstein (Germany), HRB 7303
Managing director:    Phil Douglas

http://www.2e-systems.com/ - Making your business fly!
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx