
detecting password expiration warnings by admin
Hi Guys,
    We are currently looking into implementing password expirations
(pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
so that email notifications may be sent to those offending entries via a
cronjob run as the admin (or some other ACL user). The problem is, if I
understand it correctly, these warning messages are only relayed (via
password policy controls?) when the USER itself binds to the tree. Is
there some other way for a privileged user to obtain these messages, or
at least some other set attribute, before pwdMaxAge has been reached? If
you are thinking of increasing pwdGraceAuthNLimit, that won't work,
because the user could log in and try binding several other times through
the course of the day before receiving a "password is about to expire in
n login attempts" message, which is performed each time they log in to their machine.

Below is an example of what works to get the info I need, binding as a
user (again, not what I want):

#####################################################################################################
#!/usr/bin/perl

use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY);
use POSIX qw(ceil);

my $ldap_host = "ldap://hostname.mydomain.com";
my $ldap_port = "389";
my $ldap = Net::LDAP->new($ldap_host, port => $ldap_port)
    or die "Cannot connect to $ldap_host: $@\n";
my $seconds_in_a_day = 86400;
my $seconds_in_an_hour = 3600;

# Ask the server to attach the password policy control to the bind result
my $pp = Net::LDAP::Control::PasswordPolicy->new;

my $mesg = $ldap->bind("uid=someuser,ou=People,dc=mydomain,dc=com",
              password => "secret",
              control => [ $pp ] );

# Get password policy response; it is only present when the server runs
# the ppolicy overlay and the bound user is subject to a policy
my ($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);

if (defined($resp)) {
        my $v = $resp->pp_error;
        print "Password policy error $v\n" if defined $v;
        $v = $resp->time_before_expiration;
        if (defined $v) {
                my $days  = ceil($v / $seconds_in_a_day);
                my $hours = ceil($v / $seconds_in_an_hour);
                print "Your password expires in less than $days day(s) ($hours hour(s))\n";
        }
}

# Report bind failures after the control has been examined, because a
# failed bind can still carry a policy error (e.g. password expired)
warn "Bind failed: " . $mesg->error . "\n" if $mesg->code;
####################################################################################################
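The admin-side check the post is asking for, computed from the pwdChangedTime operational attribute that the ppolicy overlay keeps on each entry rather than from the bind-time control (added example, not the poster's code): a privileged bind that can read operational attributes exports the entries (for instance an ldapsearch that names pwdChangedTime in its attribute list), and the script derives the expiry time and warning window itself. The DNs, mail addresses and policy values are constructed for the example.

```python
from datetime import datetime, timedelta

# Policy values, constructed for this example; take them from the
# pwdMaxAge / pwdExpireWarning attributes of your pwdPolicy entry.
PWD_MAX_AGE = 90 * 86400          # seconds a password stays valid
PWD_EXPIRE_WARNING = 7 * 86400    # seconds before expiry to start warning
# Constructed LDIF (hypothetical DNs), as an admin-bind search that
# requests the pwdChangedTime operational attribute would return it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com
pwdChangedTime: 20240101120000Z

dn: uid=bob,ou=People,dc=example,dc=com
mail: bob@example.com
pwdChangedTime: 20240301120000Z
"""
def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC (e.g. 20240101120000Z)."""
    if len(value) < 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, single-valued attributes only."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, val = line.partition(": ")
        current[attr] = val
    if current:
        entries.append(current)
    return entries

def expiry_status(entry, now, max_age=PWD_MAX_AGE, warning=PWD_EXPIRE_WARNING):
    """Seconds until the password expires (negative once expired) and whether
    the entry is inside the pwdExpireWarning window; 'now' is GeneralizedTime."""
    expires = parse_generalized_time(entry["pwdChangedTime"]) + timedelta(seconds=max_age)
    remaining = int((expires - parse_generalized_time(now)).total_seconds())
    return remaining, 0 < remaining <= warning

def entries_to_warn(ldif_text, now):
    """(mail, seconds_left) for every entry the cron job should notify."""
    return [(e["mail"], left) for e in parse_ldif(ldif_text)
            for left, warn in [expiry_status(e, now)] if warn]
```

Entries that carry their own pwdPolicySubentry may be governed by a different pwdMaxAge, so the single policy assumed here must be resolved per entry in that case.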