detecting password expiration warnings by admin
- To: openldap-technical@openldap.org
- Subject: detecting password expiration warnings by admin
- From: Tyler Gates <tgates81@gmail.com>
- Date: Fri, 12 Mar 2010 19:17:19 -0500
- User-agent: Thunderbird 2.0.0.23 (X11/20100303)
Hi Guys,
We are currently looking into implementing password expirations
(pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
so that email notifications may be sent to those offending entries via a
cronjob run as the admin (or some other ACL user). The problem is, if I
understand it correctly, these warning messages are only relayed (via
password policy controls?) when the USER itself binds to the tree. Is
there some other way for a privileged user to obtain these messages, or
at least some other set attribute, before pwdMaxAge has been reached? If
you are thinking of increasing the pwdAuthGraceNLimit, that won't work,
because the user could log in and try binding several other times through
the course of the day before receiving a "password is about to expire in
nlogin attempts", which is performed each time they log in to their machine.
Below is an example of what works to get the info I need, binding as a
user (again, not what I want):
#####################################################################################################
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY);
use Net::LDAP::Control::PasswordPolicy;
use POSIX qw(ceil);

my $ldap_host = "ldap://hostname.mydomain.com";
my $ldap_port = 389;
my $ldap = Net::LDAP->new($ldap_host, port => $ldap_port)
    or die "Cannot connect to $ldap_host: $@";

my $seconds_in_a_day   = 86400;
my $seconds_in_an_hour = 3600;

# Ask the server to attach the password policy response control to the bind result
my $pp = Net::LDAP::Control::PasswordPolicy->new;
my $mesg = $ldap->bind("uid=someuser,ou=People,dc=mydomain,dc=com",
                       password => "secret",
                       control  => [ $pp ]);

# Get password policy response (read it before checking the bind result,
# because an expired password fails the bind but still carries pp_error)
my ($resp) = $mesg->control(LDAP_CONTROL_PASSWORDPOLICY);
if (defined $resp) {
    my $v = $resp->pp_error;
    print "Password policy error $v\n" if defined $v;
    $v = $resp->time_before_expiration;
    if (defined $v) {
        my $days  = ceil($v / $seconds_in_a_day);
        my $hours = ceil($v / $seconds_in_an_hour);
        print "Your password expires in less than $days day(s) ($hours hour(s))\n";
    }
}
warn "Bind failed: " . $mesg->error . "\n" if $mesg->code;
$ldap->unbind;
####################################################################################################
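An added example, not part of the original post, of the admin-side check the question is after: instead of waiting for the user's own bind to return the control, it assumes the cronjob has bound as an ACL user and fetched each entry's pwdChangedTime (an operational attribute, so it must be requested by name or with "+") together with the pwdMaxAge and pwdExpireWarning of the applicable policy, and then computes which passwords are inside the warning window the same way the ppolicy overlay does (expiry = pwdChangedTime + pwdMaxAge). The entries and policy below are constructed sample data, not output from any real directory.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for an admin-bound search result and
# for the pwdPolicy entry; values are LDAP GeneralizedTime in UTC.
POLICY = {"pwdMaxAge": 90 * 86400, "pwdExpireWarning": 14 * 86400}
ENTRIES = {
    "uid=alice,ou=People,dc=mydomain,dc=com": {"pwdChangedTime": "20100301120000Z"},
    "uid=bob,ou=People,dc=mydomain,dc=com":   {"pwdChangedTime": "20091220000000Z"},
    "uid=carol,ou=People,dc=mydomain,dc=com": {},  # never changed under ppolicy
    "uid=dave,ou=People,dc=mydomain,dc=com":  {"pwdChangedTime": "20091101000000Z"},
}

def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSS[.fff]Z form OpenLDAP writes into pwdChangedTime
    (fractional seconds are dropped)."""
    m = re.fullmatch(r"(\d{14})(?:[.,]\d+)?Z", value)
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def seconds_until_expiry(entry, policy, now):
    """Seconds left before pwdMaxAge elapses, or None if the password does not
    expire: pwdMaxAge of 0 disables expiry, and an entry with no pwdChangedTime
    has never had its password set under ppolicy, so there is nothing to age."""
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or changed is None:
        return None
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    return int((expires - now).total_seconds())

def expiring_entries(entries, policy, now):
    """Return {dn: seconds_left} for passwords inside the pwdExpireWarning
    window, including already-expired ones (seconds_left <= 0)."""
    warn = int(policy.get("pwdExpireWarning", 0))
    result = {}
    for dn, attrs in entries.items():
        left = seconds_until_expiry(attrs, policy, now)
        if left is not None and left <= warn:
            result[dn] = left
    return result

if __name__ == "__main__":
    now = parse_generalized_time("20100312000000Z")  # fixed clock for the sample
    for dn, left in expiring_entries(ENTRIES, POLICY, now).items():
        state = "expired" if left <= 0 else "expires in %d day(s)" % (left // 86400)
        print("%s: %s" % (dn, state))  # the cronjob would send its mail here
```

Per-user policies (pwdPolicySubentry) and pwdReset are not handled here; the lookup would have to pick the right policy entry per user before calling seconds_until_expiry.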