[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: detecting password expiration warnings by admin



Hey Buchan,

find-ldap-expired.pl

on the link you posted gives an "Access forbidden" (I can get all
others).

Thanks,
John


-----Original Message-----
From:
openldap-technical-bounces+john.kane=prodeasystems.com@OpenLDAP.org
[mailto:openldap-technical-bounces+john.kane=prodeasystems.com@OpenLDAP.
org] On Behalf Of Buchan Milne
Sent: Monday, March 15, 2010 6:06 AM
To: openldap-technical@openldap.org
Cc: Tyler Gates
Subject: Re: detecting password expiration warnings by admin

On Saturday, 13 March 2010 01:17:19 Tyler Gates wrote:
> Hi Guys,
>     We are currently looking into implementing password expirations
> (pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
> so that email notifications may be sent to those offending entries via
a
> cronjob run as the admin (or some other ACL user).

You're not clear here on whether you already have a cron job for this,
or 
whether you are attempting to write one.

> The problem is, if I
> understand it correctly, these warning messages are only relayed (via
> password policy controls ?) when the USER itself binds to the tree. Is
> there some other way for a privileged user to obtain these messages or
> at least some other set attribute before pwdMaxAge has been reached?

As far as I can see, no, the only way is to interpret the state values
in the 
DN along with the applicable password policy.

> If
> you are thinking of increasing the pwdAuthGraceNLimit that wont work
> because the user could login and try binding several other times
through
> the course of the day before receiving a "password is about to expire
in
> nlogin attempts" which is preformed each time they login to their
machine.
> 
> Below is an example of what works to get the info I need, binding as a
> user (again not what I want):

I have implemented as follows:

1)A script that can operate either as command-line passwd replacement,
or CGI, 
which allows the user to check their password and be prompted to change
it if 
it has expired, as well as handling any ppolicy errors during password
change.

2)A perl script to search the directory for DN's whose passwords are
about to 
expire, sending them a mail notifying them when the password will
expire, with 
a link to the URL where (1) runs as a CGI

3)A script for the admin to unlock accounts that have been locked out,
reset 
their password, and send them a notification.

I would like to merge (2) and (3), but I was in quite a hurry to get
this 
working as I had a number of users who were locked out at the time.

The scripts (1) and (2) in their present state are available at 
http://staff.telkomsa.net/~bgmilne/ldap/ . I am still trying to resolve
one or 
two issues, but they should be of use to you.

If (3) would be useful to you, I will make that available as (or, an
updated 
(2) which has the functionality).

Regards,
Buchan



This message is confidential to Prodea Systems, Inc unless otherwise indicated 
or apparent from its nature. This message is directed to the intended recipient 
only, who may be readily determined by the sender of this message and its 
contents. If the reader of this message is not the intended recipient, or an 
employee or agent responsible for delivering this message to the intended 
recipient:(a)any dissemination or copying of this message is strictly 
prohibited; and(b)immediately notify the sender by return message and destroy 
any copies of this message in any form(electronic, paper or otherwise) that you 
have.The delivery of this message and its information is neither intended to be 
nor constitutes a disclosure or waiver of any trade secrets, intellectual 
property, attorney work product, or attorney-client communications. The 
authority of the individual sending this message to legally bind Prodea Systems  
is neither apparent nor implied,and must be independently verified.