Re: detecting password expiration warnings by admin
- To: openldap-technical@openldap.org
- Subject: Re: detecting password expiration warnings by admin
- From: Tyler Gates <tgates81@gmail.com>
- Date: Mon, 15 Mar 2010 13:50:10 -0400
- Cc: Buchan Milne <bgmilne@staff.telkomsa.net>
- In-reply-to: <201003151206.22765.bgmilne@staff.telkomsa.net>
- References: <4B9AD98F.7090800@gmail.com> <201003151206.22765.bgmilne@staff.telkomsa.net>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100313 Thunderbird/3.0.3
On 03/15/2010 07:06 AM, Buchan Milne wrote:
> On Saturday, 13 March 2010 01:17:19 Tyler Gates wrote:
>
>> Hi Guys,
>> We are currently looking into implementing password expirations
>> (pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
>> so that email notifications may be sent to those offending entries via a
>> cronjob run as the admin (or some other ACL user).
>>
> You're not clear here on whether you already have a cron job for this, or
> whether you are attempting to write one.
>
I'm attempting to write one.
>
>> The problem is, if I
>> understand it correctly, these warning messages are only relayed (via
>> password policy controls ?) when the USER itself binds to the tree. Is
>> there some other way for a privileged user to obtain these messages or
>> at least some other set attribute before pwdMaxAge has been reached?
>>
> As far as I can see, no, the only way is to interpret the state values in the
> DN along with the applicable password policy.
>
>
>> If
>> you are thinking of increasing the pwdAuthGraceNLimit that won't work
>> because the user could login and try binding several other times through
>> the course of the day before receiving a "password is about to expire in
>> nlogin attempts" which is performed each time they login to their machine.
>>
>> Below is an example of what works to get the info I need, binding as a
>> user (again not what I want):
>>
> I have implemented as follows:
>
> 1) A script that can operate either as command-line passwd replacement, or CGI,
> which allows the user to check their password and be prompted to change it if
> it has expired, as well as handling any ppolicy errors during password change.
>
> 2) A Perl script to search the directory for DNs whose passwords are about to
> expire, sending them a mail notifying them when the password will expire, with
> a link to the URL where (1) runs as a CGI
>
> 3) A script for the admin to unlock accounts that have been locked out, reset
> their password, and send them a notification.
>
> I would like to merge (2) and (3), but I was in quite a hurry to get this
> working as I had a number of users who were locked out at the time.
>
> The scripts (1) and (2) in their present state are available at
> http://staff.telkomsa.net/~bgmilne/ldap/ . I am still trying to resolve one or
> two issues, but they should be of use to you.
>
> If (3) would be useful to you, I will make that available as (or, an updated
> (2) which has the functionality).
>
> Regards,
> Buchan
>
Thanks, Buchan. I was hoping not to have to resort to parsing LDAP values,
but it appears to be the only way.
Your second script (find-ldap-expired.pl.old) IS what I'm looking for.
I am, however, having to change a few snippets to get it to work for me,
and I think your pwdSubPolicyEntry parsing logic may not be quite right
- perhaps find DNs with pwdPolicySubPolicyEntry's stored in a hash and
run through each valid policy, then those without any specified are
assumed to use the $defaultpolicy? If you are interested I'll email you a copy
once I'm done.
Also, I can use the CGI password change script too. Currently our users
are blocked at login with a GTK password change tool if their password
has expired, but for those pesky MacBooks I'll need a web interface tool
to do the job.
Thanks again, Buchan,
Tyler