[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: detecting password expiration warnings by admin
- To: Buchan Milne <bgmilne@staff.telkomsa.net>
- Subject: Re: detecting password expiration warnings by admin
- From: Tyler Gates <tgates81@gmail.com>
- Date: Mon, 15 Mar 2010 18:43:17 -0400
- Cc: openldap-technical@openldap.org
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=95mGmwdRjObE0BjLGlcxJB3zzJ3zJWPUOYr1nfULbPU=; b=sPfrn6OEOfEQFxr451c7sdaj2p8Bn6+zWYzGGpkaix+Re4NqlfxlZTUUzYmnYFQYaH Tu9sDvVh2FZqxUdJAIMRCHOz4fZnO7GIC/NeXgI5fqZfndJP75Uf5CW4f7PzhN9gSl1a SEBBOqn7FouZ9gvIrrb8dGyV+4doXp6uDLC7c=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=qKB5cexRdBYfwUm/df83TjfIfgUAxpVGz+mMjLBB/f+0q+pdyo4nUopCtyw917muzg BX2fQynqU+ao6geTRKVX/YjdJQ0q6prHAj3aGQGNP4QK3bpsFmb+mF9A+bWp9f5N8Nq5 f2nG6zLWTVgG2y9T3qFvrM2RP0O1f+PeI1Km4=
- In-reply-to: <201003152042.26291.bgmilne@staff.telkomsa.net>
- References: <4B9AD98F.7090800@gmail.com> <201003151206.22765.bgmilne@staff.telkomsa.net> <4B9E7352.4030009@gmail.com> <201003152042.26291.bgmilne@staff.telkomsa.net>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.8) Gecko/20100313 Thunderbird/3.0.3
On 03/15/2010 03:42 PM, Buchan Milne wrote:
> On Monday, 15 March 2010 18:50:10 Tyler Gates wrote:
>
>> On 03/15/2010 07:06 AM, Buchan Milne wrote:
>>
>>> On Saturday, 13 March 2010 01:17:19 Tyler Gates wrote:
>>>
>>>> Hi Guys,
>>>> We are currently looking into implementing password expirations
>>>> (pwdMaxAge) along with password expiration warnings (pwdExpireWarning)
>>>> so that email notifications may be sent to those offending entries via a
>>>> cronjob run as the admin (or some other ACL user).
>>>>
>>> You're not clear here on whether you already have a cron job for this, or
>>> whether you are attempting to write one.
>>>
>> I'm attempting to write one.
>>
>>
>>>> The problem is, if I
>>>> understand it correctly, these warning messages are only relayed (via
>>>> password policy controls ?) when the USER itself binds to the tree. Is
>>>> there some other way for a privileged user to obtain these messages or
>>>> at least some other set attribute before pwdMaxAge has been reached?
>>>>
>>> As far as I can see, no, the only way is to interpret the state values in
>>> the DN along with the applicable password policy.
>>>
>>>
>>>> If
>>>> you are thinking of increasing the pwdAuthGraceNLimit that wont work
>>>> because the user could login and try binding several other times through
>>>> the course of the day before receiving a "password is about to expire in
>>>> nlogin attempts" which is preformed each time they login to their
>>>> machine.
>>>>
>>>> Below is an example of what works to get the info I need, binding as a
>>>> user (again not what I want):
>>>>
>>> I have implemented as follows:
>>>
>>> 1)A script that can operate either as command-line passwd replacement, or
>>> CGI, which allows the user to check their password and be prompted to
>>> change it if it has expired, as well as handling any ppolicy errors
>>> during password change.
>>>
>>> 2)A perl script to search the directory for DN's whose passwords are
>>> about to expire, sending them a mail notifying them when the password
>>> will expire, with a link to the URL where (1) runs as a CGI
>>>
>>> 3)A script for the admin to unlock accounts that have been locked out,
>>> reset their password, and send them a notification.
>>>
>>> I would like to merge (2) and (3), but I was in quite a hurry to get this
>>> working as I had a number of users who were locked out at the time.
>>>
>>> The scripts (1) and (2) in their present state are available at
>>> http://staff.telkomsa.net/~bgmilne/ldap/ . I am still trying to resolve
>>> one or two issues, but they should be of use to you.
>>>
>>> If (3) would be useful to you, I will make that available as (or, an
>>> updated (2) which has the functionality).
>>>
>>> Regards,
>>> Buchan
>>>
>> Thanks Buchan. I was hoping to not have to resort to parsing LDAP values
>> but it appears to be the only way.
>> You're second script (find-ldap-expired.pl.old)
>>
> BTW, I corrected the permissions on the current version of it.
>
>
>> IS what I'm looking for.
>> I am however having to change a few snippets to get it to work for me
>> and I think your pwdSubPolicyEntry parsing logic
>>
> Let me know if I missed any scenarios where users should or should not be
> notified.
>
>
>> may not be quite right
>> -perhaps find dn's with pwdPolicySubPolicyEntry's store in a hash and
>> run through each valid policy, then those without any specified as being
>> assumed the $defaultpolicy?
>>
> I prefer to let the LDAP server do the heavy lifting, by creating an
> appropriate filter based on the policy (and whether or not it is the default
> policy). In this way, only the required entries are returned, instead of
> pulling all the users and evaluating them on the client side. I haven't done
> any profiling, but I am quite sure in most real deployments, this is the more
> efficient method (assuming the attributes used in the search are indexed).
>
Yes you are right, I misunderstood how you were running through the loop
with your filters -it does cover all bases.
I think the whole 'work backwards from the current time' approach can be
a bit confusing to follow. Just curious, was there a reason you didn't
just take the pwdChangeTime, add it by the approriate pwdExpireWarning
and pwdMaxAge and compare those values with the current time?
>
>> If you are interested I'll email you a copy
>> once I'm done.
>>
> Please look at the newer version first, there were substantial changes.
>
>
>> Also, I can use the cgi password change script too. Currently our users
>> are blocked a login with a GTK password change tool if their password
>> has expired but for those pesky macbooks I'll need a web interface tool
>> to do the job.
>>
> For users logging in to Unix desktops, the display manager should handle
> password changes (at least kdm does), but it's often necessary to provide a
> fall-back (e.g. if people can access services from outside the network, and
> need a means to change passwords from outside the network).
>
> Regards,
> Buchan
>
Correct but in our environment GDM is too outdated (we are halted with
Fedora 7) to be able handle such as task.
Your CGI script is exactly what I had in mind to write next. ;)