
Thread: Ldap/AD password expiration/renew

  1. #1

    Ldap/AD password expiration/renew

    Zimbra manages user auth in LDAP/AD well, but how do I manage password expiration (suppose I set passwords to expire in AD after 90 days and I have a set of users who use only the mail with AD auth but never access the domain from a PC)? Is there a way, without a custom ad-hoc script, to email a notice of the upcoming password expiration x days before? And a way to renew from the Zimbra interface?

    Thanks in advance. L

  2. #2

  3. #3

    I have created a script that you can use to notify users; you can add it to the zimbra cron (crontab -e as zimbra) to have it run daily.

    I don't think it will work with an external LDAP but you could modify it with an ldap query to get the change date.

    Code:
    #!/bin/bash
    ## Script to check if a user's password is expiring.
    ##
    ## Info:
    ## This script will start to warn the user when they have 5 days left, send a critical 
    ## warning to both the user and IT on one day left and, notify IT of users with expired 
    ## passwords. It logs to /var/log/cron.
    ##
    ## Usage:
    ## This should be run as a cron every day, it must run as the zimbra user.
    
    
    ### -- enter settings here -- ###
    
    ## E-mail address that gets IT notifications.
    NOTIFICATION=admin@example.com
    
    ## The domain we run against.
    DOMAIN=example.com
    
    ## Number of days for a warning.
    WARNAT=5
    
    ## Number of days for a critical warning.
    CRITWARNAT=1
    
    ## Enter address you do not want to test here. Pipe "|" separated
    EXEMPTEDADDRESS="admin@example.com|wiki@example.com|whatever@example.com"
    
    ## Web address of the location a user can change their password.
    CHANGEURL=https://zimbra.example.com
    
    
    ### -- end settings -- ###
    
    
    echo ""
    echo "Password Expire"
    echo "============================================"
    echo "LAUNCHED: `date`"
    logger -p cron.info -t PASSWORD_EXPIRE script running.
    
    # Pull the expire value from zimbra and set variables for warning / critical.
    EXPIREVAL=`zmprov gc default zimbraPasswordMaxAge | sed 's/[^0-9]//g'| sed -n '/[0-9]/p'`
    EXCRITVAL=$(($EXPIREVAL - $CRITWARNAT ))
    EXWARNVAL=$(($EXPIREVAL - $WARNAT ))
    
    
    # The big loop.
    # Get accounts from Zimbra. (Skipping some internal accounts even though they won't cause problems)
    for USER in `zmprov gaa $DOMAIN | egrep -v -e "$EXEMPTEDADDRESS"`; do
    
    
      # Feedback
      echo -n "Performing test on... $USER"
    
    
      # Pull the user's last password modified time from Zimbra.
      CHANGEDATE=`zmprov ga $USER zimbraPasswordModifiedTime | sed 's/[^0-9]//g'| sed -n '/[0-9]/p' | cut -c 1-8`
    
    
      # Deal with a condition where the user has no password set.
      # This can be because it was never set, or because the user's
      # password does not expire as exempted by admin.
      if [[ ${#CHANGEDATE} != 8 ]]; then
    	echo " Oops! no password or expire not set for $USER - user skipped."
    	logger -p cron.info -t PASSWORD_EXPIRE - No password or expire not set for $USER
    	continue
      fi 
    
    
      # Set variables and get the date in a form we can perform
      # mathematical expressions on.
      CURDATE=`date +%Y%m%d`
      DAYCUR=$((`date -d $CHANGEDATE +%s` / 86400 ))
      DAYCHANGE=$((`date -d $CURDATE +%s` / 86400 ))
      DIF=$(($DAYCHANGE - $DAYCUR))
    
    
      # This is the main part, it checks and sends mail upon
      # various conditions.
      if [[ $DIF -ge $EXPIREVAL ]]; then
    	WARN=0
    	WARNIT=1
    	echo -n " WARNING $USER password has expired."
    		mail -s "User Password has expired." $NOTIFICATION  <<-END
    			The password for user ${USER} has expired by ${DIF} days.
    		END
     	logger -p cron.info -t PASSWORD_EXPIRE - $USER password has expired.
    
      elif [[ $DIF -ge $EXCRITVAL ]]; then
    	WARN=1
    	WARNIT=1
    	echo -n " WARNING $USER password will expire in 1 day."
    		mail -s "User Password is about to expire." $NOTIFICATION  <<-END
    			The password for user ${USER} will expire in 1 day.
    		END
    		mail -s "Your password is about to expire." $USER  <<-END
    			Your password will expire in 1 day. It is critical you change
    			it today.
    			
    			To change your password please go to ${CHANGEURL}
    			
    			--
    			IT Support
    		END
     	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $DIF days remain.
    
    
      elif [[ $DIF -ge $EXWARNVAL ]]; then
    	WARN=1
    	WARNIT=0
    	echo -n " WARNING user password will expire in $DIF days."
    		mail -s "Your password is about to expire." $USER  <<-END
    			Your password will expire in ${DIF} days. If you do not change it soon
    			you will not be able to login. It would be a good idea to change it now.
    			
    			To change your password please go to ${CHANGEURL}
    			
    			--
    			IT Support
    		END
     	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $DIF days remain.
    
      else
    	WARN=0	
    	WARNIT=0	
      fi
    
    
      # Feedback
      if [[ $WARN = 1 ]]; then
    	echo -n " ..user notified"
      fi
    
      if [[ $WARNIT = 1 ]]; then
    	echo -n " ..IT notified"
      fi
    
      echo " - done processing."
    
    # End loop and done.
    done
    
    logger -p cron.info -t PASSWORD_EXPIRE - finished.
    exit 0
    It's a little different than the one we use internally and I haven't tested this version but it is pretty close. Let me know if it works for you.
    Last edited by k1e0x; 11-13-2008 at 02:12 PM.

  4. #4

    password expiry notification

    @k1e0x
    Thanks for the script!
    One could also pull the zimbraPasswordMaxAge on a per-user basis if the default has been changed individually:
    Code:
    EXPIREVAL=`zmprov ga $USER zimbraPasswordMaxAge | sed 's/[^0-9]//g'| sed -n '/[0-9]/p'`
    EXCRITVAL=$(($EXPIREVAL - $CRITWARNAT ))
    EXWARNVAL=$(($EXPIREVAL - $WARNAT ))
    Place this in the main loop just below the CHANGEDATE expression.
    And don't forget to comment out the resp. expressions above ;-)


    @k1e0x: There is one small error in your script.
    $DIF is how many days have passed since the last password change:
    DIF=$(($DAYCHANGE - $DAYCUR))
    You can't use this value to report the remaining days.
    If you report the remaining days, use a new variable:
    Code:
     REM=$(($EXPIREVAL - $DIF))
    and replace $DIF in the elif branches, so it looks like this:
    Code:
      elif [[ $DIF -ge $EXCRITVAL ]]; then
        WARN=1
        WARNIT=1
        echo -n " ZIMBRA WARNING $USER email password will expire in 1 day."
                    mail -s "User Password is about to expire." $NOTIFICATION  <<-END
                        The password for user ${USER} will expire in 1 day.
                    END
                    mail -s "Your password is about to expire." $USER  <<-END
                            Dear ${USER},
                            your password will expire in 1 day. It is critical you change
                            it TODAY.
    
                            To change your password please go to ${CHANGEURL},
                            select Preferences 
                            and change your password in the Login Options section
                            --
                            IT Support 
                    END
        logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $REM days remain.
    
      elif [[ $DIF -ge $EXWARNVAL ]]; then
        WARN=1
        WARNIT=0
        echo -n " WARNING user password will expire in $REM days."
                mail -s "Your password is about to expire." $USER  <<-END
                    Dear ${USER},
                    your password will expire in ${REM} days. If you do not change it soon
                    you will not be able to login. It would be a good idea to change it now.
    
                    To change your password please go to ${CHANGEURL}
                    Select Preferences 
                    and change your password in the Login Options section
                    
                    --
                    IT Support 
                END
        logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $REM days remain.
    
      else
        WARN=0
        WARNIT=0
      fi
    Last edited by PeJH607; 09-28-2009 at 06:12 AM.

  5. #5

    I would add this change:

    Code:
      DAYCUR=$((`date -d $CURDATE +%s` / 86400 ))
      DAYCHANGE=$((`date -d $CHANGEDATE +%s` / 86400 ))
      DIF=$(($DAYCUR - $DAYCHANGE))
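
The arithmetic corrections from posts #4 and #5 (days since the change versus days remaining), pulled into functions that can be checked on their own. This is an added example, not code from any poster in this thread: the function names are hypothetical, it computes day numbers with integer math instead of `date -d` so the result does not depend on the local timezone, and treating a max age of 0 as "never expires" is an assumption.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread's script).
# Dates are YYYYMMDD, the form the script gets from `cut -c 1-8`.

# Day number (days since 1970-01-01) from YYYYMMDD, using integer math only.
day_number() (
  y=${1%????}; md=${1#????}; m=${md%??}; d=${md#??}
  m=${m#0}; d=${d#0}                       # strip leading zero (no octal)
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi # count the year from March
  era=$((y / 400)); yoe=$((y - era * 400))
  mp=$(( (m + 9) % 12 ))                   # March = 0 ... February = 11
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
)

# Days left before expiry (0 or less means expired).
# Args: change date, today's date, max age in days.
days_remaining() (
  dif=$(( $(day_number "$2") - $(day_number "$1") ))  # days since the change
  echo $(( $3 - dif ))                                # REM = EXPIREVAL - DIF
)

# Prints skip, ok, warn, critical or expired.
# Args: change date, today, max age, WARNAT, CRITWARNAT.
password_state() (
  case $1 in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo skip; exit 0 ;;                 # no usable change date
  esac
  # Assumption: a max age of 0 (or empty) means the password never expires.
  if [ "${3:-0}" -le 0 ]; then echo ok; exit 0; fi
  rem=$(days_remaining "$1" "$2" "$3")
  if   [ "$rem" -le 0 ];    then echo expired
  elif [ "$rem" -le "$5" ]; then echo critical
  elif [ "$rem" -le "$4" ]; then echo warn
  else echo ok
  fi
)

# Constructed sample: password changed 2024-01-01, 90-day max age.
password_state 20240101 20240326 90 5 1   # warn (5 days left)
```

The max-age guard matters because with a value of 0 the original comparison `$DIF -ge $EXPIREVAL` is true for every account, so every user would be reported as expired.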
