dtEmailExpiredPass.sh - Notify Users About Expired Passwords by Email

License: free

We just love using eDirectory as our primary source for user authentication and authorization. Universal Password lets us use the same username and password for file access with or without the Novell Client, FTP, SSH, wireless access, custom LDAP-enabled applications...
And the Universal Password policy lets us keep passwords compliant with our security policy (ISO/IEC 27001 certified): enforce password length, enforce complex passwords and prevent users from using their own (or the company's) personal data in a password (just put the data in eDirectory and then specify the "no-no" attributes, but make sure you are using the latest Novell Security Services and iManager snap-in and that your schema is extended).

Finally, we force users to change passwords every 40 days.

A really neat feature of the Universal Password policy is the ability to display administrator messages to a user during a password change, and to let the user check the password requirements before making a frustrated call to the HelpDesk: 'I just can't change my password anymore!'

Unfortunately, notification about password expiration works only for users logging in with the Novell Client, and the administrator message and password requirements are shown only when Novell NMAS is enabled too.

This produced a lot of HelpDesk calls, since SAMBA or LDAP users, for example, were never warned to change their passwords, and their accounts ended up locked after they had used up all their grace logins. To overcome this, I created a simple bash script that does an LDAP search for passwords that will expire in a few days and then sends an eMail to the affected users to warn them.

First, in order to do the LDAP search you need a user authorized to read the desired eDirectory attributes.

To keep it simple, create an additional user ldapproxy with the password "secret" and assign it eDirectory rights for the desired OU: entry browse (inherit) and all attributes read, compare (inherit). To make it more secure, reduce the rights to only the attributes that are needed...

Now copy the following bash script to your Linux box, for example to the /root/scripts folder:

#!/bin/bash

########################################################
#   dtEmailExpiredPass.sh - eMail notification about  #
#                          expired eDirectory password #
########################################################
#
#    FILE: dtEmailExpiredPass.sh
# VERSION: 0.1
#    DATE: 12-25-2007
#
#  AUTHOR: Denis Tomasevic
#          Slovenia
#
########################################################

#############################
#  Variables
#############################
# variables for eMail setup (nail reads smtp and from from the environment)
export smtp="X.X.X.X"
export from="helpdesk@mycompany.si"
bcc="helpdesk@mycompany.si"

# variables for LDAP search
# (the proxy password is stored in clear text here, so keep this file
#  readable by root only; ldapsearch -y passwordfile would also keep it
#  out of the process list)
ldapHost="localhost"
ldapContext="ou=users,o=company"
ldapUser="cn=ldapproxy,o=company"
ldapPassw="secret"
checkTime="4 days"

# tmp files (created with mktemp instead of predictable names under /tmp)
tmpMsg=$(mktemp) || exit 1
tmpLdapResult=$(mktemp) || exit 1

# calculate a time in the future (now + checkTime)
# and transform it to LDAP GeneralizedTime format
notifyExpirationTime=$(date -d "$checkTime" +%Y%m%d000000Z)

# search in LDAP for passwords that expire before that time,
# ignore users disabled by administrator,
# store results (LDIF, one entry per paragraph) in file tmpLdapResult
ldapsearch -x -Z -b "$ldapContext" -h "$ldapHost" \
           -D "$ldapUser" -w "$ldapPassw" -LLL \
           "(&(passwordExpirationTime<=$notifyExpirationTime)(!(loginDisabled=TRUE)))" \
           loginGraceRemaining mail passwordExpirationTime \
           >"$tmpLdapResult"

# for every user with an expiring password and an eMail attribute
for user in $(awk '/^mail: /{print $2}' "$tmpLdapResult"); do
   {
      # prepare notification message for a user
      echo "Your password will expire:"
      # add this user's LDIF entry to the message in its native format;
      # entries are separated by blank lines, so select the whole entry
      # rather than a fixed number of lines around the mail attribute
      # (which breaks when an entry lacks passwordExpirationTime)
      awk -v m="mail: $user" 'BEGIN { RS = ""; FS = "\n" }
           { for (i = 1; i <= NF; i++) if ($i == m) { print; break } }' \
           "$tmpLdapResult"
      echo
      echo "Please, change your password."
      echo
      echo "Your password has to be compliant with password policy:"
      echo "Add your own password policy instructions here..."
      echo
      echo "Your support team"
   } >"$tmpMsg"
   # send prepared message to the user and a copy to the help desk
   /usr/bin/nail -b "$bcc" -s "eDirectory password notification" "$user" <"$tmpMsg"
done

# clean out temp files and finish
rm -f "$tmpLdapResult" "$tmpMsg"
exit 0

Finally, use crontab -e to schedule execution of the script, for example Monday to Friday at 9:00:
0 9 * * 1-5 /root/scripts/dtEmailExpiredPass.sh >/dev/null

Using the script above, a user will receive the following eMail message:

Subject: eDirectory password notification
From: helpdesk@mycompany.si
Your password will expire:
dn: cn=denis,ou=users,o=mycompany
mail: denis.tomasevic@mycompany.si
passwordExpirationTime: 20071230220000Z
loginGraceRemaining: 10

Please, change your password.

Your password has to be compliant with password policy:
Add your own password policy instructions here...

Your support team

If your users do not log in every day, you could use a different LDAP filter:

"(&(loginGraceRemaining<=5)(!(loginDisabled=TRUE)))"

To use this, set the users' Grace Login attribute to a value greater than 6 (for example 10), so a user is notified only if he did not change his password on time.

Now you can play on your own: change the notification message, transform eDirectory attributes into a more readable format…

Enjoy!
Denis Tomašević

Attachment: dtEmailExpiredPass.zip (1.06 KB)

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

User Comments


Great tool

Submitted by redds on 29 January 2008 - 8:37am.

Great work, works great. The only thing I saw was that I needed to use the dos2unix tool to convert it; otherwise it didn't work.


Not all there

Submitted by spgsitsupport on 6 September 2012 - 4:50am.

It only works when all users in the OU have an expiry date.

If one does not, then the fgrep manipulation makes this one user still receive an email, which makes no sense:

Your password will expire:
dn: cn=user1,ou=users,o=organization
mail: user1@domain

dn: cn=user2,ou=users,o=organization

Please, change your password.

So extra logic is needed, as well as possibly an extra variable for checkTime2, so one can select e.g. 7 days & 1 day and not need to run 2 separate scripts.

Seb
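The two points Seb raises, worked through as an added example (editor's code, not part of Denis's tool): the ldapsearch -LLL output is parsed one LDIF entry at a time, so an entry without passwordExpirationTime is skipped instead of borrowing its neighbour's lines, and a user is reported only on the exact days requested (7 and 1 here), which replaces a second checkTime variable or a second script. The sample LDIF is constructed, and GNU date is assumed.

```shell
#!/bin/bash
# Constructed sample of ldapsearch -LLL output: entries are separated by a blank
# line; user1 has no passwordExpirationTime, as in the comment above.
sampleLdif='dn: cn=user1,ou=users,o=organization
loginGraceRemaining: 10
mail: user1@domain

dn: cn=user2,ou=users,o=organization
mail: user2@domain
passwordExpirationTime: 20071230220000Z

dn: cn=user3,ou=users,o=organization
mail: user3@domain
passwordExpirationTime: 20071224220000Z
'

# daysUntil <passwordExpirationTime> <today as YYYYMMDD>
# Whole days from "today" to the expiry date (GeneralizedTime, UTC); needs GNU date.
daysUntil() {
  local expiry today
  expiry=$(printf '%.8s' "$1")   # keep only the YYYYMMDD part
  today="$2"
  echo $(( ( $(date -u -d "$expiry" +%s) - $(date -u -d "$today" +%s) ) / 86400 ))
}

# dueNotifications <ldif> <today as YYYYMMDD> <days>...
# Prints "mail days" for every entry whose password expires in exactly one of the
# given day counts (e.g. 7 1 to mail on day 7 and day 1 only, not every day).
# Entries lacking mail or passwordExpirationTime are skipped, never mixed up.
dueNotifications() {
  local ldif="$1" today="$2"
  shift 2
  local thresholds="$*"
  # awk paragraph mode (RS="") yields exactly one LDIF entry per record
  printf '%s\n' "$ldif" | awk 'BEGIN { RS = ""; FS = "\n" }
    { mail = ""; expiry = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^mail: /) mail = substr($i, 7)
        if ($i ~ /^passwordExpirationTime: /) expiry = substr($i, 25)
      }
      if (mail != "" && expiry != "") print mail, expiry }' |
  while read -r mail expiry; do
    d=$(daysUntil "$expiry" "$today")
    for t in $thresholds; do
      if [ "$d" -eq "$t" ]; then echo "$mail $d"; fi
    done
  done
}
```

Feed it the real result file with `dueNotifications "$(cat "$tmpLdapResult")" "$(date -u +%Y%m%d)" 7 1` and mail each line's address from a single daily cron run.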

© 2013 Novell