FreeIPA Password Expiry Notification Script for Red Hat Identity Management

Hey there friends,

I’ve got a quick’n’sloppy bash shell script that’s fairly useful, if you’re using a FreeIPA identity management domain on CentOS/RHEL/Scientific Linux and want to notify people via email of when their password is going to expire.

The script assumes it’s being run on an IDM server system with access to the following command line applications:

– kinit (with a keytab setup)
– ldapsearch
– ipa
– mailx
– rm

Here’s the script:


#!/bin/bash

# notifies people a set number of days before expiry, once via email

# open a kerberos ticket using keytab authentication
# the following keytab file was made using ktutil with rc4-hmac
# (rc4-hmac is a legacy enctype that current Kerberos defaults disable, so prefer an
# AES enctype for a new keytab; a read-only service principal instead of admin also
# limits what a leaked keytab can do)

/usr/bin/kinit admin@YOURDOMAIN.COM -k -t /sextoys/admin.keytab || exit 1

# how many days before expiry? at which point a single email should be sent out

cd /tmp || exit 1
THENUMBEROFDAYS=2

# queries the ldap server for whatever group you want, or search parameters you want to use
# grepping memberUid for the group you want and piping to awk results in a list of users
USERLIST=$(ldapsearch -x -b cn=sextoyboys,cn=groups,cn=compat,dc=yourdomain,dc=com | grep memberUid | awk '{print $2}')

# start the main loop
for USER in $USERLIST;
do
    # gets today's date in the same format as ipa
    TODAYSDATE=$(date +"%Y%m%d")
    echo "Checking Expiry For $USER"

    # gets the date, removes the time: cut keeps only the first 8 characters of the date
    EXPIRYDATE=$(ipa user-show "$USER" --all | grep krbpasswordexpiration | awk '{print $2}' | cut -c 1-8)

    # a user with no expiry set would make the date arithmetic below fail
    if [ -z "$EXPIRYDATE" ]; then
        echo "$USER has no password expiry set, skipping"
        continue
    fi

    # convert both dates to seconds since the epoch (UTC midnight) and divide by one
    # day, so the difference is correct across year boundaries and leap years
    CALCEXPIRY=$(date -u -d "$EXPIRYDATE" +%s)
    CALCTODAY=$(date -u -d "$TODAYSDATE" +%s)
    DAYSLEFT=$(( (CALCEXPIRY - CALCTODAY) / 86400 ))

    echo "$USER has $DAYSLEFT left"

    # send out an email if it matches the specified number of days left
    if [ "$DAYSLEFT" -eq "$THENUMBEROFDAYS" ];
    then
        # create the email content in a private temporary file
        TMPFILE=$(mktemp)
        echo "HEY BUDDY, YOUR PASSWORD IS GOING TO EXPIRE" >> "$TMPFILE"
        echo " " >> "$TMPFILE"
        echo "MaxMouse" >> "$TMPFILE"

        # send the email out
        mailx -s "Hey $USER This is a great subject line right" "$USER@yourdomain.com" < "$TMPFILE"
        # delete content file
        rm -f "$TMPFILE"
    fi

done

Please enjoy this. If not, it’s OK too!

Mm.,

7 Comments

Trent Melcher (February 5, 2015)

Thanks for the script, this will help out a lot. One question I have is how did you create the keytab file (actual syntax)? I'm having an issue using ktutil to generate the keytab for a specific user.

Thanks
Trent

maxmouse (March 3, 2015)

Here’s what I used to create the keytab file:


[root@vmhacks.com sextoys]# ktutil
ktutil: addent -password -p admin@YOURDOMAIN.COM -k 1 -e rc4-hmac
Password for admin@YOURDOMAIN.COM:
ktutil: wkt admin.keytab
ktutil: quit

Zantar (September 10, 2015)

The original script's text didn't account for password expiration crossing 'end of year' (or multiple years) and would return an erroneous value if the current date and expiration date were not during the same year.

Here’s the enhancement I added to accommodate that situation…

perform_date_calc() {
    # Reduce length of LDAP-formatted expiration date
    EXPIRE_DATE=`echo $EXPIRE_DATE | cut -c1-8`

    # Get 'year' of current date and date of expiration:
    TODAYS_YEAR=`echo $TODAYS_DATE | cut -c1-4`
    EXPIRE_YEAR=`echo $EXPIRE_DATE | cut -c1-4`

    # Obtain 'day of current year' value from dates:
    CALC_TODAY=$(date -d "$TODAYS_DATE" +%j)
    CALC_EXPIRY=$(date -d "$EXPIRE_DATE" +%j)

    # Adjust for any year difference:
    if [[ $EXPIRE_YEAR -gt $TODAYS_YEAR ]] ; then
        YEARS_AHEAD=$(expr $EXPIRE_YEAR - $TODAYS_YEAR)
        DAYS_AHEAD=$(($YEARS_AHEAD * 365))
        CALC_EXPIRY=$(expr $CALC_EXPIRY + $DAYS_AHEAD)
    fi

    # Calculate difference between today and expiration:
    DAYS_LEFT=$(($CALC_EXPIRY - $CALC_TODAY))

    if [[ $DAYS_LEFT -eq 1 ]] ; then
        DAY_TEXT="day"
    else
        DAY_TEXT="days"
    fi

    echo "$DAYS_LEFT $DAY_TEXT left"
}

Kahlil Talledo (October 7, 2015)

I’m getting this error:
kinit: Cannot find KDC for realm "directory.xxxxxxxxx.net" while getting initial credentials.

Any ideas?

Chris Halbersma (November 3, 2015)

Thanks for this it’s added a lot to our IDM. You might also want to throw in on of these:

# Is this user disabled?
hum_this_user_disabled=$(ipa user-show $user --all | grep disabled | cut -f 2 -d : | xargs)

if [[ $hum_this_user_disabled == "True" ]] ; then
    # Account Disabled
    echo -e "MESSAGE : User $user 's account is disabled. Skipping..."
else
    : # continue with the rest of the script here
fi

Brad Van Orden (July 22, 2016)

Far easier to just cast your dates to seconds, then subtract:

CALCEXPIRY=$(date -d "$EXPIRYDATE" +%s)
CALCTODAY=$(date -d "$TODAYSDATE" +%s)
DAYSLEFT=$(((${CALCEXPIRY} - ${CALCTODAY}) / 86400))
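The following is an added example, not the post's script or any commenter's code. It pulls together the pieces discussed in the post and the comments above: the day count done on epoch seconds (as Brad suggests) so it survives the year-boundary and leap-year cases Zantar describes, the skip for disabled accounts Chris adds, and the post's send-once condition (exactly N days left). It works on captured `ipa user-show` text instead of calling `ipa`, so it runs without an IPA server; the sample output, the `ipa_attr`, `days_until_expiry` and `notify_action` names, and the attribute labels `Account disabled` and `krbpasswordexpiration` are assumptions (labels vary between IPA versions, so adjust them to what your server prints). GNU `date` is assumed.

```shell
#!/bin/sh
# Added example (not the post's script): day count and notify decision for
# FreeIPA password expiry, working on captured "ipa user-show" output so it
# runs without an IPA server.  Assumes GNU date; the attribute labels
# ("Account disabled", "krbpasswordexpiration") are taken from the post and
# comments and may differ between IPA versions.

# Convert an LDAP GeneralizedTime such as 20250103123000Z (always UTC) to
# seconds since the epoch.  Fails loudly on anything that is not 14 digits + Z.
gentime_to_epoch() {
    expr "$1" : '[0-9]\{14\}Z$' >/dev/null || {
        echo "bad GeneralizedTime: '$1'" >&2
        return 1
    }
    date -u -d "$(printf '%s\n' "$1" | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z$/\1-\2-\3 \4:\5:\6 UTC/')" +%s
}

# Whole calendar days from TODAY (YYYYMMDD) until EXPIRY (GeneralizedTime).
# Both are truncated to midnight UTC before subtracting, so the result is right
# across year boundaries and leap years, which a day-of-year (%j) subtraction
# is not.
days_until_expiry() {
    expiry_day=$(printf '%s' "$1" | cut -c1-8)
    today_day=$(printf '%s' "$2" | cut -c1-8)
    expiry_epoch=$(gentime_to_epoch "${expiry_day}000000Z") || return 1
    today_epoch=$(gentime_to_epoch "${today_day}000000Z") || return 1
    echo $(( (expiry_epoch - today_epoch) / 86400 ))
}

# Pull one attribute value out of captured "ipa user-show" text (case-insensitive
# label match, first occurrence wins).  Prints nothing if the label is absent.
ipa_attr() {
    printf '%s\n' "$2" | awk -F': ' -v want="$1" '
        { label = $1; sub(/^[ \t]+/, "", label)
          if (tolower(label) == tolower(want)) { print $2; exit } }'
}

# Decide what to do for one user: "skip-disabled", "no-expiry", "notify"
# (exactly NOTIFY_DAYS left, the post's send-once condition) or "none".
notify_action() {
    user_output=$1; today=$2; notify_days=$3
    if [ "$(ipa_attr 'Account disabled' "$user_output")" = "True" ]; then
        echo skip-disabled; return 0
    fi
    expiry=$(ipa_attr krbpasswordexpiration "$user_output")
    if [ -z "$expiry" ]; then
        echo no-expiry; return 0
    fi
    left=$(days_until_expiry "$expiry" "$today") || return 1
    if [ "$left" -eq "$notify_days" ]; then echo notify; else echo none; fi
}

# Constructed sample output (not captured from a real server).
SAMPLE_ACTIVE='  User login: alice
  Account disabled: False
  krbpasswordexpiration: 20250103123000Z'
SAMPLE_DISABLED='  User login: bob
  Account disabled: True
  krbpasswordexpiration: 20250103123000Z'

# Stand-alone demo: pretend today is 31 Dec 2024 and warn 3 days ahead.
# alice -> notify (3 days left, across a year boundary in a leap year);
# bob -> skip-disabled.
for s in "$SAMPLE_ACTIVE" "$SAMPLE_DISABLED"; do
    echo "$(ipa_attr 'User login' "$s"): $(notify_action "$s" 20241231 3)"
done
```

To use it against a live server, feed `notify_action` the output of `ipa user-show "$USER" --all` and today's `date -u +%Y%m%d`, and send the mail only on `notify`; the 31 Dec 2024 sample is the case where the day-of-year subtraction in the original script goes wrong (day 3 minus day 366 instead of 3).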

Brian (January 25, 2017)

not bad, it seems to work
