FreeIPA Password Expiry Notification Script for Red Hat Identity Management

Hey there friends,

I’ve got a quick’n’sloppy bash shell script that’s fairly useful if you’re running a FreeIPA identity management domain on CentOS/RHEL/Scientific Linux and want to notify people by email shortly before their password expires.

The script assumes it’s being run on an IdM server system with access to the following command line applications:

– kinit (with a keytab set up)
– ldapsearch
– ipa
– mailx

A few things to get right before this goes into cron. The keytab is a long-lived credential: keep it readable by root only (mode 0600) and use the least privileged principal that can read the users’ expiry attribute rather than admin, which a read-only job like this does not need. rc4-hmac is a deprecated key type and FreeIPA issues AES keys by default, so prefer those. If you build the keytab from a password with ktutil, as in the comments below, the key version number passed to -k has to match the KDC’s current one or kinit will fail. The ldapsearch call uses -x, an anonymous simple bind that has nothing to do with the Kerberos ticket; it works because the compat tree allows anonymous reads, and if you have turned those off use -Y GSSAPI instead. Finally, the script mails uid@yourdomain.com; if your addresses don’t follow that pattern, the user’s mail attribute is in the same ipa user-show output.

Here’s the script:


#!/bin/bash

# notifies people a set number of days before expiry, once via email

# open a kerberos ticket using keytab authentication
# the following keytab file was made using ktutil with rc4-hmac
# stop here if kinit fails, since every ipa call below would fail too

/usr/bin/kinit admin@YOURDOMAIN.COM -k -t /sextoys/admin.keytab || exit 1

# how many days before expiry? at which point a single email should be sent out

THENUMBEROFDAYS=2

# queries the ldap server for whatever group you want, or search parameters you want to use
# (-x is an anonymous simple bind, so this does not use the ticket from kinit)
# grepping memberUid for the group you want and piping to awk results in a list of users
USERLIST=$(ldapsearch -x -b cn=sextoyboys,cn=groups,cn=compat,dc=yourdomain,dc=com | grep '^memberUid:' | awk '{print $2}')

# start the main loop
for USER in $USERLIST;
do
# gets todays date in the same format as ipa; UTC for both dates so a DST change cannot shift the count
TODAYSDATE=$(date -u +"%Y%m%d")
echo "Checking Expiry For $USER"

# one lookup per user; --raw prints attribute names as stored (krbpasswordexpiration, nsaccountlock)
# instead of the version-dependent display labels
USERINFO=$(ipa user-show "$USER" --all --raw)

# a disabled account cannot log in, so there is nobody to warn
if printf '%s\n' "$USERINFO" | grep -qi 'nsaccountlock: *true'; then
echo "$USER is disabled, skipping"
continue
fi

# gets date, removes time uses cut to get only first 8 characters of date
EXPIRYDATE=$(printf '%s\n' "$USERINFO" | grep -i krbpasswordexpiration | awk '{print $2}' | cut -c 1-8)

# no expiry attribute at all: date -d "" would quietly mean "today", so skip instead
if [ -z "$EXPIRYDATE" ]; then
echo "$USER has no password expiry set, skipping"
continue
fi

# convert both dates to seconds since the epoch and divide by a day; subtracting
# day-of-year values instead goes wrong as soon as the expiry falls in a later year
CALCEXPIRY=$(date -u -d "$EXPIRYDATE" +%s)
CALCTODAY=$(date -u -d "$TODAYSDATE" +%s)
DAYSLEFT=$(( (CALCEXPIRY - CALCTODAY) / 86400 ))

echo "$USER has $DAYSLEFT days left"

# send out an email if it matches the specified number of days left
if [ "$DAYSLEFT" -eq "$THENUMBEROFDAYS" ];
then

# create the email content and send it in one step; the old $USER.temp in /tmp had
# a predictable name that any local user could pre-create or symlink somewhere else
# (assumes the address is uid@yourdomain.com; the mail attribute is in $USERINFO if it is not)
mailx -s "Hey $USER This is a great subject line right" "$USER@yourdomain.com" <<EOF
HEY BUDDY, YOUR PASSWORD IS GOING TO EXPIRE

MaxMouse
EOF
fi

done

Please enjoy this. If not, it’s OK too!

Mm.,

7 comments

  1. Thanks for the script, this will help out a lot. One question I have is how did you create the keytab file (actual syntax)? I’m having an issue using ktutil to generate the keytab for a specific user.

    Thanks
    Trent

    1. Here’s what I used to create the keytab file:


      [root@vmhacks.com sextoys]# ktutil
      ktutil: addent -password -p admin@YOURDOMAIN.COM -k 1 -e rc4-hmac
      Password for admin@YOURDOMAIN.COM:
      ktutil: wkt admin.keytab
      ktutil: quit

  2. The original script’s text didn’t account for password expiration crossing ‘end of year’ (or multiple years) and would return an erroneous value if the current date and expiration date were not in the same year.

    Here’s the enhancement I added to accommodate that situation…

    perform_date_calc() {
    # Reduce length of LDAP-formatted expiration date
    EXPIRE_DATE=`echo $EXPIRE_DATE | cut -c1-8`

    # Get 'year' of current date and date of expiration:
    TODAYS_YEAR=`echo $TODAYS_DATE | cut -c1-4`
    EXPIRE_YEAR=`echo $EXPIRE_DATE | cut -c1-4`

    # Obtain 'day of current year' value from dates (forced to base 10: %j is
    # zero-padded, and $(( )) would otherwise read 008 or 009 as octal and fail):
    CALC_TODAY=$((10#$(date -d "$TODAYS_DATE" +%j)))
    CALC_EXPIRY=$((10#$(date -d "$EXPIRE_DATE" +%j)))

    # Adjust for any year difference, counting the real length of each
    # intervening year so leap years do not throw the count off by one:
    if [[ $EXPIRE_YEAR -gt $TODAYS_YEAR ]] ; then
    DAYS_AHEAD=0
    for (( Y=TODAYS_YEAR; Y<EXPIRE_YEAR; Y++ )) ; do
    DAYS_AHEAD=$((DAYS_AHEAD + $(date -d "${Y}1231" +%j)))
    done
    CALC_EXPIRY=$((CALC_EXPIRY + DAYS_AHEAD))
    fi

    # Calculate difference between today and expiration:
    DAYS_LEFT=$((CALC_EXPIRY - CALC_TODAY))

    if [[ $DAYS_LEFT -eq 1 ]] ; then
    DAY_TEXT="day"
    else
    DAY_TEXT="days"
    fi

    echo "$DAYS_LEFT $DAY_TEXT left"
    }

  3. I’m getting this error:
    kinit: Cannot find KDC for realm “directory.xxxxxxxxx.net” while getting initial credentials.

    Any ideas?

  4. Thanks for this, it’s added a lot to our IDM. You might also want to throw in one of these:

    # Is this user disabled?
    hum_this_user_disabled=$(ipa user-show $user --all | grep disabled | cut -f 2 -d : | xargs)

    if [[ $hum_this_user_disabled == "True" ]] ; then
    # Account Disabled
    echo -e "MESSAGE : User $user 's account is disabled. Skipping..."
    else
    : # continue with script...
    fi

  5. Far easier to just cast your dates to seconds, then subtract:

    CALCEXPIRY=$(date -d "$EXPIRYDATE" +%s)
    CALCTODAY=$(date -d "$TODAYSDATE" +%s)
    DAYSLEFT=$(((${CALCEXPIRY} - ${CALCTODAY}) / 86400))
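The three cases raised above (an expiry in a later year than today, a disabled account, and an account with no expiry attribute at all) handled together, as an added example. This is not the original post’s script or any commenter’s code, and the function names ipa_attr, days_left and should_notify are its own. It assumes that `ipa user-show <uid> --all --raw` prints one `attribute: value` per line with lowercase attribute names, and the ipa output it runs over is a constructed sample rather than a live query, so it runs offline.

```shell
#!/bin/bash
# Added example (not the original script): the per-user expiry decision as
# functions, handling the edge cases the original day-of-year arithmetic missed.
# Assumption: `ipa user-show <uid> --all --raw` prints one "attribute: value"
# per line with lowercase attribute names, as in the constructed sample below.

# Constructed sample of raw ipa output for one account (not from a live server)
SAMPLE_RAW='  dn: uid=jdoe,cn=users,cn=accounts,dc=yourdomain,dc=com
  uid: jdoe
  mail: jdoe@yourdomain.com
  krbpasswordexpiration: 20240103120000Z
  nsaccountlock: FALSE'

# The same account, disabled (constructed)
SAMPLE_LOCKED=$(printf '%s\n' "$SAMPLE_RAW" | sed 's/nsaccountlock: FALSE/nsaccountlock: TRUE/')

# ipa_attr RAW NAME: print the value of attribute NAME (case-insensitive) from RAW, or nothing
ipa_attr() {
    printf '%s\n' "$1" | awk -v a="$2" '{
        i = index($0, ": "); if (i == 0) next
        k = substr($0, 1, i - 1); sub(/^[ \t]+/, "", k)
        if (tolower(k) == tolower(a)) { print substr($0, i + 2); exit }
    }'
}

# days_left GENERALIZEDTIME TODAY(YYYYMMDD): whole days from today's midnight to
# the expiry date's midnight. Both are taken as UTC (-u) so a DST change cannot
# shift the count, and epoch seconds replace day-of-year, which breaks across years.
days_left() {
    exp=$(printf '%s' "$1" | cut -c1-8)          # drop HHMMSSZ
    e=$(date -u -d "$exp" +%s) || return 1
    t=$(date -u -d "$2" +%s) || return 1
    echo $(( (e - t) / 86400 ))
}

# should_notify RAW TODAY THRESHOLD: prints one of
#   locked    nsaccountlock is TRUE, nobody to warn
#   noexpiry  no krbpasswordexpiration; date -d "" would silently mean "today"
#   baddate   attribute present but not parseable
#   notify    exactly THRESHOLD days left, send the mail
#   skip      any other number of days
should_notify() {
    lock=$(ipa_attr "$1" nsaccountlock | tr 'A-Z' 'a-z')
    [ "$lock" = true ] && { echo locked; return 0; }
    exp=$(ipa_attr "$1" krbpasswordexpiration)
    [ -z "$exp" ] && { echo noexpiry; return 0; }
    left=$(days_left "$exp" "$2") || { echo baddate; return 0; }
    if [ "$left" -eq "$3" ]; then echo notify; else echo skip; fi
}

# Stand-alone demo: two days before the sample's expiry, with a two-day threshold
echo "jdoe on 20240101: $(should_notify "$SAMPLE_RAW" 20240101 2)"       # notify
echo "jdoe on 20231230: $(days_left 20240103120000Z 20231230) days left"  # 4, where %j arithmetic gives -361
```

Dropping the time of day with cut and then parsing both values with `date -u` means the subtraction is always between two midnights in the same zone, so the integer division by 86400 is exact; without -u, a DST change between the two dates shortens the gap by an hour and the division rounds a 2-day gap down to 1.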
