Yo tengo algo parecido, pero uso Active Directory y el script está en Perl.
Enviado desde mi smartphone Samsung Galaxy.
-------- Mensaje original --------
De: adr...@sc.mfp.gob.cu
Fecha: 16/10/20 09:00 (GMT-05:00)
A: gutl-l@listas.jovenclub.cu
Asunto: [Gutl-l] notificacion espiracion user passwd
Hola listeros, estoy tratando de hacer funcionar este script pero tengo
un problema con esta parte
#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"
defaultPasswordPolicy: ¿dónde encuentro esto? He buscado todos los DN en
Samba y no encuentro nada; he usado estas líneas
[root@self ~]# ldapsearch -H ldap://192.168.20.5:389 -LLL x -D
"SC\administrator" -W -b "DC=sc,DC=mfp,DC=gob,DC=cu"
"(&(objectclass=user))"
o, si alguien tiene algún script que me notifique cuando el usuario está por
expirar, que me lo haga llegar. Esta es la ejecución del script:
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password
change date for denia3403
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password
change date for dayana
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password
change date for maryleyvis
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: --- Statistics
---
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Users checked:
137
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Account
expired: 0
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Account in
warning: 0
[root@self ~]#
Encuentra los usuarios; he modificado unos cuantos usuarios mediante Samba
para que expiren en dos días o más, pero no me da respuesta de ello
porque me falta encontrar lo antes planteado:
#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"
Agradecería cualquier ayuda con esto, gracias.
A continuación, el script.
#!/bin/sh
#
# LDAP host URI
# eg: ldap://localhost:389
#
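MY_LDAP_HOSTURI="ldap://192.168.20.5:389"
#
# LDAP root DN (optional)
# eg: cn=Manager,dc=example,dc=com
# NOTE: the DN is later word-split into ldapsearch arguments, so a DN
# containing spaces is not supported by this script.
#
MY_LDAP_ROOTDN="CN=Administrator,CN=Users,DC=sc,DC=mfp,DC=gob,DC=cu"
#
# LDAP root password (optional)
# Taken from the environment instead of being written in this file: the
# script gets copied around and pasted to mailing lists, and a password
# hard-coded here ends up public (the value that used to be here should be
# treated as disclosed and rotated). Export it from a mode-0600 file before
# running, e.g.  MY_LDAP_ROOTPW=$(cat <path-to-0600-file>) ./<this script>
#
MY_LDAP_ROOTPW="${MY_LDAP_ROOTPW:-}"
#
# LDAP default password policy DN
# eg: ou=defaultPasswordPolicy,dc=example,dc=com
# If commented, we suppose there are no default, and only per-user policies
# (the "policies" word of that sentence used to sit on its own line, where
# the shell tried to run it as a command).
#
#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"
#
# LDAP search base for users
# eg: ou=People,dc=example,dc=com
#
MY_LDAP_SEARCHBASE="OU=DPFP,DC=sc,DC=mfp,DC=gob,DC=cu"
#
# LDAP search filter to use to get all users
# NOTE(review): this filter describes OpenLDAP inetOrgPerson entries; on a
# Samba/Active Directory domain users are usually objectClass=user with
# sAMAccountName rather than uid -- confirm against the directory in use.
#
MY_LDAP_SEARCHFILTER="(&(uid=*)(objectClass=inetOrgPerson))"
#
# LDAP search scope to use to get all users
#
MY_LDAP_SEARCHSCOPE="one"
#
# Path to LDAP search binary
#
MY_LDAP_SEARCHBIN="/usr/local/openldap/bin/ldapsearch"
#
# Delay (seconds) to begin sending adverts
# Comment to use the pwdExpireWarning value of the user's Password Policy
#
#MY_MAIL_DELAY=1296000
#
# LDAP attributes storing user's information
# NAME: Display name of the user
# LOGIN: Account ID of the user
# MAIL: Email of the user
#
MY_LDAP_NAME_ATTR=cn
MY_LDAP_LOGIN_ATTR=uid
MY_LDAP_MAIL_ATTR=mail
#
# Locale for date
# eg: export LC_ALL=en_US.UTF-8
#
export LC_ALL=en_US.UTF-8
#
# Mail body message, with particular variables :
# %name : user name
# %login : user login
# %expireDays / %expireTimeTZ : days left / expiry date
# %pwdMinLength / %pwdInHistory : values from the password policy
# "\n" sequences are expanded when the mail is sent.
# NOTE(review): the "%lo...@" token on the From line looks like a mail-client
# truncation of %login@<domain> -- confirm before use.
#
MY_MAIL_BODY="From: %lo...@sc.mfp.gob.cu\n\n \
Hi %name,\n\n \
Please change your password. It will expire in %expireDays days on %expireTimeTZ.\n\n \
As a reminder, the password policy is :\n\n \
- Minimum Password Length : %pwdMinLength characters\n\n \
- There is a password history, your new password must be different from you last %pwdInHistory passwords.\n\n \
The LDAP team."
#
# Mail subject
#
MY_MAIL_SUBJECT="Your account will expire soon"
#
# Mail command binary
# Replace mailx by mail for RedHat
#
MY_MAIL_BIN="mail"
#
# Log header format
# Could include unix commands. Evaluated once, at startup.
#
MY_LOG_HEADER="$(date +"%b %e %T") $(hostname) $0[$$]:"
#
# Path to GAWK (GNU awk) binary
#
MY_GAWK_BIN="/usr/bin/gawk"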
#====================================================================
# Functions
#====================================================================
#
# Retrieves date in seconds.
# This function could take one parameter, a time returned by the command
# `date +"%Y %m %d %H %M %S"`. Without parameter, it returns GMT time.
#
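getTimeInSeconds() {
  # Prints seconds since the epoch on stdout.
  # Arguments: $1 (optional) - "YYYY MM DD HH MM SS", read as UTC.
  # Without $1, prints the current UTC time.
  # Uses ${MY_GAWK_BIN} (GNU awk, for mktime), falling back to "gawk" in PATH.
  gts_result=0
  gts_os=$(uname -s)
  if [ -n "$1" ]; then
    # TZ=UTC so mktime() does not apply the local offset: the value fed
    # here is the LDAP pwdChangedTime, a generalizedTime in Zulu (UTC).
    # Previously it was read as local time, which skewed expireTime (and
    # the date shown in the mail) by the local UTC offset.
    gts_result=$(TZ=UTC "${MY_GAWK_BIN:-gawk}" 'BEGIN {
      if (ARGC == 2) {
        print mktime(ARGV[1])
      }
      exit 0 }' "$1")
  elif [ "${gts_os}" = "SunOS" ]; then
    # Under Sun Solaris, there is no simple way to retrieve epoch time:
    # read the time() syscall result out of a truss(1) trace of date(1).
    # TODO: manage zulu time (GMT)
    gts_result=$(/usr/bin/truss /usr/bin/date 2>&1 |
      nawk -F= '/^time\(\)/ {gsub(/ /,"",$2); print $2}')
  else
    # %s is already epoch seconds; no need to round-trip the UTC fields
    # through mktime() (which re-read them as local time).
    gts_result=$(date -u +%s)
  fi
  echo "${gts_result}"
}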
#====================================================================
# Script
#====================================================================
## Variables initialization
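# Private work directory: mktemp -d creates an unpredictable, mode-0700
# directory, so another local user can neither pre-create the old
# /tmp/<pid>.checkldap.tmp name nor read the files written into it.
tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/checkldap.XXXXXX") || {
  echo "Error : cannot create temporary directory" >&2
  exit 1
}
# Remove the work directory on every exit path; signals exit through the
# EXIT trap so the cleanup also runs when the script is interrupted.
trap 'rm -rf -- "${tmp_dir:?}"' EXIT
trap 'exit 1' HUP INT TERM
result_file="${tmp_dir}/res.tmp.1"
buffer_file="${tmp_dir}/buf.tmp.1"
pw_file="${tmp_dir}/rootpw"
# ldap_param is a whitespace-separated option string, word-split when used
# (as in the original); values containing spaces are therefore unsupported.
ldap_param="-LLL -H ${MY_LDAP_HOSTURI} -x"
nb_users=0
nb_expired_users=0
nb_warning_users=0
## Some tests
if [ -n "${MY_LDAP_ROOTDN}" ]; then
  # A DN without a password produced a malformed "-w" option before; fail
  # clearly instead.
  if [ -z "${MY_LDAP_ROOTPW}" ]; then
    echo "Error : MY_LDAP_ROOTDN is set but MY_LDAP_ROOTPW is empty" >&2
    exit 1
  fi
  # Hand the bind password to ldapsearch through a file (-y) rather than
  # "-w password" on the command line, which every local user can read in
  # ps(1) output. ldapsearch uses the whole file content as the password,
  # hence printf without a trailing newline; umask 077 keeps the file
  # owner-only inside the already 0700 work directory.
  (umask 077; printf '%s' "${MY_LDAP_ROOTPW}" > "${pw_file}") || {
    echo "Error : cannot write password file" >&2
    exit 1
  }
  ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -y ${pw_file}"
fi
## Performs global search
# A failed search used to be silently reported as "Users checked: 0".
# shellcheck disable=SC2086 -- ldap_param is deliberately word-split
${MY_LDAP_SEARCHBIN} ${ldap_param} -s "${MY_LDAP_SEARCHSCOPE}" \
  -b "${MY_LDAP_SEARCHBASE}" "${MY_LDAP_SEARCHFILTER}" \
  "dn" > "${result_file}" || {
  echo "${MY_LOG_HEADER} Global LDAP search failed" >&2
  exit 1
}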
## Loops on results
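#
# Prints the first value of LDIF attribute $1 found in file $2, with the
# surrounding blanks removed. Base64 values ("attr:: ...") and folded
# continuation lines are not decoded/joined -- same as the old grep|cut.
# Arguments: $1 - attribute name (from configuration, not from the directory)
#            $2 - LDIF file written by ldapsearch
#
ldif_attr() {
  sed -n "s/^$1: *//p" "$2" | sed -n '1s/ *$//p'
}
#
# Fills the %name, %login, %expireDays, %expireTimeTZ, %pwdMinLength and
# %pwdInHistory placeholders of MY_MAIL_BODY and prints the result.
# The values come from the directory and are substituted literally via awk
# variables; the previous sed "s/%name/${name}/" spliced them into the sed
# program, where a cn or mail containing "/", "&" or a sed command broke or
# rewrote the expression (GNU sed can even run commands from it).
# Arguments: $1 name, $2 login, $3 expireDays, $4 expireTimeTZ,
#            $5 pwdMinLength, $6 pwdInHistory
# NOTE: awk -v still interprets backslash escapes inside the values.
#
fill_mail_body() {
  printf '%s\n' "${MY_MAIL_BODY}" | "${MY_GAWK_BIN:-gawk}" \
    -v name="$1" -v login="$2" -v expireDays="$3" -v expireTimeTZ="$4" \
    -v pwdMinLength="$5" -v pwdInHistory="$6" '
    # Literal replacement of every "pat" in "s" by "rep": neither regex
    # metacharacters nor "&" in rep have any meaning here.
    function repl(s, pat, rep,    out, i) {
      out = ""
      while ((i = index(s, pat)) > 0) {
        out = out substr(s, 1, i - 1) rep
        s = substr(s, i + length(pat))
      }
      return out s
    }
    {
      $0 = repl($0, "%name", name)
      $0 = repl($0, "%login", login)
      $0 = repl($0, "%expireTimeTZ", expireTimeTZ)
      $0 = repl($0, "%pwdMinLength", pwdMinLength)
      $0 = repl($0, "%pwdInHistory", pwdInHistory)
      $0 = repl($0, "%expireDays", expireDays)
      print
    }'
}
# The policy entry is fetched once per user into this file (it used to be
# searched four times, once per attribute).
policy_file="${buffer_file}.policy"
## Loops on results
while read -r dnStr; do
  # Do not use blank lines
  [ -n "${dnStr}" ] || continue
  # Increment users counter
  nb_users=$((nb_users + 1))
  # Process ldap search: LDIF gives "dn: <dn>", or "dn:: <base64>" when the
  # DN has non-ASCII characters (cut -d : -f 2 turned the latter into "").
  case "${dnStr}" in
    "dn:: "*) dn=$(printf '%s' "${dnStr#dn:: }" | base64 -d 2>/dev/null) ;;
    "dn: "*)  dn=${dnStr#dn: } ;;
    *)        dn= ;;
  esac
  if [ -z "${dn}" ]; then
    echo "${MY_LOG_HEADER} Cannot parse DN line: ${dnStr}" >&2
    continue
  fi
  # shellcheck disable=SC2086 -- ldap_param is deliberately word-split
  ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \
    "${MY_LDAP_NAME_ATTR}" "${MY_LDAP_LOGIN_ATTR}" "${MY_LDAP_MAIL_ATTR}" \
    pwdChangedTime pwdPolicySubentry > "${buffer_file}"
  login=$(ldif_attr "${MY_LDAP_LOGIN_ATTR}" "${buffer_file}")
  name=$(ldif_attr "${MY_LDAP_NAME_ATTR}" "${buffer_file}")
  mail=$(ldif_attr "${MY_LDAP_MAIL_ATTR}" "${buffer_file}")
  # generalizedTime "YYYYMMDDHHMMSSZ": keep the 14 digits
  pwdChangedTime=$(ldif_attr pwdChangedTime "${buffer_file}" | cut -c 1-14)
  pwdPolicySubentry=$(ldif_attr pwdPolicySubentry "${buffer_file}")
  # NOTE(review): pwdChangedTime, pwdPolicySubentry and pwdMaxAge are
  # attributes of the OpenLDAP ppolicy overlay. Active Directory (and, as
  # far as I know, Samba AD) does not expose them: it keeps pwdLastSet on
  # the user (a Windows FILETIME) and maxPwdAge on the domain object, so
  # against such a directory every user lands in the branch below --
  # confirm with the directory schema before relying on this script there.
  # Go to next entry if no pwdChangedTime
  if [ -z "${pwdChangedTime}" ]; then
    echo "${MY_LOG_HEADER} No password change date for ${login}" >&2
    continue
  fi
  # Go to next entry if no pwdPolicySubEntry and no default policy
  if [ -z "${pwdPolicySubentry}" ] && [ -z "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then
    echo "${MY_LOG_HEADER} No password policy for ${login}" >&2
    continue
  fi
  # Retrieves user policy pwdMaxAge and pwdExpireWarning attributes
  policy_dn=${pwdPolicySubentry:-${MY_LDAP_DEFAULTPWDPOLICYDN}}
  # shellcheck disable=SC2086 -- ldap_param is deliberately word-split
  ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${policy_dn}" \
    pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory > "${policy_file}"
  pwdMaxAge=$(ldif_attr pwdMaxAge "${policy_file}")
  pwdExpireWarning=$(ldif_attr pwdExpireWarning "${policy_file}")
  pwdMinLength=$(ldif_attr pwdMinLength "${policy_file}")
  pwdInHistory=$(ldif_attr pwdInHistory "${policy_file}")
  # Go to next user if no pwdMaxAge (no expiration)
  if [ -z "${pwdMaxAge}" ]; then
    echo "${MY_LOG_HEADER} No password expiration configured for ${login}" >&2
    continue
  fi
  # Warning delay: MY_MAIL_DELAY if configured, else this user's policy
  # pwdExpireWarning. Evaluated per user: the old ":=" assignment froze the
  # first policy's value for every later user. No value at all means no
  # warning window, hence no mail (0 instead of a failing expr).
  mail_delay=${MY_MAIL_DELAY:-${pwdExpireWarning:-0}}
  # Retrieves time difference between today and last change.
  y=$(printf '%s' "${pwdChangedTime}" | cut -c 1-4)
  M=$(printf '%s' "${pwdChangedTime}" | cut -c 5-6)
  d=$(printf '%s' "${pwdChangedTime}" | cut -c 7-8)
  h=$(printf '%s' "${pwdChangedTime}" | cut -c 9-10)
  m=$(printf '%s' "${pwdChangedTime}" | cut -c 11-12)
  s=$(printf '%s' "${pwdChangedTime}" | cut -c 13-14)
  currentTime=$(getTimeInSeconds)
  pwdChangedTime=$(getTimeInSeconds "$y $M $d $h $m $s")
  diffTime=$((currentTime - pwdChangedTime))
  # Go to next user if password already expired
  expireTime=$((pwdChangedTime + pwdMaxAge))
  if [ "${currentTime}" -gt "${expireTime}" ]; then
    nb_expired_users=$((nb_expired_users + 1))
    echo "${MY_LOG_HEADER} Password expired for ${login}" >&2
    continue
  fi
  # GNU date option; not available on Solaris (as before)
  expireTimeTZ=$(date -d "@${expireTime}" "+%A %d %B %Y %T")
  # Whole days left, from the same clock as currentTime (mixing it with a
  # separate "date +%s" is what made the day count drift before).
  expireDays=$(( (expireTime - currentTime) / (60 * 60 * 24) ))
  # ALL LDAP attributes should be there, else continue to next user
  if [ -n "${mail}" ] && [ -n "${name}" ] && [ -n "${login}" ]; then
    # Adjusts time with delay
    if [ $((diffTime + mail_delay)) -gt "${pwdMaxAge}" ]; then
      logmsg=$(fill_mail_body "${name}" "${login}" "${expireDays}" \
        "${expireTimeTZ}" "${pwdMinLength}" "${pwdInHistory}")
      # Sending mail... '%b' expands the "\n" escapes used in MY_MAIL_BODY.
      # The recipient is quoted: a mail value with spaces used to become
      # several recipients and one starting with "-" an option.
      printf '%b\n' "${logmsg}" | ${MY_MAIL_BIN} -s "${MY_MAIL_SUBJECT}" "${mail}" >&2
      # Print debug information on STDERR
      echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2
      # Increment warning counter
      nb_warning_users=$((nb_warning_users + 1))
    fi
  fi
done < "${result_file}"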
# Print statistics on STDOUT
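echo "${MY_LOG_HEADER} --- Statistics ---"
echo "${MY_LOG_HEADER} Users checked: ${nb_users}"
echo "${MY_LOG_HEADER} Account expired: ${nb_expired_users}"
echo "${MY_LOG_HEADER} Account in warning: ${nb_warning_users}"
# Delete temporary files. The ":?" guard aborts with a message instead of
# running rm with an empty path if tmp_dir is unset; "--" stops option
# parsing should the path ever start with "-".
rm -rf -- "${tmp_dir:?}"
# Exit
exit 0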