On 20/10/20 at 17:13, Jesús Roque Travieso wrote:
I have something similar, but I use Active Directory and the script is in Perl.

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: adr...@sc.mfp.gob.cu
Date: 16/10/20 09:00 (GMT-05:00)
To: gutl-l@listas.jovenclub.cu
Subject: [Gutl-l] user password expiration notification

Hello list members,

I am trying to get this script working, but I have a problem with this part:

#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"

defaultPasswordPolicy: where do I find this? I have searched through all the DNs in Samba and I find nothing. I have used these lines:

[root@self ~]# ldapsearch -H ldap://192.168.20.5:389 -LLL -x -D "SC\administrator" -W -b "DC=sc,DC=mfp,DC=gob,DC=cu" "(&(objectclass=user))"

Or, if anyone has a script that notifies me when a user is about to expire, please send it my way. This is the script's output:

Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password change date for denia3403
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password change date for dayana
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: No password change date for maryleyvis
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: --- Statistics ---
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Users checked: 137
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Account expired: 0
Oct 16 12:46:58 self checkLdapPwdExpiration.sh[12706]: Account in warning: 0
[root@self ~]#

It finds the users. I have modified a few users through Samba so that they expire in two days or even more, but it gives me no result for them, because I still have to find what I mentioned above:

#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"

I would appreciate any help with this, thanks. The script follows.
#!/bin/sh
#
# LDAP host URI
# eg: ldap://localhost:389
#
MY_LDAP_HOSTURI="ldap://192.168.20.5:389"

#
# LDAP root DN (optional)
# eg: cn=Manager,dc=example,dc=com
#
MY_LDAP_ROOTDN="CN=Administrator,CN=Users,DC=sc,DC=mfp,DC=gob,DC=cu"

#
# LDAP root password (optional)
#
MY_LDAP_ROOTPW="P@ssw0rd"

#
# LDAP default password policy DN
# eg: ou=defaultPasswordPolicy,dc=example,dc=com
# If commented, we suppose there are no default, and only per-user policies
#
#MY_LDAP_DEFAULTPWDPOLICYDN="ou=defaultPasswordPolicy,dc=example,dc=com"

#
# LDAP search base for users
# eg: ou=People,dc=example,dc=com
#
MY_LDAP_SEARCHBASE="OU=DPFP,DC=sc,DC=mfp,DC=gob,DC=cu"

#
# LDAP search filter to use to get all users
#
MY_LDAP_SEARCHFILTER="(&(uid=*)(objectClass=inetOrgPerson))"

#
# LDAP search scope to use to get all users
#
MY_LDAP_SEARCHSCOPE="one"

#
# Path to LDAP search binary
#
MY_LDAP_SEARCHBIN="/usr/local/openldap/bin/ldapsearch"

#
# Delay to begin sending adverts
# Comment to use the pwdExpireWarning value of the user's Password Policy
#
#MY_MAIL_DELAY=1296000

#
# LDAP attributes storing user's information
# NAME: Display name of the user
# LOGIN: Account ID of the user
# MAIL: Email of the user
#
MY_LDAP_NAME_ATTR=cn
MY_LDAP_LOGIN_ATTR=uid
MY_LDAP_MAIL_ATTR=mail

#
# Locale for date
# eg: export LC_ALL=en_US.UTF-8
#
export LC_ALL=en_US.UTF-8

#
# Mail body message, with particular variables :
# %name : user name
# %login : user login
#
MY_MAIL_BODY="From: %lo...@sc.mfp.gob.cu\n\n \
Hi %name,\n\n \
Please change your password. It will expire in %expireDays days on %expireTimeTZ.\n\n \
As a reminder, the password policy is :\n\n \
 - Minimum Password Length : %pwdMinLength characters\n\n \
 - There is a password history, your new password must be different from you last %pwdInHistory passwords.\n\n \
The LDAP team."

#
# Mail subject
#
MY_MAIL_SUBJECT="Your account will expire soon"

#
# Mail command binary
# Replace mailx by mail for RedHat
#
MY_MAIL_BIN="mail"

#
# Log header format
# Could include unix commands
#
MY_LOG_HEADER="`date +\"%b %e %T\"` `hostname` $0[$$]:"

#
# Path to GAWK (GNU awk) binary
#
MY_GAWK_BIN="/usr/bin/gawk"

#====================================================================
# Functions
#====================================================================

#
# Retrieves date in seconds.
# This function could take one parameter, a time returned by the command
# `date +"%Y %m %d %H %M %S"`. Without parameter, it returns GMT time.
#
getTimeInSeconds() {
    date=0
    os=`uname -s`

    if [ "$1" ]; then
        date=`${MY_GAWK_BIN} 'BEGIN { \
            if (ARGC == 2) { \
                print mktime(ARGV[1]) \
            } \
            exit 0 }' "$1"`
    else
        if [ "${os}" = "SunOS" ]; then
            # Under Sun Solaris, there is no simple way to
            # retrieve epoch time.
            # TODO: manage zulu time (GMT)
            date=`/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \
                '/^time\(\)/ {gsub(/ /,"",$2);print $2}'`
        else
            now=`date +"%Y %m %d %H %M %S" -u`
            date=`getTimeInSeconds "$now"`
        fi
    fi

    echo ${date}
}

#====================================================================
# Script
#====================================================================

## Variables initialization
tmp_dir="/tmp/$$.checkldap.tmp"
result_file="${tmp_dir}/res.tmp.1"
buffer_file="${tmp_dir}/buf.tmp.1"
ldap_param="-LLL -H ${MY_LDAP_HOSTURI} -x"
nb_users=0
nb_expired_users=0
nb_warning_users=0

## Some tests
if [ -d ${tmp_dir} ]; then
    echo "Error : temporary directory exists (${tmp_dir})"
    exit 1
fi
mkdir ${tmp_dir}

# Note: -w puts the bind password on the command line, where any local
# user can read it from the process list; ldapsearch -y <file> avoids that.
if [ "${MY_LDAP_ROOTDN}" ]; then
    ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}"
fi

## Performs global search
${MY_LDAP_SEARCHBIN} ${ldap_param} -s ${MY_LDAP_SEARCHSCOPE} \
    -b "${MY_LDAP_SEARCHBASE}" "${MY_LDAP_SEARCHFILTER}" \
    "dn" > ${result_file}

## Loops on results
while read dnStr
do
    # Do not use blank lines
    if [ ! "${dnStr}" ]; then
        continue
    fi

    # Process ldap search
    dn=`echo ${dnStr} | cut -d : -f 2`

    # Increment users counter
    nb_users=`expr ${nb_users} + 1`

    # pwdChangedTime and pwdPolicySubentry are OpenLDAP ppolicy overlay
    # attributes; an Active Directory / Samba 4 user entry has neither,
    # so every such user ends up in the "No password change date" branch.
    ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \
        ${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \
        > ${buffer_file}

    login=`grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    name=`grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    mail=`grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    pwdChangedTime=`grep -w "pwdChangedTime:" ${buffer_file} \
        | cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//"`
    pwdPolicySubentry=`grep -w "pwdPolicySubentry:" ${buffer_file} \
        | cut -d : -f 2 | sed "s/^ *//;s/ *$//"`

    # Go to next entry if no pwdChangedTime
    if [ ! "${pwdChangedTime}" ]; then
        echo "${MY_LOG_HEADER} No password change date for ${login}" >&2
        continue
    fi

    # Go to next entry if no pwdPolicySubEntry and no default policy
    if [ ! "${pwdPolicySubentry}" -a ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then
        echo "${MY_LOG_HEADER} No password policy for ${login}" >&2
        continue
    fi

    # Retrieves user policy pwdMaxAge and pwdExpireWarning attributes
    ldap_search="${MY_LDAP_SEARCHBIN} ${ldap_param} -s base"
    if [ "${pwdPolicySubentry}" ]; then
        ldap_search="${ldap_search} -b ${pwdPolicySubentry}"
    else
        ldap_search="${ldap_search} -b ${MY_LDAP_DEFAULTPWDPOLICYDN}"
    fi
    ldap_search="$ldap_search pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory"
    pwdMaxAge=`${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    pwdExpireWarning=`${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    pwdMinLength=`${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`
    pwdInHistory=`${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \
        | sed "s/^ *//;s/ *$//"`

    # Go to next user if no pwdMaxAge (no expiration)
    if [ ! "${pwdMaxAge}" ]; then
        echo "${MY_LOG_HEADER} No password expiration configured for ${login}" >&2
        continue
    fi

    # Replace MAIL_DELAY by pwdExpireWarning if exists
    MY_MAIL_DELAY=${MY_MAIL_DELAY:=$pwdExpireWarning}

    # Retrieves time difference between today and last change.
    if [ "${pwdChangedTime}" ]; then
        s=`echo ${pwdChangedTime} | cut -c 13-14`
        m=`echo ${pwdChangedTime} | cut -c 11-12`
        h=`echo ${pwdChangedTime} | cut -c 9-10`
        d=`echo ${pwdChangedTime} | cut -c 7-8`
        M=`echo ${pwdChangedTime} | cut -c 5-6`
        y=`echo ${pwdChangedTime} | cut -c 1-4`
        currentTime=`getTimeInSeconds`
        pwdChangedTime=`getTimeInSeconds "$y $M $d $h $m $s"`
        diffTime=`expr ${currentTime} - ${pwdChangedTime}`
    fi

    # Go to next user if password already expired
    expireTime=`expr ${pwdChangedTime} + ${pwdMaxAge}`
    if [ ${currentTime} -gt ${expireTime} ]; then
        nb_expired_users=`expr ${nb_expired_users} + 1`
        echo "${MY_LOG_HEADER} Password expired for ${login}" >&2
        continue
    fi

    expireTimeTZ=`date -d @$expireTime "+%A %d %B %Y %T"`
    expireTimeMail=`date -d @$expireTime "+%s"`
    now=`date +%s`
    expireDays=`echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))`

    # ALL LDAP attributes should be there, else continue to next user
    if [ "${mail}" -a "${name}" \
        -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ]
    then
        # Ajusts time with delay
        diffTime=`expr ${diffTime} + ${MY_MAIL_DELAY}`
        if [ ${diffTime} -gt ${pwdMaxAge} ]; then
            logmsg="${MY_MAIL_BODY}"
            logmsg=`echo ${logmsg} | sed "s/%name/${name}/; \
                s/%login/${login}/; s/%expireTimeTZ/${expireTimeTZ}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \
                s/%expireDays/${expireDays}/"`
            # Sending mail...
            echo "${logmsg}" | ${MY_MAIL_BIN} -s "${MY_MAIL_SUBJECT}" ${mail} >&2
            # Print debug information on STDERR
            echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2
            # Increment warning counter
            nb_warning_users=`expr ${nb_warning_users} + 1`
        fi
    fi
done < ${result_file}

# Print statistics on STDOUT
echo "${MY_LOG_HEADER} --- Statistics ---"
echo "${MY_LOG_HEADER} Users checked: ${nb_users}"
echo "${MY_LOG_HEADER} Account expired: ${nb_expired_users}"
echo "${MY_LOG_HEADER} Account in warning: ${nb_warning_users}"

# Delete temporary files
rm -rf ${tmp_dir}

# Exit
exit 0

_______________________________________________
Gutl-l mailing list -- gutl-l@listas.jovenclub.cu
To unsubscribe send an email to gutl-l-le...@listas.jovenclub.cu
And what is that Perl script? To see whether it can be adapted to run on Linux; after all, Samba 4 behaves the same as an AD and has the same schemas.
--
Arian Molina Aguilera
Network and Telematic Services Administrator
Registered Linux User #392892
Tel: +53(7)696-7510 ext 236
jabber: linuxc...@teknik.io
Brascuba Cigarrillos S.A. La Habana. Cuba.
"Never regard study as an obligation, but as an opportunity to enter the beautiful and wonderful world of knowledge. Albert Einstein"
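A worked example added here, not from this thread and not from the LTB checkLdapPwdExpiration.sh script quoted above, showing why that script logs "No password change date" for every Samba 4 user and how the same check looks against the AD schema. pwdChangedTime, pwdPolicySubentry and the pwdPolicy objects (the "defaultPasswordPolicy" DN the original poster is looking for) belong to the OpenLDAP ppolicy overlay; an Active Directory or Samba 4 domain has none of them. What AD keeps instead is pwdLastSet on the user (a 64-bit FILETIME, 100-nanosecond ticks since 1601-01-01 UTC; 0 means "must change password at next logon"), maxPwdAge on the domain root (a negative 100-nanosecond interval; 0 or -9223372036854775808 means passwords never expire) and the DONT_EXPIRE_PASSWORD bit (0x10000) in userAccountControl. On Samba 4 the domain value can be confirmed with `samba-tool domain passwordsettings show`. The Python below parses a constructed LDIF sample in the form ldapsearch -LLL prints, converts the FILETIME values and classifies each account using the same 15-day window the shell script uses for MY_MAIL_DELAY (1296000 seconds). The domain, user names, attribute values and the reference time (the thread's log timestamp, 2020-10-16 12:46:58 -05:00, taken as UTC 17:46:58) are all made up for the example. Fine-grained password policies (PSOs, msDS-ResultantPSO) are not handled; only the domain default applies.

```python
import base64
from datetime import datetime, timedelta, timezone

# Added example: AD / Samba 4 password-expiry check. Not the LTB script, not from the thread.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100-ns ticks from here
DONT_EXPIRE_PASSWORD = 0x10000                               # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000                          # maxPwdAge sentinel for "no expiry"
WARN_BEFORE = timedelta(seconds=1296000)                     # 15 days, same as MY_MAIL_DELAY

# Reference time: the thread's log timestamp (2020-10-16 12:46:58 -05:00) expressed in UTC.
NOW = datetime(2020, 10, 16, 17, 46, 58, tzinfo=timezone.utc)

# Constructed sample in the form "ldapsearch -LLL" prints; domain, users and values are invented.
# maxPwdAge -36288000000000 is 42 days. pwdLastSet values: 2020-10-01, 2020-09-10, 2020-08-01 UTC.
SAMPLE_LDIF = """\
dn: DC=example,DC=com
maxPwdAge: -36288000000000

dn: CN=alice,OU=DPFP,DC=example,DC=com
sAMAccountName: alice
mail: alice@example.com
userAccountControl: 512
pwdLastSet: 132459840000000000

dn: CN=bob,OU=DPFP,DC=example,DC=com
sAMAccountName: bob
displayName:: Sm9zw6k=
userAccountControl: 512
pwdLastSet: 132441696000000000

dn: CN=carol,OU=DPFP,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 66048
pwdLastSet: 132459840000000000

dn: CN=dave,OU=DPFP,DC=example,DC=com
sAMAccountName: dave
userAccountControl: 512
pwdLastSet: 0

dn: CN=eve,OU=DPFP,DC=example,DC=com
sAMAccountName: eve
userAccountControl: 512
pwdLastSet: 132407136000000000
"""


def _unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF parser: a list of {attribute: [values]} dicts, one per entry."""
    entries, cur = [], {}
    for line in _unfold(text) + [""]:
        if not line:                       # a blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>", used for non-ASCII values (accented names)
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def filetime_to_datetime(ft):
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_status(user, max_pwd_age, now=NOW):
    """Classify one AD user entry as (status, expires_at, days_left)."""
    uac = int(user.get("userAccountControl", ["0"])[0])
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, NEVER_EXPIRES):
        return "never", None, None
    last_set = int(user.get("pwdLastSet", ["0"])[0])
    if last_set == 0:                      # 0 = "user must change password at next logon"
        return "must_change", None, None
    expires_at = filetime_to_datetime(last_set) + timedelta(microseconds=-max_pwd_age // 10)
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return "expired", expires_at, remaining.days
    if remaining <= WARN_BEFORE:
        return "warning", expires_at, remaining.days
    return "ok", expires_at, remaining.days


def check_ldif(text, now=NOW):
    """Run the check over an LDIF dump that holds the domain root and the user entries."""
    entries = parse_ldif(text)
    domain = next(e for e in entries if "maxPwdAge" in e)
    max_pwd_age = int(domain["maxPwdAge"][0])
    return {e["sAMAccountName"][0]: password_status(e, max_pwd_age, now)
            for e in entries if "sAMAccountName" in e}


if __name__ == "__main__":
    for login, (status, expires_at, days_left) in check_ldif(SAMPLE_LDIF).items():
        when = expires_at.strftime("%Y-%m-%d") if expires_at else "-"
        print(f"{login:8} {status:12} expires={when} days_left={days_left}")
```

To feed it real data, replace SAMPLE_LDIF with the output of a base-scope ldapsearch of the domain root asking for maxPwdAge, followed by a subtree search such as `(&(objectClass=user)(objectCategory=person))` asking for sAMAccountName, mail, userAccountControl and pwdLastSet; ldapsearch folds long lines and base64-encodes non-ASCII values, and the parser handles both. Keep the bind password out of the command line (`-y passwordfile` instead of `-w`), since `-w` leaves it visible in the process list of the host running the cron job.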