  #1 (permalink)  
Old 10-23-2008, 01:04 AM
Senior Member
 
Posts: 50
Default Ldap/AD password expiration/renew

Zimbra manages user auth in LDAP/AD well, but how do I manage password expiration (suppose I set passwords to expire in AD after 90 days and I have a set of users that only use mail with AD auth but never access the domain from a PC)? Is there a way, without a custom ad hoc script, to email a notice x days before the password expires? And a way to renew it from the Zimbra interface?

Thanks in advance. L
  #3 (permalink)  
Old 11-13-2008, 02:04 PM
Intermediate Member
 
Posts: 19
Default

I have created a script that you can use to notify users. You can add it to the zimbra cron (crontab -e as zimbra) to have it run daily.

I don't think it will work with an external LDAP but you could modify it with an ldap query to get the change date.

Code:
#!/bin/bash
## Script to check if a users password is expiring.
##
## Info:
## This script will start to warn the user when they have 5 days left, send a critical 
## warning to both the user and IT on one day left and, notify IT of users with expired 
## passwords. It logs to /var/log/cron.
##
## Usage:
## This should be run as a cron every day, it must run as the zimbra user.


### -- enter settings here -- ###

## E-mail address that gets IT notifications.
NOTIFICATION=admin@example.com

## The domain we run against.
DOMAIN=example.com

## Number of days for a warning.
WARNAT=5

## Number of days for a critical warning.
CRITWARNAT=1

## Enter address you do not want to test here. Pipe "|" separated
EXEMPTEDADDRESS="admin@example.com|wiki@example.com|whatever@example.com"

## Web address of the location a user can change their password.
CHANGEURL=https://zimbra.example.com


### -- end settings -- ###


echo ""
echo "Password Expire"
echo "============================================"
echo "LAUNCHED: `date`"
logger -p cron.info -t PASSWORD_EXPIRE script running.

# Pull the expire value from zimbra and set variables for warning / critical.
EXPIREVAL=`zmprov gc default zimbraPasswordMaxAge | sed 's/[^0-9]//g'| sed -n '/[0-9]/p'`
EXCRITVAL=$(($EXPIREVAL - $CRITWARNAT ))
EXWARNVAL=$(($EXPIREVAL - $WARNAT ))


# The big loop.
# Get accounts from Zimbra. (Skipping some internal accounts even though they wont cause problems)
for USER in `zmprov gaa "$DOMAIN" | egrep -v -e "$EXEMPTEDADDRESS"`; do


  # Feedback
  echo -n "Performing test on... $USER"


  # Pull the users last password modified time from Zimbra.
  # Match the attribute line by name so digits elsewhere in the output
  # (for example in the account name) are not picked up.
  CHANGEDATE=`zmprov ga "$USER" zimbraPasswordModifiedTime | sed -n 's/^zimbraPasswordModifiedTime: *//p' | cut -c 1-8`


  # Deal with a condition where user has no password set.
  # This can be, because it was never set, or the users
  # password does not expire as exempted by admin.
  if [[ ${#CHANGEDATE} != 8 ]]; then
	echo " Oops! no password or expire not set for $USER - user skipped."
	logger -p cron.info -t PASSWORD_EXPIRE - No password or expire not set for $USER
	continue
  fi 


  # Set variables and get the date in a form we can perform
  # arithmetic on.
  CURDATE=`date +%Y%m%d`
  DAYCUR=$((`date -d $CHANGEDATE +%s` / 86400 ))
  DAYCHANGE=$((`date -d $CURDATE +%s` / 86400 ))
  DIF=$(($DAYCHANGE - $DAYCUR))


  # This is the main part, it checks and sends mail upon
  # various conditions.
  if [[ $DIF -ge $EXPIREVAL ]]; then
	WARN=0
	WARNIT=1
	echo -n " WARNING $USER password has expired."
		mail -s "User Password has expired." $NOTIFICATION  <<-END
			The password for user ${USER} has expired by ${DIF} days.
		END
 	logger -p cron.info -t PASSWORD_EXPIRE - $USER password has expired.

  elif [[ $DIF -ge $EXCRITVAL ]]; then
	WARN=1
	WARNIT=1
	echo -n " WARNING $USER password will expire in 1 day."
		mail -s "User Password is about to expire." $NOTIFICATION  <<-END
			The password for user ${USER} will expire in 1 day.
		END
		mail -s "Your password is about to expire." $USER  <<-END
			Your password will expire in 1 day. It is critical you change
			it today.
			
			To change your password please go to ${CHANGEURL}
			
			--
			IT Support
		END
 	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $DIF days remain.


  elif [[ $DIF -ge $EXWARNVAL ]]; then
	WARN=1
	WARNIT=0
	echo -n " WARNING user password will expire in $DIF days."
		mail -s "Your password is about to expire." $USER  <<-END
			Your password will expire in ${DIF} days. If you do not change it soon
			you will not be able to login. It would be a good idea to change it now.
			
			To change your password please go to ${CHANGEURL}
			
			--
			IT Support
		END
 	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $DIF days remain.

  else
	WARN=0	
	WARNIT=0	
  fi


  # Feedback
  if [[ $WARN = 1 ]]; then
	echo -n " ..user notified"
  fi

  if [[ $WARNIT = 1 ]]; then
	echo -n " ..IT notified"
  fi

  echo " - done processing."

# End loop and done.
done

logger -p cron.info -t PASSWORD_EXPIRE - finished.
exit 0
It's a little different than the one we use internally and I haven't tested this version, but it is pretty close. Let me know if it works for you.

Last edited by k1e0x; 11-13-2008 at 02:12 PM..
  #4 (permalink)  
Old 09-28-2009, 03:34 AM
Trained Alumni
 
Posts: 2
Exclamation password expiry notification

@k1e0x
Thanks for the script!
One could also pull the zimbraPasswordMaxAge on a per-user basis if the default has been changed individually:
Code:
# Match the attribute line by name so digits in the account name are not picked up.
EXPIREVAL=`zmprov ga "$USER" zimbraPasswordMaxAge | sed -n 's/^zimbraPasswordMaxAge: *//p'`
EXCRITVAL=$(($EXPIREVAL - $CRITWARNAT ))
EXWARNVAL=$(($EXPIREVAL - $WARNAT ))
Place this in the main loop just below the CHANGEDATE expression.
And don't forget to comment out the respective expressions above ;-)


@k1e0x: There is one small error in your script.
$DIF is how many days have passed since the last password change:
Quote:
DIF=$(($DAYCHANGE - $DAYCUR))
You can't use this value to report the remaining days.
To report the remaining days, use a new variable
Code:
 REM=$(($EXPIREVAL - $DIF))
and replace $DIF in the elif branches, so it looks like this:
Code:
  # <<-END strips leading tabs only, so the message bodies and the END
  # lines below must be indented with tabs, not spaces.
  elif [[ $DIF -ge $EXCRITVAL ]]; then
	WARN=1
	WARNIT=1
	echo -n " ZIMBRA WARNING $USER email password will expire in 1 day."
		mail -s "User Password is about to expire." $NOTIFICATION  <<-END
			The password for user ${USER} will expire in 1 day.
		END
		mail -s "Your password is about to expire." $USER  <<-END
			Dear ${USER},
			your password will expire in 1 day. It is critical you change
			it TODAY.

			To change your password please go to ${CHANGEURL},
			select Preferences
			and change your password in the Login Options section
			--
			IT Support
		END
	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $REM days remain.

  elif [[ $DIF -ge $EXWARNVAL ]]; then
	WARN=1
	WARNIT=0
	echo -n " WARNING user password will expire in $REM days."
		mail -s "Your password is about to expire." $USER  <<-END
			Dear ${USER},
			your password will expire in ${REM} days. If you do not change it soon
			you will not be able to login. It would be a good idea to change it now.

			To change your password please go to ${CHANGEURL}
			Select Preferences
			and change your password in the Login Options section

			--
			IT Support
		END
	logger -p cron.info -t PASSWORD_EXPIRE - $USER was notified. $REM days remain.

  else
	WARN=0
	WARNIT=0
  fi

Last edited by PeJH607; 09-28-2009 at 06:12 AM..
  #5 (permalink)  
Old 11-03-2009, 03:55 AM
Elite Member
 
Posts: 296
Default

I would add this change:

Code:
  DAYCUR=$((`date -d $CURDATE +%s` / 86400 ))
  DAYCHANGE=$((`date -d $CHANGEDATE +%s` / 86400 ))
  DIF=$(($DAYCUR - $DAYCHANGE))
Reply With Quote
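
The corrections raised in the replies above (days since the last change versus days remaining, and a per-account zimbraPasswordMaxAge) combined into one testable function, as an added example that is not code from any poster in this thread. It assumes GNU date, as the thread's script does, and treats an empty or 0 zimbraPasswordMaxAge as "no expiry" (an assumption); the function names and the sample accounts are constructed.

```shell
#!/bin/bash
# Added example, not from the thread. Function names are hypothetical.

# epoch_day YYYYMMDD -> whole days since 1970-01-01 UTC; fails on bad input.
epoch_day() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 1 ;;
  esac
  secs=$(date -u -d "$1" +%s 2>/dev/null) || return 1   # GNU date assumed
  echo $(( secs / 86400 ))
}

# password_status MODIFIED MAX_AGE TODAY WARN_AT CRIT_AT
#   MODIFIED  zimbraPasswordModifiedTime value, e.g. 20081020093000Z
#   MAX_AGE   zimbraPasswordMaxAge in days; empty or 0 is treated as
#             "no expiry" (assumption), which the thread's script does not check
#   TODAY     YYYYMMDD, normally $(date +%Y%m%d)
# Prints "<state> <days remaining>"; state: ok, warn, critical, expired, skip.
password_status() {
  modified=$1 max_age=$2 today=$3 warn_at=$4 crit_at=$5
  case "$max_age" in
    ''|0|*[!0-9]*) echo "skip -"; return 0 ;;
  esac
  changed_day=$(epoch_day "$(printf '%.8s' "$modified")") || { echo "skip -"; return 0; }
  today_day=$(epoch_day "$today") || return 1
  age=$(( today_day - changed_day ))   # days since last change (DIF in the thread)
  remaining=$(( max_age - age ))       # days left (REM in the reply above)
  if   [ "$remaining" -le 0 ];          then state=expired
  elif [ "$remaining" -le "$crit_at" ]; then state=critical
  elif [ "$remaining" -le "$warn_at" ]; then state=warn
  else state=ok
  fi
  echo "$state $remaining"
}

# Constructed sample data: account, modified time, max age ("-" = unset).
while read -r acct mod max; do
  echo "$acct: $(password_status "$mod" "$max" 20081113 5 1)"
done <<'EOF'
alice@example.com 20081020093000Z 30
bob2@example.com 20081015120000Z 30
carol@example.com 20080901080000Z 30
dave@example.com - 30
erin@example.com 20081020093000Z 0
EOF
```

In the cron script, call it once per account with the values read from zmprov and branch on the first word of the result.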