Well, it turns out that the passwordExpWarned attribute doesn't get changed either if a user authenticates to a server with a key via ssh, so I had to redesign how the script works. I figured that it's probably best to give the users the actual number of days they have before their password will expire. I've actually turned it into two scripts: the bash script is used to query the LDAP server for password expiration info, and it passes this value to the Perl script. Calling this from /etc/profile should work just fine. I thought this might be helpful to other users (the Perl script was tough for me, as I've never really scripted in Perl but couldn't figure out a way to do it in bash), so here you go:
#!/bin/bash
# use this script in order to figure out when the user's
# password is going to expire and give them a heads up about it

# figure out who the user is
mynam=`whoami`

# create some exceptions to this rule so that they don't get a phony message
if [ "$mynam" = root ] ; then
    exit 0
fi

#pswarn1=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpWarned | grep -i passwordExpWarned | grep -v '#' | awk '{print $2}'`

# figure out exactly when their password is going to expire
# (passwordExpirationTime is a GeneralizedTime such as 20060520143000Z; keep the YYYYMMDD part)
pswar=`ldapsearch -x -ZZ "(uid=$mynam)" passwordExpirationTime | grep -i passwordExpirationTime | grep -v '#' | awk '{print $2}' | cut -c 1-8`

# nothing to report if the entry carries no expiration time
if [ -z "$pswar" ] ; then
    exit 0
fi

# setup some variables
pwmonth=`echo $pswar | cut -c 5-6`
pwday=`echo $pswar | cut -c 7-8`
pwyear=`echo $pswar | cut -c 1-4`

# perl script expects input year month day
/usr/local/sbin/ck_pass1.pl "$pwyear" "$pwmonth" "$pwday"
exit 0
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local;

# epoch secs for 2 weeks equal 1209600
# setup vars that were passed in year, month, day in that order
if (@ARGV != 3) {
    print "usage: $0 year month day\n";
    exit 0;
}
my $varpass0 = $ARGV[0];
my $varpass1 = $ARGV[1];
my $varpass2 = $ARGV[2];

# timelocal doesn't work for dates past the year 2038
if ($varpass0 >= 2038) {
    print "year passed is too much for this script\n";
    exit 0;
}

# get today's date and format it properly
# be aware localtime is going to format year-1900 and month-1
my ($mday, $mmonth, $myear) = (localtime(time))[3,4,5];
my $epdate = timelocal(0, 0, 0, $mday, $mmonth, $myear);

# get epoch date for when password will expire
# we have to format what was passed to us to make it usable by timelocal
my $varpass00 = $varpass0 - 1900;
my $varpass11 = $varpass1 - 1;
my $passexp = timelocal(0, 0, 0, $varpass2, $varpass11, $varpass00);

# subtract password expiration from today and see what we get
my $passans = $passexp - $epdate;
my $finans2 = $passans / 86400;

# let's see where we stand
# and send a warning to the end users if necessary
if ($passans <= 1209600) {
    printf "Warning, Your Ldap password will expire in %.0f", $finans2;
    print " days\n";
}
-----Original Message-----
From: Bliss, Aaron
Sent: Monday, February 20, 2006 10:35 AM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions
Yep, this issue occurs over ssh.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson
Sent: Monday, February 20, 2006 10:08 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions
Bliss, Aaron wrote:
Some more trouble with password expiration warnings; I have password warnings being displayed to users when they use passwords, however users configured to use key authentication
Do you mean ssh?
do not receive these warnings; has anyone seen this before? This is of course going to be a very big problem for me. Any ideas? Thanks again.
Aaron
-----Original Message-----
From: Bliss, Aaron
Sent: Wednesday, January 25, 2006 7:48 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions
Turns out the issue I was having was with my clients; I'm not sure why, but the administrator before me had "UseLogin Yes" set in /etc/ssh/sshd_config; commenting this out immediately started generating password warnings to users (as configured by the directory server). Does anyone know what the UseLogin option is used for?
Thanks.
Aaron
-----Original Message-----
From: Bliss, Aaron
Sent: Thursday, January 19, 2006 3:15 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement information questions
Thanks very much for the explanation; it makes much sense to me now. I did some playing around, and got the directory server to spit out to me that your password is going to expire in x amount of days. Thanks again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, January 19, 2006 2:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions
It looks like the way it works is this: When you have enabled password warning, an operational attribute called "passwordExpWarned" is created in the user's entry. The value will be 0 until the user does a successful BIND operation and the time between now and the configured password expiration time is less than or equal to the configured password warning time. When this happens, the warning will be sent, the value of passwordExpWarned will be changed to 1, and the operational attribute passwordExpirationTime in the user's entry will be set to the time at which the password will expire. When the user changes the password, passwordExpWarned will be reset to 0 and passwordExpirationTime will be set to the new expiration time.
Bliss, Aaron wrote:
If I've configured a correct password policy and the warning attribute is not getting updated, should this be considered a bug?
Aaron
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard Megginson
Sent: Thursday, January 19, 2006 1:48 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement information questions
Bliss, Aaron wrote:
Please forgive me if I'm asking silly newbie questions, however I'm trying to understand exactly what I'm seeing through fds. First, the policy I've configured on the directory using the fds console: I've enabled fine-grained password policy for the data unit, including password history enforcement, password expiration after 90 days, password warning 14 days before password expires, check password syntax, account lockout policy enabled after 3 login failures for 120 minutes, and reset failure count after 15 minutes.
Everything seems to be working except for send password warning; in the client's ldap.conf file, I've enabled pam_lookup_policy yes.
Looking at account information attributes for a user, the passwordExpWarned value is 0; I've reset the user's password to try to initialize the password policy, however this value never seems to change. According to this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081 I believe that this attribute is stored in seconds. Is this true?
Yes.
If so, what can I do to ensure this attribute is getting updated (assuming that this is the attribute responsible for triggering password expiration warning).
I'm not really sure.
Second issue/question: I've looked at this wiki http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very bottom it mentions adding the following
dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000

(this I believe would give a password max age of 100 days)
Do I need to add these attributes even though I've configured the password policy using the fds console, or has the console done this for me? If that is the case, I don't see these attributes in the GUI; however, I do see passwordexpirationtime as an attribute, and it is set to 90 days from now (I want to ensure that accounts are indeed locked after passwords have expired).
Those attributes are only for global (default) password policy - what you have set for fine grained password policy will override those.
Also, Jim Summers posted to this group that he saw an issue with the shadowpasswd / shadowexpire fields not being updated https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
Can anyone tell me what these fields are used for, as I don't see any mention of them in this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
Right. They are a PAM/posix thing - FDS treats them as any other data - it doesn't update them from its own password policy.
Thanks again very much.
Aaron
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Bliss, Aaron wrote:
/etc/profile should work just fine. I thought this might be helpful to other users (perl script was tough for me, as I've never really scripted in perl but couldn't figure out a way to do in bash), so here you go:
As it turns out, perl hacking is my hobby :-) Here is your script, improved a bit, and with command line option parsing included.
#!/usr/bin/perl -w
use strict;
use Getopt::Long;
use Time::Local;

my %o;
GetOptions( \%o, 'year=i', 'month=i', 'day=i', );

my $year  = $o{year};   # exp year
my $month = $o{month};  # exp month
my $day   = $o{day};    # exp day

if (!($year && $month && $day)) {
    die "Usage: $0 --year YYYY --month MM --day DD\n";
}

my $maxyear = 2038;  # highest year for 32-bit systems
my $warning = 14;    # warning window in days

if ($year >= $maxyear) { die "Max year is $maxyear\n" }

$month -= 1;  # timelocal counts months from 0
my $ep_exp = timelocal(0, 0, 0, $day, $month, $year);
my $ep_cur = timelocal(0, 0, 0, (localtime(time))[3,4,5]);

# calculate the difference and send a warning if necessary
# (rounded, so a DST change between the two midnights does not print a fraction of a day)
my $days = sprintf("%.0f", ($ep_exp - $ep_cur) / 86400);
if ($days <= $warning) {
    print "Warning: Your LDAP password expires in $days days\n";
}
-- mike
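Both scripts in this thread (Aaron's bash/Perl pair and mike's rewrite) read passwordExpirationTime, keep only the YYYYMMDD part, and treat it as a local date. The attribute is actually an LDAP GeneralizedTime in UTC (the trailing Z), it is simply absent on entries with no expiration, and timelocal stops at 2038. The following is an added example written for this page, not code from the thread or from Fedora Directory Server, showing the same login check in Python with those cases handled: the LDIF sample, the DN, the uid and the timestamp are constructed for the example, and the 14-day window is the warning period Aaron configured.

```python
"""Added example (not from the thread): report the days left before an LDAP
password expires from the passwordExpirationTime attribute in ldapsearch's
LDIF output. Unlike the thread's bash/perl scripts it parses the attribute as
UTC GeneralizedTime, copes with a missing attribute, handles the LDIF base64
form ("attr:: ...") and has no 2038 limit."""
import base64
import re
from datetime import datetime, timezone

WARNING_DAYS = 14  # the thread's policy: warn 14 days before expiry

# Constructed sample of `ldapsearch -x -ZZ "(uid=abliss)" passwordExpirationTime`;
# the DN, uid and timestamp are made up for this example.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (uid=abliss)
# requesting: passwordExpirationTime
#

# abliss, People, example.com
dn: uid=abliss,ou=People,dc=example,dc=com
passwordExpirationTime: 20060520143000Z

# search result
search: 2
result: 0 Success
"""

_GENTIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime (used for 'now' and in the checks)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20060520143000Z into an aware UTC datetime."""
    m = _GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiration_from_ldif(ldif_text, attr="passwordExpirationTime"):
    """Return the attribute's datetime, or None if the entry carries no such attribute.

    Attribute names match case-insensitively, as in LDAP; '#' comment lines are
    skipped (ldapsearch echoes the requested attribute in one of them)."""
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == attr.lower():
            value = value.strip()
            if value.startswith(":"):  # LDIF base64 form "attr:: <b64>"
                value = base64.b64decode(value[1:].strip()).decode()
            return parse_generalized_time(value)
    return None


def days_until_expiry(expires_at, now):
    """Whole days from `now` until `expires_at`; negative once the password has expired."""
    return (expires_at - now).days  # timedelta.days floors toward minus infinity


def expiry_warning(ldif_text, now, warning_days=WARNING_DAYS):
    """Return the message to print at login, or None when no warning is due."""
    expires_at = expiration_from_ldif(ldif_text)
    if expires_at is None:
        return None  # no expiration recorded for this entry: nothing to warn about
    days = days_until_expiry(expires_at, now)
    if days < 0:
        return "Warning: your LDAP password has expired; contact your administrator"
    if days <= warning_days:
        return f"Warning: your LDAP password will expire in {days} days"
    return None


if __name__ == "__main__":
    # In a real /etc/profile hook the LDIF would come from ldapsearch's stdout.
    print(expiry_warning(SAMPLE_LDIF, datetime.now(timezone.utc)))
```

The day count is the floor of the real time difference, so a password expiring tomorrow at 14:30 UTC reports 0 days when checked this evening; the thread's scripts instead compare local midnights, which is why mike's version needed rounding around DST changes.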
389-users@lists.fedoraproject.org