This script browses the LDAP directory and looks for entries that use a password policy. If a user's password will expire soon, a mail is sent. It was only tested with OpenLDAP (ppolicy overlay).
This shell script must be run as a cronjob. You can run it daily.
It requires:
It was tested for GNU/Linux and SunOS 5.8.
There is no command line parameter:
sh checkLdapPwdExpiration.sh
Logs are sent through STDOUT and STDERR:
sh checkLdapPwdExpiration.sh 1>result.log 2>audit.log
Sample log files:
--- Statistics ---
Users checked: 5
Account expired: 1
Account in warning: 1

No password policy for coudot
Password expired for sbahloul
No password change date for tchemineau
No password change date for rouazana
Mail sent to user farmand (farmand@example.com)
Edit the script to adapt configuration:
MY_LDAP_HOSTURI: LDAP URI
MY_LDAP_ROOTDN (optional): DN to use to bind. No DN means anonymous
MY_LDAP_ROOTPW: Password
MY_LDAP_DEFAULTPWDPOLICYDN: Default password policy DN. Do not set if no default policy is used. In this case, the script will only affect users with a password policy in their entry (pwdPolicySubentry)
MY_LDAP_SEARCHBASE: Users search base
MY_LDAP_SEARCHFILTER: Users search filter
MY_LDAP_SEARCHBIN: Path to ldapsearch binary
MY_MAIL_DELAY: Time before expiration where a mail is sent. No mail is sent after expiration. If no value, the script will take the pwdExpireWarning of the password policy
MY_LDAP_NAME_ATTR: attribute containing user's name
MY_LDAP_LOGIN_ATTR: attribute containing user's login
MY_LDAP_MAIL_ATTR: attribute containing user's mail address
MY_MAIL_BODY: message body
MY_MAIL_SUBJECT: message subject
MY_MAIL_BIN: mail binary
MY_LOG_HEADER: log header
MY_GAWK_BIN: path to gawk binary
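The check the script performs on each entry (password policy present, pwdChangedTime present, expired, or inside the warning window, with MY_MAIL_DELAY overriding the policy's pwdExpireWarning) is shown below as an added, self-contained POSIX sh example. It is not the LTB script itself: it runs on a constructed table of users instead of ldapsearch output, replaces the mail step with the "Mail sent" log line, and does its date arithmetic in shell rather than gawk. The function names (days_from_civil, gentime_to_epoch, check_user, run_sample), the sample users and the fixed "now" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the LTB checkLdapPwdExpiration.sh: the per-user
# expiration test, run offline on constructed sample data.

# Days since 1970-01-01 for a UTC civil date (Hinnant's days_from_civil,
# integer-only so it works in plain POSIX sh; years >= 0 only).
days_from_civil() {
    dc_y=$1; dc_m=$2; dc_d=$3
    if [ "$dc_m" -le 2 ]; then dc_y=$((dc_y - 1)); fi
    dc_era=$((dc_y / 400))
    dc_yoe=$((dc_y - dc_era * 400))
    if [ "$dc_m" -gt 2 ]; then dc_mp=$((dc_m - 3)); else dc_mp=$((dc_m + 9)); fi
    dc_doy=$(( (153 * dc_mp + 2) / 5 + dc_d - 1 ))
    dc_doe=$(( dc_yoe * 365 + dc_yoe / 4 - dc_yoe / 100 + dc_doy ))
    echo $(( dc_era * 146097 + dc_doe - 719468 ))
}

# LDAP GeneralizedTime (YYYYMMDDHHMMSSZ, the form ppolicy writes into
# pwdChangedTime) to Unix epoch seconds.
gentime_to_epoch() {
    gt_y=$(printf '%s' "$1" | cut -c1-4)
    gt_m=$(printf '%s' "$1" | cut -c5-6)
    gt_d=$(printf '%s' "$1" | cut -c7-8)
    gt_H=$(printf '%s' "$1" | cut -c9-10)
    gt_M=$(printf '%s' "$1" | cut -c11-12)
    gt_S=$(printf '%s' "$1" | cut -c13-14)
    # strip one leading zero so "08"/"09" are not parsed as octal
    gt_days=$(days_from_civil "${gt_y#0}" "${gt_m#0}" "${gt_d#0}")
    echo $(( gt_days * 86400 + ${gt_H#0} * 3600 + ${gt_M#0} * 60 + ${gt_S#0} ))
}

# Classify one user the way the script's log lines do.
#   $1 login   $2 pwdChangedTime or ""   $3 pwdMaxAge in seconds or "" (no policy)
#   $4 pwdExpireWarning in seconds   $5 "now" as epoch seconds
# MY_MAIL_DELAY, if set in the environment, replaces pwdExpireWarning,
# mirroring the configuration variable of the same name.
check_user() {
    cu_login=$1; cu_changed=$2; cu_maxage=$3; cu_warn=$4; cu_now=$5
    if [ -z "$cu_maxage" ]; then echo NOPOLICY; return; fi
    if [ -z "$cu_changed" ]; then echo NODATE; return; fi
    cu_expires=$(( $(gentime_to_epoch "$cu_changed") + cu_maxage ))
    cu_left=$(( cu_expires - cu_now ))
    if [ "$cu_left" -le 0 ]; then echo EXPIRED; return; fi   # no mail after expiry
    cu_delay=${MY_MAIL_DELAY:-$cu_warn}
    if [ "$cu_left" -le "$cu_delay" ]; then echo WARNING; return; fi
    echo OK
}

# Constructed sample directory content (assumption of this example):
# login|mail|pwdChangedTime|pwdMaxAge|pwdExpireWarning
# pwdMaxAge 7776000 = 90 days, pwdExpireWarning 1814400 = 21 days.
SAMPLE_USERS='coudot|coudot@example.com|20240101120000Z||
sbahloul|sbahloul@example.com|20231101120000Z|7776000|1814400
tchemineau|tchemineau@example.com||7776000|1814400
rouazana|rouazana@example.com||7776000|1814400
farmand|farmand@example.com|20240101120000Z|7776000|1814400
jdoe|jdoe@example.com|20240310120000Z|7776000|1814400'

# Walk the sample as a cron run walks the ldapsearch result. Per-user audit
# lines go to STDERR and the statistics to STDOUT; the mail step is replaced
# by the "Mail sent" line so the example stays offline.
run_sample() {
    rs_now=$(gentime_to_epoch "$1")   # fixed "now" keeps the run reproducible
    rs_checked=0; rs_expired=0; rs_warning=0
    while IFS='|' read -r rs_login rs_mail rs_changed rs_maxage rs_warn; do
        rs_checked=$((rs_checked + 1))
        case $(check_user "$rs_login" "$rs_changed" "$rs_maxage" "$rs_warn" "$rs_now") in
            NOPOLICY) echo "No password policy for $rs_login" >&2 ;;
            NODATE)   echo "No password change date for $rs_login" >&2 ;;
            EXPIRED)  rs_expired=$((rs_expired + 1))
                      echo "Password expired for $rs_login" >&2 ;;
            WARNING)  rs_warning=$((rs_warning + 1))
                      echo "Mail sent to user $rs_login ($rs_mail)" >&2 ;;
        esac
    done <<EOF
$SAMPLE_USERS
EOF
    echo "--- Statistics ---"
    echo "Users checked: $rs_checked"
    echo "Account expired: $rs_expired"
    echo "Account in warning: $rs_warning"
}

run_sample 20240315120000Z
```

With "now" fixed at 2024-03-15 12:00Z, sbahloul's 90-day lifetime ran out on 2024-01-30, farmand has 16 days left and falls inside the 21-day warning window, jdoe is silent because 85 days remain, and the two users without pwdChangedTime are reported rather than mailed. Setting MY_MAIL_DELAY=604800 in the environment before running it would silence farmand's warning as well.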