[Freeipa-users] How to implement password expiration notifications?

Eivind Olsen eivind at aminor.no
Wed Jun 8 11:34:48 UTC 2016


We have previously used a script to send "password expiration" reminders 
to our users. The script did this by doing an LDAP search and checking 
krbLastPwdChange and krbPasswordExpiration.
This seems to have stopped working, possibly a while ago. It now looks 
like the script is unable to match anything with the following filter:

"(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 week')000000Z))"

...that is, unless I run it manually and tell ldapsearch I want to use 
GSSAPI.

What's the best / proper way of implementing something like this on a 
more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0)? I see some 
possible methods but none of these feel "right":

* I can hardcode an admin user + password in the script, and have it run 
"kinit"
* I can create a keytab file for a user and use that
* I can modify ACL/ACIs in 389ds

Am I overlooking a nice and obvious solution? :)

Regards
Eivind Olsen
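
The search described in the message above, as an added example that is not part of the original post: it rebuilds the same filter from a reference date and turns the LDIF that ldapsearch returns into "uid mail days-left" lines. The function names, the sample entries and the base DN in the comment are assumptions, and GNU date is required, as in the post's own filter.

```shell
# Added example, not from the original post. Requires GNU date.
# Build the post's filter relative to a reference date (default: now); -u matches the "Z".
build_filter() {
    ref_s=$(date -u -d "${1:-now}" +%s)
    changed=$(date -u -d "@$((ref_s - 604800))" +%Y%m%d)
    expires=$(date -u -d "@$((ref_s + 604800))" +%Y%m%d)
    printf '(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=%s000000Z)(krbPasswordExpiration<=%s000000Z))' \
        "$changed" "$expires"
}

# Read LDIF on stdin, print "uid mail whole-days-left" for each entry.
expiring_users() {
    ref_s=$(date -u -d "${1:-now}" +%s)
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        uid = mail = pwexp = ""
        for (i = 1; i <= NF; i++) {
            p = index($i, ": ")
            if (p == 0) continue
            key = substr($i, 1, p - 1); val = substr($i, p + 2)
            if (key == "uid") uid = val
            else if (key == "mail") mail = val
            else if (key == "krbPasswordExpiration") pwexp = val
        }
        if (uid == "" || pwexp == "") next
        # GeneralizedTime YYYYMMDDhhmmssZ becomes "YYYY-MM-DD hh:mm:ss"
        printf "%s %s %s-%s-%s %s:%s:%s\n", uid, (mail == "" ? "-" : mail),
            substr(pwexp, 1, 4), substr(pwexp, 5, 2), substr(pwexp, 7, 2),
            substr(pwexp, 9, 2), substr(pwexp, 11, 2), substr(pwexp, 13, 2)
    }' | while read -r uid mail day time; do
        exp_s=$(date -u -d "$day $time" +%s)
        echo "$uid $mail $(( (exp_s - ref_s) / 86400 ))"
    done
}

# Constructed sample of ldapsearch -LLL output (not real data).
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
mail: alice@example.test
krbPasswordExpiration: 20160612093000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
mail: bob@example.test
krbPasswordExpiration: 20160614000000Z'

# Live use with a Kerberos ticket in place (base DN is an assumption):
#   ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no -b cn=users,cn=accounts,dc=example,dc=test \
#     "$(build_filter)" uid mail krbPasswordExpiration | expiring_users
printf '%s\n' "$SAMPLE_LDIF" | expiring_users 2016-06-08
```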