[Freeipa-users] How to implement password expiration notifications?

Alexander Bokovoy abokovoy at redhat.com
Wed Jun 8 12:00:14 UTC 2016


On Wed, 08 Jun 2016, Eivind Olsen wrote:
>We have previously used a script to send "password expiration" 
>reminders to our users. The script did this by doing LDAP search and 
>checking krbLastPwdChange and krbPasswordExpiration.
>This seems to have stopped working, possibly a while ago. It now looks 
>like the script is unable to match anything with the following filter:
>
>"(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=$(date +%Y%m%d --date='-1 
>week')000000Z)(krbPasswordExpiration<=$(date +%Y%m%d --date='+1 
>week')000000Z))"
>
>...that is, unless I run it manually and tell ldapsearch I want to use 
>GSSAPI.
No, you need to be authenticated, no matter how. Anonymous connections
don't have access to the majority of attributes in FreeIPA 4.x+.

>What's the best / proper way of implementing something like this on a 
>more recent IPA (say, running on RHEL 7.2 with IPA 4.2.0) ? I see some 
>possible methods but none of these feel "right":
Make a service (ipa service-add), download a keytab with the key for
this service and use gss-proxy to provide refreshing credentials based
on the keytab to a script that runs periodically.

>
>* I can hardcode an admin user + password in the script, and have it 
>run "kinit"
>* I can create a keytab file for a user and use that
>* I can modify ACL/ACIs in 389ds
>
>Am I overlooking a nice and obvious solution? :)
Your 'keytab' solution should be OK, but I strongly suggest you use a
service, not a user, here.

-- 
/ Alexander Bokovoy
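Added example (not part of the thread, and not the original poster's script): the reminder logic discussed above written out in Python so it can be checked offline. It builds the same LDAP filter from a reference time, applies the identical predicate to a constructed set of directory entries, and assembles the GSSAPI-authenticated ldapsearch command line the thread arrives at (credentials coming from a service keytab rather than an anonymous bind). The attribute names are FreeIPA's own; the sample entries, the reference time and the base DN are assumptions.

```python
# Added example (not the original poster's script): password-expiration reminder
# logic from the thread, reproduced offline.  Attribute names (nsAccountLock,
# krbLastPwdChange, krbPasswordExpiration) are FreeIPA's own; the sample entries
# and the base DN are constructed assumptions.
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as FreeIPA stores it (UTC)


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string such as 20160612120000Z."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def day_bounds(now, lookback=timedelta(weeks=1), horizon=timedelta(weeks=1)):
    """Day-granular bounds, like `date +%Y%m%d ...` followed by a literal 000000Z."""
    changed_before = (now - lookback).strftime("%Y%m%d") + "000000Z"
    expires_before = (now + horizon).strftime("%Y%m%d") + "000000Z"
    return changed_before, expires_before


def expiry_filter(now, **kw):
    """The filter from the thread: active accounts whose password was changed at
    least `lookback` ago and expires within `horizon`."""
    changed_before, expires_before = day_bounds(now, **kw)
    return ("(&(!(nsAccountLock=TRUE))"
            f"(krbLastPwdChange<={changed_before})"
            f"(krbPasswordExpiration<={expires_before}))")


def matches(entry, now, **kw):
    """Evaluate the same predicate locally on one entry (dict of attribute -> value)."""
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        return False
    changed_before, expires_before = day_bounds(now, **kw)
    last_change = entry.get("krbLastPwdChange")
    expiration = entry.get("krbPasswordExpiration")
    if last_change is None or expiration is None:
        return False  # an absent attribute never satisfies an LDAP <= assertion
    # Fixed-width UTC GeneralizedTime strings sort lexicographically in time
    # order, so a plain string comparison mirrors the server's ordering match.
    return last_change <= changed_before and expiration <= expires_before


def reminders(entries, now, **kw):
    """Return (uid, days_until_expiry) for every entry to remind, soonest first.
    A negative day count means the password has already expired."""
    due = []
    for entry in entries:
        if matches(entry, now, **kw):
            days = (parse_generalized_time(entry["krbPasswordExpiration"]) - now).days
            due.append((entry["uid"], days))
    return sorted(due, key=lambda pair: pair[1])


def ldapsearch_argv(base_dn, now, **kw):
    """Command line for the periodic job: GSSAPI bind (ticket obtained from the
    service keytab, e.g. refreshed by gss-proxy), never an anonymous bind."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", base_dn,
            expiry_filter(now, **kw), "uid", "mail", "krbPasswordExpiration"]


# Constructed sample entries (not real users); the reference time is the date
# of the mail above.
NOW = datetime(2016, 6, 8, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "alice", "nsAccountLock": "FALSE",
     "krbLastPwdChange": "20160501120000Z", "krbPasswordExpiration": "20160612120000Z"},
    {"uid": "bob",  # changed the password three days ago: skipped by the lookback clause
     "krbLastPwdChange": "20160605090000Z", "krbPasswordExpiration": "20160614090000Z"},
    {"uid": "carol", "nsAccountLock": "TRUE",  # disabled account: no reminder
     "krbLastPwdChange": "20160401000000Z", "krbPasswordExpiration": "20160610000000Z"},
    {"uid": "dave",  # expires well past the one-week horizon
     "krbLastPwdChange": "20160301000000Z", "krbPasswordExpiration": "20160801000000Z"},
    {"uid": "erin",  # already expired a week ago: still worth a reminder
     "krbLastPwdChange": "20151201000000Z", "krbPasswordExpiration": "20160601120000Z"},
]

if __name__ == "__main__":
    # Assumed base DN; replace with the users container of the real IPA domain.
    print(" ".join(ldapsearch_argv("cn=users,cn=accounts,dc=example,dc=test", NOW)))
    for uid, days in reminders(SAMPLE_ENTRIES, NOW):
        print(f"{uid}: password expires in {days} day(s)")
```

The local `matches` function is there to make the filter's semantics visible without a directory: the `krbLastPwdChange` clause is what keeps users who just changed their password out of the reminder run, and the string comparison works only because the stored values are fixed-width UTC timestamps. The real job would run `ldapsearch_argv` under the service's Kerberos credentials and feed the matching entries to whatever sends the mail.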