[Fedora-directory-users] Detecting password changes in fds

[Bliss, Aaron]

Hi everyone, I thought that others may find this useful; we have
migrated away from local accounts to fds, but needed a way to detect
password changes to user objects in fds; there are 2 scripts involved
with this; the first will generate a list of uids and their password
expiration times ; the second script (a perl script) will use epoch time
to determine if a given users password expiration time is 90 days from
today; the scripts assume that there is an fds password policy set that
will force user object passwords to expire 90 days after being set.  I'm
sure that others will be able to make these scripts more efficient, but
they do get the job done....Enjoy.

Aaron

#!/bin/bash

#this script is designed to detect user for password changes
#located in the ldap directory
#this script assumes your password policy is set so that user object's
#will have a passwordExpiration time of 90 days after settting their
passwords

#generate a list of dn's
ldapsearch -b ou=Users,dc=preferredcare,dc=org -x -ZZ uid | grep '^uid'
| awk ' {print $2}' | sort > /tmp/listdns

#lets process our logs
exec < /tmp/listdns
while read line
do
pswar=`ldapsearch -x -ZZ "(uid=$line)" passwordexpirationtime | grep
passwordexpirationtime | grep -v '#' | awk '{print $2}' | cut -c 1-8`

#setup some vars for the check
pwmonth=`echo $pswar | cut -c 5-6`
pwday=`echo $pswar | cut -c 7-8`
pwyear=`echo $pswar | cut -c 1-4`
pwuser=`echo $line | awk '{ print $1}'`

if [ -e /tmp/$pwuser.out ] ; then
  rm -f /tmp/$pwuser.out
fi
#perl script expects input year month day
/myepoch.pl $pwyear $pwmonth $pwday $pwuser
#  echo $line | awk '{ print $1}'
#this is going to get our expiration dates for us
#check to see if the temp file was created
if [ -e /tmp/$pwuser.out ] ; then
  echo "$pwuser password was chagned"
fi
Done

#! /usr/bin/perl
use strict;
use warnings;
use Time::Local;

#epoch secs for 2 weeks equal 1209600
#setup vars that were passed in year, month, day in that order
my $varpass0 = $ARGV[0];
my $varpass1 = $ARGV[1];
my $varpass2 = $ARGV[2];
my $varpass3 = $ARGV[3];

#timelocal doesn't work for dates past the year 2038
if ($varpass0 >= 2038) {
   exit 0;
   }

#get todays date and format it properly
#beaware localtime is going to format year-1900 and month-1
my ($mday,$mmonth,$myear) = (localtime(time)) [3,4,5];
my $epdate = timelocal (0,0,0,$mday,$mmonth,$myear);

#get epoch date for when password will expire
#we have to format what was passed to us to make it usable by timelocal
my $varpass00 = $varpass0 - 1900;
my $varpass11 = $varpass1 - 1;
my $passexp = timelocal (0,0,0,$varpass2,$varpass11,$varpass00);

#subtract password expiration from today and see what we get
my $passans = ($passexp - $epdate) / 86400;

#lets see where we stand
#and send a warning to the end users if necessary
my $passans1 = int($passans);

#set this to be 1 less than your password expiration policy
if ($passans > 89) {
        open(NEW, "> /tmp/$varpass3.out");
        print NEW "$passans1\n";
        close NEW;
}

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.  If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.  If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20070213/c60cec50/attachment.html>