linux_wiki:freeipa_report_password_expiry [2018/06/02 23:03] billdozor created |
linux_wiki:freeipa_report_password_expiry [2019/05/25 23:50] |
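--- a/linux_wiki:freeipa_report_password_expiry
+++ b/linux_wiki:freeipa_report_password_expiry
@@ -1,391 +1,0 @@
-====== Freeipa Report Password Expiry ======
-
-**General Information**
-
-Intended to be run daily via cron, this script will:
-* Check all user accounts for an upcoming password expiration
-* Auto disable accounts that have been expired for a certain amount of time
-* Notify users about auto disabled account or upcoming password expiration
-* Create a summary report and e-mail to the admins
-
-**Checklist**
-* Distro(s):
-* Other: [[http://
-
-----
-
-====== The Script ======
-
-Run this script **daily via cron** on your FreeIPA server.
-<code bash cron_report-password-expiry.sh>
-#!/bin/bash
-# Name: cron_report-password-expiry.sh
-# Description:
-# -Check all user accounts for an upcoming password expiration
-# -Auto disable accounts that have been expired for a certain amount of time
-# -Notify users about auto disabled account or upcoming password expiration
-# -Create a summary report and e-mail to the admins
-# Last Updated: 2018-05-31
-# Recent Changes:
-###############################################################################################
-
-#
-##### Customize These Variables #####
-#
-
-# Admin credentials:
-admin_user="
-admin_pass='
-
-# Email password expiry summary report to
-email_to="
-
-# FreeIPA self service portal URL (included in user reminder email)
-self_service_portal="
-
-# Auto disable user account when password expired for many days?
-auto_disable_days=-4
-
-# Warn about passwords expiring in how many days or less?
-password_expiry_warn_days=14
-
-# Users are sent password expiration reminder emails on these days left until expiry
-remind_on_days=(14 7 3 1 0)
-
-# Temp files for building e-mail messages
-password_report_email="/
-password_report_disabled_users="/
-password_expiry_email="/
-
-#
-##### End of Customize Variables #####
-#
-
-#
-#### Functions Here: Main Starts After ####
-#
-
-# Create the initial summary report layout/
-function create_report_header() {
-
-# Clear out email temp file contents
-cat /dev/null > ${password_report_email}
-cat /dev/null > ${password_report_disabled_users}
-
-# Overwrite temp file contents
-echo -e "---- FreeIPA User Expiration Report ----" > ${password_report_email}
-echo -e "
-echo -e "
-echo -e "Users are sent password expiration warning emails on days: ${remind_on_days[@]}"
-
-# Setup report header
-echo -e "
-echo -e "
-echo -e "
-
-}
-
-# Add usernames and days left until expiration to the report
-function add_to_report() {
-
-# Set variables passed to the function
-username=${1}
-expires_in_days=${2}
-expires_in_secs=${3}
-expires_on_epoch=${4}
-
-# Determine the friendly looking expiration date
-userpw_expiry_date_long=$(date --date="
-
-# Determine day_format (Day vs Days)
-if [[ ${expires_in_days} -eq 1 || ${expires_in_days} -eq -1 ]]; then
-day_format="
-else
-day_format="
-fi
-
-# Determine if expiring in the future or if already expired
-if [[ ${expires_in_days} -le 0 ]]; then
-if [[ ${expires_in_secs} -le 0 ]]; then
-# expired now
-dialog_expires="
-else
-# expiring less than a day
-dialog_expires="
-fi
-else
-# expiring on a future day
-dialog_expires="
-fi
-
-# Status message
-echo "
-
-## Add user account and expiration line to report file
-if [[ $(echo ${username} | wc --max-line-length) -lt 8 ]]; then
-# If less than 8 character username, use two tabs
-echo -e "
-else
-# If 8 or more characters, use one tab
-echo -e "
-fi
-
-}
-
-# Add usernames that have been disabled to a disabled list
-function add_to_disabled_list() {
-
-# Set variables passed to the function
-username=${1}
-
-# Status message
-echo "
-
-## Add user account and expiration line to report file
-echo -e "
-
-}
-
-# Add usernames that have been disabled to the end of the email report
-function add_disabled_list_to_report() {
-
-# Setup disabled users header
-echo -e "
-echo -e "Users that have been automatically disabled"
-echo -e "
-
-# Add Disabled Users to end of report
-if [[ -s ${password_report_disabled_users} ]]; then
-# If file size is greater than 0, add content to report
-cat ${password_report_disabled_users} >> ${password_report_email}
-else
-# If file size is 0, give a status message
-echo "No users auto disabled during this script run." >> ${password_report_email}
-fi
-
-}
-
-# Email user to notify them that their account was auto disabled
-function notify_disabled_user(){
-
-# Set username from passed variable
-username=${1}
-
-# Status message
-echo "
-
-# Gather email address, first name for the email
-name_email="
-first_name="
-user_email_address="
-
-# Email user notification that their account has been disabled
-echo -e "
-
-}
-
-# Email user a reminder of their upcoming password expiration
-function email_user_reminder() {
-
-# Set variables passed to the function
-username=${1}
-expires_in_days=${2}
-expires_in_secs=${3}
-expires_on_epoch=${4}
-
-# Determine day_format (Day vs Days)
-if [[ ${expires_in_days} -eq 1 ]]; then
-day_format="
-else
-day_format="
-fi
-
-# Determine if expiring in the future or if already expired
-if [[ ${expires_in_days} -le 0 ]]; then
-if [[ ${expires_in_secs} -le 0 ]]; then
-# expired now
-dialog_expires_subject="
-dialog_expires_body="
-else
-# expiring in less than a day
-dialog_expires_subject="
-dialog_expires_body="
-fi
-else
-# expiring on a future day
-dialog_expires_subject="
-dialog_expires_body="
-fi
-
-# Gather email address, first name, and friendly date for the email
-name_email="
-first_name="
-user_email_address="
-userpw_expiry_date_long=$(date --date="
-
-## Create email message file to send user
-echo "
-
-echo -e "
-
-echo -e "
-
-echo -e "
-
-echo -e "
-
-echo -e "\n== Change Password: CLI Method ==" >> ${password_expiry_email}
-
-echo -e "
-echo "--You will be prompted for your current password and then new password twice."
-echo "
-
-echo -e "\n== Change Password: Web Portal Method ==" >> ${password_expiry_email}
-
-echo -e "
-
-echo -e "
-echo "
-echo "
-echo "
-echo "
-echo "
-
-echo -e "
-
-echo -e "
-echo "
-echo "
-echo "
-echo "
-echo "
-echo "
-
-echo -e "\nIf you have any questions, please contact your System Administrators."
-
-echo -e "
-echo "
-
-# Status message
-echo "
-
-## E-mail the password expiry warning to the user
-/
-
-# Allow some time for the message to exit the queue
-sleep 5
-
-# Clear out email contents
-cat /dev/null > ${password_expiry_email}
-
-}
-
-#
-#### End of Functions ####
-#
-
-#
-#### Main Starts Here ####
-#
-
-# Initialize a kerberos ticket as admin and wait a short time
-echo ${admin_pass} | /
-sleep 3
-
-# Build a list of enabled accounts
-#- Find all users | grep logins and disabled status lines
-#- If the current line matches "
-#- next, store the current line's field 3 in the variable username (username=$3)
-user_list=$(/
-
-# Get today'
-todays_epoch=$(date +%s)
-
-# Create the system admin report header
-create_report_header
-
-#### Main Loop ####
-for user in ${user_list};
-
-echo "
-
-# Get user's password expiration and cut off the zulu time designator trailing at the end('
-userpw_expiry_datetime=$(/
-
-# If the user account does not have a password expiration value, skip the user
-if [[ -z ${userpw_expiry_datetime} ]]; then
-continue
-fi
-
-# Split up the year,
-userpw_expiry_date_year="
-userpw_expiry_date_month="
-userpw_expiry_date_day="
-userpw_expiry_time_hour="
-userpw_expiry_time_min="
-userpw_expiry_time_sec="
-
-# Caculate the user's expiry date in epoch time
-userpw_expiry_epoch=$(date --utc --date="
-
-# Calculate how many seconds and days until password expiration
-password_expires_seconds=$(expr ${userpw_expiry_epoch} - ${todays_epoch})
-password_expires_days=$(expr ${password_expires_seconds} / 86400)
-
-# If the password expires in '
-# -Disable user if the password has been expired <= to the auto_disable_days
-# -Check to see if we should email the user on the remind_on_days
-# -Add user to the system admin report
-if [[ ${password_expires_days} -le ${password_expiry_warn_days} ]]; then
-
-# if password has been expired for '
-if [[ ${password_expires_days} -le ${auto_disable_days} ]]; then
-echo "
-/
-
-# Add disabled account to a list for inclusion at the footer of the system admin report
-add_to_disabled_list ${user}
-
-# Email the user and notify them that their account was auto disabled
-notify_disabled_user ${user}
-else
-# Not auto disabling user, add the user to the system admin report
-add_to_report ${user} ${password_expires_days} ${password_expires_seconds} ${userpw_expiry_epoch}
-
-# Check to see if the user should be reminded of their upcoming passowrd expiry
-# Loop through array of days to send the email reminder on
-for reminder_day in "
-
-# If days left before user's password expires matches a reminder day, send an email to the user
-if [[ ${password_expires_days} -eq ${reminder_day} ]]; then
-email_user_reminder ${user} ${password_expires_days} ${password_expires_seconds} ${userpw_expiry_epoch}
-break
-fi
-done
-fi
-
-fi
-done
-#### End Main Loop ####
-
-# Add disabled users list to the end of email report
-add_disabled_list_to_report
-
-# Status message
-echo ">>
-
-# Use the date-time from the beginning of the script
-todays_date_long=$(date --date="
-
-# Email Report
-/
-
-# Wait a bit for the message queue to get sent
-sleep 5
-
-# Clear out email temp file contents
-cat /dev/null > ${password_report_email}
-cat /dev/null > ${password_report_disabled_users}
-</
-
-----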