[[linux_wiki:freeipa_report_users_disabled]]

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

linux_wiki:freeipa_report_users_disabled [2018/06/03 03:32]
billdozor created
linux_wiki:freeipa_report_users_disabled [2019/05/26 03:50]
Line 1: Line 1:
-====== FreeIPA Report Users Disabled ====== 
- 
-**General Information** 
- 
-Run this script periodically via cron in order to report on disabled user accounts and how long their password has been expired. ​ 
- 
-**Checklist** 
-  * Distro(s): Enterprise Linux 6/7 
-  * Other: [[http://​www.unixmen.com/​configure-freeipa-server-centos-7/​|FreeIPA Server Installed]] (script runs there) 
- 
----- 
- 
-====== The Script ====== 
- 
-<code bash report-users-disabled.sh>​ 
-#!/bin/bash 
-# Name: report-users-disabled.sh 
-# Description:​ Report what users are disabled and how long a password is expired 
-# Last Updated: 2018-04-10 
-# Recent Changes:​-Initial release 
-###############################################################################################​ 
- 
-#​==================================== 
-##### Customize These Variables ##### 
-#​==================================== 
- 
-# admin credentials 
-admin_user="​admin"​ 
-admin_pass='​adminpwhere'​ 
- 
-# email report to system admins 
-system_admins_email="​systemadmins@yourdomain.org"​ 
- 
-# Temp files for e-mail message 
-report_email="/​root/​ldap-scripts/​tmp/​report-users-disabled_email"​ 
-report_users_over_limit="/​root/​ldap-scripts/​tmp/​report-users-disabled_overlimit"​ 
- 
-# Expired Since Days Limit 
-expired_since_limit=-90 
- 
-#​===================================== 
-##### End of Customize Variables ##### 
-#​===================================== 
- 
-#​========================================== 
-#### Functions Here: Main Starts After #### 
-#​========================================== 
- 
-# Create the initial report layout/​header 
-function create_report_header() { 
- 
-# Clear out email temp file contents 
-cat /dev/null > ${report_email} 
-cat /dev/null > ${report_users_over_limit} 
- 
-# Setup report header 
-echo -e "---- FreeIPA Users Disabled Report ----" > ${report_email} 
-echo -e "​\nAccounts that are currently disabled and when their password expired."​ >> ${report_email} 
- 
-echo -e "​\n-----------------------------------------------------------------"​ >> ${report_email} 
-echo -e "​Disabled Accounts pw expired <= ${expired_since_limit} days ago" >> ${report_email} 
-echo -e "​-----------------------------------------------------------------"​ >> ${report_email} 
- 
-} 
- 
-# Add disabled usernames and days since expiration to the report 
-function add_to_report() { 
- 
-# Determine report type (top or bottom) 
-if [[ ${1} == "​report_top"​ ]]; then 
-  report_type=${report_email} 
-elif [[ ${1} == "​report_bottom"​ ]]; then 
-  report_type=${report_users_over_limit} 
-else 
-  echo -e ">>​ ERROR! No report type determined. Assuming top of report."​ 
-  report_type=${report_email} 
-fi 
- 
-# Set variables passed to the function 
-username=${2} 
-expires_in_days=${3} 
-expires_on_epoch=${4} 
- 
-# Determine the friendly looking expiration date 
-userpw_expiry_date_long=$(date --date="​@${expires_on_epoch}"​) 
- 
-# Create expired dialog for report 
-dialog_expires="​${expires_in_days} days (${userpw_expiry_date_long})"​ 
- 
-# Status message 
-echo "​--Adding ${username} to password report."​ 
- 
-## Add user account and expiration line to report file 
-if [[ $(echo ${username} | wc --max-line-length) -lt 8 ]]; then 
-  # If less than 8 character username, use two tabs 
-  echo -e "​${username}\t\t${dialog_expires}"​ >> ${report_type} 
-else 
-  # If 8 or more characters, use one tab 
-  echo -e "​${username}\t${dialog_expires}"​ >> ${report_type} 
-fi 
- 
-} 
- 
-# Add disabled usernames that have been expired > ${expired_since_limit} 
-function add_to_expired_over_list() { 
- 
-# Set variables passed to the function 
-username=${1} 
-expires_in_days=${2} 
-expires_on_epoch=${3} 
- 
-# Determine the friendly looking expiration date 
-userpw_expiry_date_long=$(date --date="​@${expires_on_epoch}"​) 
- 
-# Status message 
-echo "​--Adding ${username} to expired over limit report."​ 
- 
-# Create expired dialog for report 
-dialog_expires="​${expires_in_days} days (${userpw_expiry_date_long})"​ 
- 
-## Add user account and expiration line to report file 
-if [[ $(echo ${username} | wc --max-line-length) -lt 8 ]]; then 
-  # If less than 8 character username, use two tabs 
-  echo -e "​${username}\t\t${dialog_expires}"​ >> ${report_users_over_limit} 
-else 
-  # If 8 or more characters, use one tab 
-  echo -e "​${username}\t${dialog_expires}"​ >> ${report_users_over_limit} 
-fi 
- 
-} 
- 
-# Add usernames that have been disabled > limit to the end of the email report 
-function add_over_limit_list_to_report() { 
- 
-# Setup disabled users > expiry limit header 
-echo -e "​\n\n----------------------------------------------------------------"​ >> ${report_email} 
-echo -e "​Disabled Accounts pw expired > ${expired_since_limit} days ago" >> ${report_email} 
-echo -e "​----------------------------------------------------------------"​ >> ${report_email} 
- 
-# Add Disabled Users expired > ${expired_since_limit} to end of report 
-if [[ -s ${report_users_over_limit} ]]; then 
-  # If file size is greater than 0, add content to report 
-  cat ${report_users_over_limit} >> ${report_email} 
-else 
-  # If file size is 0, give a status message 
-  echo "No user accounts expired > ${expired_since_limit} days ago." >> ${report_email} 
-fi 
- 
-} 
- 
-#​========================= 
-#### End of Functions #### 
-#​========================= 
- 
-#​========================= 
-#### Main Starts Here #### 
-#​========================= 
- 
-# Initialize a kerberos ticket as admin and wait a short time 
-echo ">>​ Initializing kerberos ticket, please wait..."​ 
-echo ${admin_pass} | /​usr/​bin/​kinit ${admin_user} 
-sleep 3 
- 
-# Build a list of disabled accounts 
-#- Find all users | grep logins and disabled status lines | 
-#- If the current line matches "​True"​ (/True/), print the stored username (print username), 
-#- next, store the current line's field 3 in the variable username (username=$3) 
-user_list=$(/​usr/​bin/​ipa user-find --sizelimit=0 --all | grep -E "(User login|Account disabled)"​ | awk '/​True/​ { print username }; { username=$3 }') 
- 
-# Get today'​s epoch time (seconds since Jan 1st, 1970, midnight UTC) 
-todays_epoch=$(date +%s) 
- 
-# Create the report header 
-create_report_header 
- 
-#### Main Loop #### 
-for user in ${user_list};​ do 
- 
-  echo "​Checking expiry for ${user}..."​ 
- 
-  # Get user's password expiration and cut off the zulu time designator trailing at the end('​Z'​) 
-  userpw_expiry_datetime=$(/​usr/​bin/​ipa user-show ${user} --all | grep krbpasswordexpiration | awk '​{print $2}' | cut -c 1-14) 
- 
-  # If the user account does not have a password expiration value, skip the user 
-  if [[ -z ${userpw_expiry_datetime} ]]; then 
-    # Skip to next user in user_list 
-    continue 
-  fi 
- 
-  # Split up the year,​month,​day,​hour,​min,​ and sec from the datetime string 
-  userpw_expiry_date_year="​$(echo ${userpw_expiry_datetime} | cut -c 1-4)" 
-  userpw_expiry_date_month="​$(echo ${userpw_expiry_datetime} | cut -c 5-6)" 
-  userpw_expiry_date_day="​$(echo ${userpw_expiry_datetime} | cut -c 7-8)" 
-  userpw_expiry_time_hour="​$(echo ${userpw_expiry_datetime} | cut -c 9-10)" 
-  userpw_expiry_time_min="​$(echo ${userpw_expiry_datetime} | cut -c 11-12)"​ 
-  userpw_expiry_time_sec="​$(echo ${userpw_expiry_datetime} | cut -c 13-14)"​ 
- 
-  # Caculate the user's expiry date in epoch time 
-  userpw_expiry_epoch=$(date --utc --date="​${userpw_expiry_date_year}-${userpw_expiry_date_month}-${userpw_expiry_date_day} ${userpw_expiry_time_hour}:​${userpw_expiry_time_min}:​${userpw_expiry_time_sec}"​ +%s) 
- 
-  # Calculate how many seconds and days until password expiration 
-  password_expires_seconds=$(expr ${userpw_expiry_epoch} - ${todays_epoch}) 
-  password_expires_days=$(expr ${password_expires_seconds} / 86400) 
- 
- 
-  # if password has been expired for >= expired_since_limit,​ add to special list 
-  if [[ ${password_expires_days} -le ${expired_since_limit} ]]; then 
-    echo "-> User account has been expired for >= ${expired_since_limit} days: ${user} (${password_expires_days})"​ 
-    #​add_to_expired_over_list ${user} ${password_expires_days} ${userpw_expiry_epoch} 
-    add_to_report "​report_bottom"​ ${user} ${password_expires_days} ${userpw_expiry_epoch} 
-  else 
-    # Otherwise, add the expired user to the main section of the report 
-    echo "-> User account has been expired for < ${expired_since_limit} days: ${user} (${password_expires_days})"​ 
-    #​add_to_report ${user} ${password_expires_days} ${userpw_expiry_epoch} 
-    add_to_report "​report_top"​ ${user} ${password_expires_days} ${userpw_expiry_epoch} 
-  fi 
- 
-done 
-#### End Main Loop #### 
- 
-# Add disabled users that expired longer ago to the end of email report 
-add_over_limit_list_to_report 
- 
-# Status message 
-echo ">>​Emailing report to ${system_admins_email}..."​ 
- 
-# Use the date-time from the beginning of the script 
-todays_date_long=$(date --date="​@${todays_epoch}"​) 
- 
-# Email Report 
-/​usr/​bin/​mail -s "​FreeIPA Users Disabled Report - ${todays_date_long}"​ ${system_admins_email} < ${report_email} 
- 
-# Clear out email temp file contents 
-cat /dev/null > ${report_email} 
-cat /dev/null > ${report_users_over_limit} 
-</​code>​ 
- 
----- 
  
  • linux_wiki/freeipa_report_users_disabled.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)