[[linux_wiki:freeipa_user_password_reset]]

FreeIPA User Password Reset

General Information

Script that sets an IPA account to a random string and e-mails it to the user with instructions for setting a new password.

Checklist


The Script

Run this script from your FreeIPA server

user-password-reset.sh
#!/bin/bash
# Name: user-password-reset.sh
# Description: Reset a user's password to something random and e-mail them.
# Last Updated: 2016-11-02
# Recent Changes:-Added ipa user-unlock to reset steps
#                -Added argument support for help and username passing
###############################################################################################
 
##### Customize These Variables #####
# admin credentials
admin_user="admin"
 
# system admins email
system_admins_email="sysadmins@example.com"
 
# self-service portal URL
self_service_portal="https://ipaserver.example.com/ipa/ui/"
 
# Temp file for e-mail message
pass_reset_email="/root/ldap-scripts/tmp/user-password-reset_email"
##### End of Customize Variables #####
 
#=====================================
# Functions; Main starts after
#=====================================
function show_usage
{
  echo -e "\n==== IPA: User Password Reset ===="
  echo -e "\nDescripton: Reset a user's password to something random, enable the account and e-mail them."
  echo -e "\n--Usage--"
  echo -e "./user-password-reset.sh [OPTIONS]"
  echo -e "\n-OPTIONS-"
  echo -e "-h                    => Display usage."
  echo -e "-u username           => Username to reset."
  echo -e "\n--Other Requirements--"
  echo -e "-> FreeIPA admin access."
  echo -e
}
 
#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1
 
while getopts "hu:" opt; do
  case "${opt}" in
    h) # -h (help) argument
      show_usage
      exit 0
    ;;
    u) # -u (username) argument
      username="${OPTARG}"
    ;;
    *) # invalid argument
      show_usage
      exit 0
    ;;
  esac
done
 
#==================
# Main Starts Here
#==================
 
# Pre-check - see if we have a kerberos ticket, if not, prompt login
/usr/bin/klist -s
if [[ $? -ne 0 ]]; then
  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
  /usr/bin/kinit ${admin_user}
  echo
fi
 
echo -e "======================================================"
echo -e "####============ IPA: Password Reset =============####"
echo -e "======================================================"
echo
echo -e "This script will set a user's password to something random and e-mail it to them.\n"
 
## If no username argument password, prompt for username
if [[ -z "${username}" ]]; then
  echo -en "=>Username: "
  read username
  echo
fi
 
## Show user info and prompt to reset
/usr/bin/ipa user-show ${username}
echo -e "\n=>Generate a new random password for ${username}?[y/n]:\c"
read reset_password
 
if [[ ${reset_password} != "y" ]]; then
  echo -e "\n>>Will not reset password for ${username}. Exiting..."
  exit 1
fi
 
## Ensure account is enabled
echo -e "\n>>Ensuring account is enabled..."
/usr/bin/ipa user-enable ${username}
 
## Ensure account is unlocked
echo -e "\n>>Ensuring account is unlocked..."
/usr/bin/ipa user-unlock ${username}
 
## Generate a random password, get user's e-mail address and first name
echo -e "\n>>Setting a random password for ${username}..."
random_password="$(/usr/bin/ipa user-mod ${username} --random | grep "Random password" | awk '{print $3}')"
 
## Gather first name and email address
name_email="$(/usr/bin/ipa user-show ${username} | grep -E "(First name|Email address)" | awk '{print $3}')"
first_name="$(echo $name_email | awk '{print $1}')"
email_address="$(echo $name_email | awk '{print $2}')"
 
## Create password reset e-mail file to send user
echo "${first_name}," > ${pass_reset_email}
echo -e "\nHere is your new temporary password for your Linux account (${username}): \n" >> ${pass_reset_email}
echo ${random_password} >> ${pass_reset_email}
 
echo -e "\nLogin with the above temporary password to one of the systems that you have access to." >> ${pass_reset_email}
 
echo -e "\nAlternatively, login to the self-service portal: ${self_service_portal}" >> ${pass_reset_email}
 
echo -e "\nAfter you login with the above temporary password, you will be prompted to change it." >> ${pass_reset_email}
 
echo -e "\nYour new password requirements are:" >> ${pass_reset_email}
echo ">At least 12 characters in length" >> ${pass_reset_email}
echo ">At least 3 types of characters from the following categories:" >> ${pass_reset_email}
echo "--Upper case letters" >> ${pass_reset_email}
echo "--Lower case letters" >> ${pass_reset_email}
echo "--Numbers" >> ${pass_reset_email}
echo "--Special Characters" >> ${pass_reset_email}
 
echo -e "\nIf you have any questions, please contact your System Administrators." >> ${pass_reset_email}
echo -e "\n----\nSystem Administrators" >> ${pass_reset_email}
echo "${system_admins_email}" >> ${pass_reset_email}
 
## E-mail User the random password with login instructions
echo -e "\n>>E-mailing ${email_address} the contents of (${pass_reset_email})..."
/usr/bin/mail -s "Linux Password Reset" -r ${system_admins_email} ${email_address} < ${pass_reset_email}
 
echo -e "\n>>Clearing out contents of temporary file (${pass_reset_email})..."
cat /dev/null > ${pass_reset_email}
 
echo -e "\n==========================================================="
echo -e "####========== User Password Reset Complete ===========####"
echo -e "==========================================================="

  • linux_wiki/freeipa_user_password_reset.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)