
I have authentication for Linux, Macs and Windows hanging off of an Apple OS X Server via open directory. I want to expire passwords for my users every 180 days, which is set up and works fine. The trouble is that non-Mac clients, especially Linux users, have no indication that their password is about to expire until they come in one day and their password just fails to work without any enlightening error message.

So I'd like to script the machine such that users get a warning via email a couple days in advance of their password expiring, and then another the day of the expiration. However, the OD LDAP database doesn't appear to have the information stored in it, nor does the output of mkpassdb -dump. Does anyone know how to get that information out of OD in a scriptable way, or otherwise warn Linux users of their passwords' imminent expiration?

palmer

1 Answer


We had the exact same problem. I ended up writing a perl script to send the password warning.

Essentially you need to use /usr/bin/pwpolicy -getglobalpolicy and compare the maxMinutesUntilChangePassword line against /usr/sbin/mkpassdb -dump <user slot> and the Last password change line. You can get a user's slot from the third field in the authAuthority attribute in LDAP.

Then some simple calculation to compare the last password change time against the maximum age, and send an email to the user if the password is near expiry.

Edit: On Tiger, mkpassdb does not accept a user slot as an argument. Instead, you can look up the password change time in the Kerberos database using kadmin.local -q 'getprinc user@DOMAIN.COM'. You can also retrieve the exact name of the user principal from LDAP.

Kamil Kisiel
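The steps in this answer (global policy, slot from authAuthority, the "Last password change" line from either mkpassdb or kadmin.local, then the date arithmetic and the warning mail) tied together as an added example; this is not Kamil's Perl script. It runs offline against constructed sample output: the pwpolicy key names are real, but the exact mkpassdb dump layout, the authAuthority value, the slot ID, the mail domain and the "today" date are assumptions, and the script composes the mail without sending it.

```python
"""Open Directory password-expiry warning (added example, constructed samples)."""
import re
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sample of `pwpolicy -getglobalpolicy` output (key=value pairs).
SAMPLE_GLOBAL_POLICY = (
    "usingHistory=0 usingExpirationDate=0 usingHardExpirationDate=0 "
    "maxMinutesUntilChangePassword=259200 maxMinutesUntilDisabled=0 "
    "maxFailedLoginAttempts=0 minChars=0 maxChars=0"
)
# Constructed LDAP authAuthority value; the third ';' field begins with the slot ID.
SAMPLE_AUTH_AUTHORITY = (
    ";ApplePasswordServer;0x4a7b2c3d1e5f60718293a4b5c6d7e8f9,"
    "1024 35 1234567890 root@10.0.0.5:3659"
)
# Constructed `mkpassdb -dump <slot>` excerpt (assumed line layout).
SAMPLE_MKPASSDB = (
    "slot 0x4a7b2c3d1e5f60718293a4b5c6d7e8f9\n"
    "  Last password change: Thu Aug  6 12:00:00 2009\n"
    "  Last login: Mon Jan 25 09:15:02 2010\n"
)
# Constructed `kadmin.local -q 'getprinc jdoe@EXAMPLE.COM'` excerpt in the
# MIT Kerberos layout; note the time-zone token the parser has to skip.
SAMPLE_KADMIN = (
    "Principal: jdoe@EXAMPLE.COM\n"
    "Expiration date: [never]\n"
    "Last password change: Thu Aug 06 12:00:00 PDT 2009\n"
    "Password expiration date: [none]\n"
)
SAMPLE_NOW = datetime(2010, 1, 31, 12, 0, 0)   # constructed "today"

_DATE_RE = re.compile(
    r"Last password change:\s*"
    r"(\w{3}) (\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (?:[A-Z]{3,4} )?(\d{4})"
)


def max_password_minutes(policy_text):
    """maxMinutesUntilChangePassword from pwpolicy output (0 means no expiry)."""
    m = re.search(r"maxMinutesUntilChangePassword=(\d+)", policy_text)
    return int(m.group(1)) if m else 0


def slot_from_auth_authority(auth_authority):
    """Password-server slot ID: third ';' field, up to the first comma."""
    fields = auth_authority.split(";")
    if len(fields) < 3 or fields[1] != "ApplePasswordServer":
        raise ValueError("not an ApplePasswordServer authAuthority")
    return fields[2].split(",")[0]


def last_password_change(dump_text):
    """Parse the 'Last password change' stamp from mkpassdb or kadmin output.

    Both print a ctime-style date; kadmin's zone token is dropped because
    strptime's %Z does not accept arbitrary zone names.
    """
    m = _DATE_RE.search(dump_text)
    if not m:
        raise ValueError("no 'Last password change' line found")
    wday, mon, day, clock, year = m.groups()
    return datetime.strptime(f"{wday} {mon} {day} {clock} {year}",
                             "%a %b %d %H:%M:%S %Y")


def days_until_expiry(last_change, max_minutes, now):
    """Floor of the days left before expiry; None when passwords never expire."""
    if max_minutes <= 0:
        return None
    return (last_change + timedelta(minutes=max_minutes) - now).days


def warning_due(days_left, warn_days=(2, 0)):
    """Warn a couple of days ahead, on the day itself, and once expired."""
    return days_left is not None and (days_left in warn_days or days_left < 0)


def build_warning(user, days_left, sender="root@example.com"):
    """Compose (but do not send) the warning mail; example.com is assumed."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"{user}@example.com"
    if days_left < 0:
        msg["Subject"] = "Your directory password has expired"
        msg.set_content("Your password has expired; contact the helpdesk.")
    else:
        msg["Subject"] = f"Your directory password expires in {days_left} day(s)"
        msg.set_content(f"Please run 'passwd' within {days_left} day(s).")
    return msg   # deliver with smtplib.SMTP("localhost").send_message(msg)


def check_user(user, auth_authority, policy_text, dump_text, now):
    """Return (slot, days_left, message_or_None) for one user."""
    slot = slot_from_auth_authority(auth_authority)
    days_left = days_until_expiry(last_password_change(dump_text),
                                  max_password_minutes(policy_text), now)
    msg = build_warning(user, days_left) if warning_due(days_left) else None
    return slot, days_left, msg


if __name__ == "__main__":
    for src, dump in (("mkpassdb", SAMPLE_MKPASSDB), ("kadmin", SAMPLE_KADMIN)):
        slot, days, msg = check_user("jdoe", SAMPLE_AUTH_AUTHORITY,
                                     SAMPLE_GLOBAL_POLICY, dump, SAMPLE_NOW)
        print(src, slot, days, msg["Subject"] if msg else "no warning")
```

On a real server the sample strings would be replaced by the output of the commands the answer names (pwpolicy, ldapsearch for authAuthority, and mkpassdb or kadmin.local as the OS version allows), run once a day from cron; the parsing and the comparison against maxMinutesUntilChangePassword stay the same for either source.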
  • Hmm, it appears the Last Password Change line is not available in Tiger Server, no? I should have specified that I'm stuck with Tiger. Is there any way around that? – palmer Aug 06 '09 at 20:25
  • Are you sure? I don't recall the output ever changing. It should be the second line of output. If mkpassdb won't show you, I don't know what else will; password server is what keeps track of these things. – Kamil Kisiel Aug 06 '09 at 21:11
  • Yeah, mkpassdb doesn't accept the user slot argument in my Tiger instance, and the only date it lists is the last user login. Argh. Perhaps I'm doomed. – palmer Aug 06 '09 at 21:28
  • Apparently you can also get it from the Kerberos database. Try kadmin.local -q "getprinc user@DOMAIN.COM". You can retrieve the user's principal name from LDAP as well. – Kamil Kisiel Aug 06 '09 at 22:10
  • Aha. The kadmin.local works on Tiger. Thank you! – palmer Aug 07 '09 at 12:44