Hello.

Earlier this year I tried to re-implement a "password expiration warning" email when using IPA 4.x. I hit a wall and ended up deciding to look at this later. Now is later :)

The plan is to use ldapsearch to check for krbLastPwdChange and compare it to krbPasswordExpiration, but these attributes seem to be hidden unless one is authenticating (through Kerberos?).

This is with RHEL 7 and IPA 4.2.0.

I have done:

# ipa service-add PWDREMIND/script.host.fqdn
# ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf:

[service/PWDREMIND]
  mechs = krb5
  cred_store = client_keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 0
  debug = true

In my "pwdcheck.sh" script I have the following:

#!/bin/bash
export GSS_USE_PROXY="yes"

HOST=ipa.host.fqdn
BASE=cn=users,cn=accounts,dc=example,dc=net
# GeneralizedTime bounds: last change at least a week ago, expiry within a week
CHANGED_BEFORE="$(date +%Y%m%d --date='-1 week')000000Z"
EXPIRES_BEFORE="$(date +%Y%m%d --date='+1 week')000000Z"

# -LLL drops comment/version lines; -o ldif-wrap=no keeps long values on one line so grep sees them
ldapsearch -z 500 -LLL -o ldif-wrap=no -Y GSSAPI -h "$HOST" -b "$BASE" \
    "(&(!(nsAccountLock=TRUE))(krbLastPwdChange<=${CHANGED_BEFORE})(krbPasswordExpiration<=${EXPIRES_BEFORE}))" uid \
    | grep '^uid:' | cut -d: -f2 | while read -r uid
do
    ldapsearch -z 500 -LLL -o ldif-wrap=no -Y GSSAPI -h "$HOST" -b "$BASE" "uid=${uid}" mail \
        | grep '^mail:' | cut -d: -f2 | while read -r mail
    do
        echo "password expires in less than a week: username=$uid mail=$mail"
    done
done

Checking the journalctl for gssproxy I get:

Dec 23 11:36:35 script.host.fqdn gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
Dec 23 11:36:35 script.host.fqdn gssproxy[26976]: gssproxy[26977]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found

Does anyone see where things are going wrong here or have some suggestions on what I should try?

Regards
Eivind Olsen
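
Added here as an illustrative example, not Eivind's script and not FreeIPA code: a small Python helper that parses `ldapsearch -LLL` LDIF output properly (folded lines, `attr::` base64 values that grep/cut would miss) and applies the account-lock and expiration-window conditions of the filter above on the client side. The attribute names are IPA's; the users, dates and addresses in the sample are constructed.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `ldapsearch -LLL` LDIF output: IPA attribute
# names, made-up users/dates; bob's mail is base64-encoded ("mail::") as ldapsearch does.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=net
uid: alice
mail: alice@example.net
krbPasswordExpiration: 20151228120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=net
uid: bob
mail:: Ym9iQGV4YW1wbGUubmV0
krbPasswordExpiration: 20160301000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=net
uid: carol
nsAccountLock: TRUE
mail: carol@example.net
krbPasswordExpiration: 20151224000000Z
"""

def parse_ldif(text):
    """List of {attr: [values]}; unfolds ' '-continued lines, decodes 'attr::' base64."""
    unfolded = text.replace("\n ", "")       # RFC 2849 line folding
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def users_to_warn(ldif_text, now, window=timedelta(days=7)):
    """(uid, mail, days_left) for unlocked users whose password expires within window."""
    warn = []
    for e in parse_ldif(ldif_text):
        if e.get("nsaccountlock", ["FALSE"])[0].upper() == "TRUE":
            continue                         # mirrors (!(nsAccountLock=TRUE)) in the filter
        for raw in e.get("krbpasswordexpiration", []):
            exp = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
            if now <= exp <= now + window:   # not yet expired, but within the window
                warn.append((e["uid"][0], e.get("mail", [""])[0], (exp - now).days))
    return warn
```

Feeding it real output would be `users_to_warn(subprocess.check_output([...ldapsearch -LLL...]).decode(), datetime.now(timezone.utc))`, with the same GSSAPI/gssproxy authentication question as above still to be solved first.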
