Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/noahbliss/freeipa-pen
Password Expiration Notifications for FreeIPA
- Host: GitHub
- URL: https://github.com/noahbliss/freeipa-pen
- Owner: noahbliss
- License: gpl-3.0
- Created: 2021-01-14T23:50:55.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2021-01-18T18:42:10.000Z (almost 4 years ago)
- Last Synced: 2024-08-01T10:17:46.451Z (5 months ago)
- Topics: freeipa, freeipa-server
- Language: Shell
- Homepage:
- Size: 34.2 KB
- Stars: 8
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome - noahbliss/freeipa-pen - Password Expiration Notifications for FreeIPA (others)
README
# freeipa-pen
## Password Expiration Notifications for FreeIPA
FreeIPA-PEN is a bash script designed to be installed on an IPA server and invoked by cron. It sends emails to users to alert of imminent password expiration. It can also email an admin user a report on soon-to-expire and already expired accounts.
`install.sh` copies `mailer.sh` and `mailer.conf` to `/etc/passexp/` and sets sane permissions.
Configuration before use is required and can be done in the `mailer.conf` file.
You will also need:
- a FreeIPA System (Service) Account - [FreeIPA-SAM](https://github.com/noahbliss/freeipa-sam) can help
- users in FreeIPA with valid "mail" values
- `mailx` installed
- a mail server that will accept and route notification messages (easiest way would probably be an internal open relay with only the FreeIPA server whitelisted)
### There are two functions which may be called as arguments:
## notify_users
```
./mailer.sh notify_users
```
Example cron entry (every day at 7:00 a.m.):
```
0 7 * * * /etc/passexp/mailer.sh notify_users
```
This function is designed to be run every day. It queries users in LDAP via a system account configured in `mailer.conf` and sends an email to the user's email address if it exists and the expiration of their password falls within the notification window.
## admin_report
```
./mailer.sh admin_report
```
Example cron entry (first of the month at 7:05 a.m.):
```
5 7 1 * * /etc/passexp/mailer.sh admin_report
```
This function is designed to be run at less regular intervals, like every week or month. It enumerates enabled accounts that do not have a valid mail value and lists them in a report for your administrator before they expire. It also includes a list of enabled but expired accounts for review.
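The selection logic that `notify_users` and `admin_report` describe, as an added example (not code from freeipa-pen): it classifies LDIF entries by FreeIPA's `krbPasswordExpiration` attribute. The 14-day window, the status and function names, the rule that a missing mail value is only flagged inside the window, and the sample entries are assumptions made for illustration.

```sh
# Added illustration, not code from freeipa-pen. Assumes GNU or BusyBox date
# and unwrapped ldapsearch-style LDIF on stdin.
WINDOW_DAYS=14   # hypothetical notification window, in days

# LDAP GeneralizedTime (YYYYmmddHHMMSSZ) -> epoch seconds, UTC.
gt_to_epoch() (
  iso=$(printf '%s\n' "$1" | sed -n \
    's/^\([0-9]\{4\}\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)\([0-9][0-9]\)Z$/\1-\2-\3 \4:\5:\6/p')
  [ -n "$iso" ] || exit 1          # reject anything that is not 14 digits + Z
  date -u -d "$iso" +%s
)

# Status for one account: notify | no-mail | expired | ok | bad-date
classify() (  # args: mail krbPasswordExpiration now_epoch
  exp=$(gt_to_epoch "$2") || { echo bad-date; exit 0; }
  if [ "$exp" -le "$3" ]; then echo expired
  elif [ $(( ($exp - $3) / 86400 )) -gt "$WINDOW_DAYS" ]; then echo ok
  elif [ -z "$1" ]; then echo no-mail      # cannot be notified: report to admin
  else echo notify; fi
)

# Read blank-line-separated LDIF entries on stdin; print "uid status" per entry.
scan_ldif() (  # arg: now_epoch
  uid= mail= exp=
  emit() { if [ -n "$uid" ]; then echo "$uid $(classify "$mail" "$exp" "$1")"; fi; }
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "uid: "*)  uid=${line#uid: } ;;
      "mail: "*) mail=${line#mail: } ;;
      "krbPasswordExpiration: "*) exp=${line#krbPasswordExpiration: } ;;
      "") emit "$1"; uid= mail= exp= ;;
    esac
  done
  emit "$1"                                # last entry may lack a trailing blank line
)

# Constructed sample entries; "now" is pinned to 2024-08-01 00:00:00 UTC.
sample_ldif() { cat <<'EOF'
uid: alice
mail: alice@example.test
krbPasswordExpiration: 20240810000000Z

uid: bob
krbPasswordExpiration: 20240805120000Z

uid: carol
krbPasswordExpiration: 20240701000000Z
EOF
}
sample_ldif | scan_ldif "$(gt_to_epoch 20240801000000Z)"
```

An entry with no `krbPasswordExpiration` value, or a malformed one, is reported as `bad-date` rather than silently skipped, so it still reaches the administrator.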
## Notes:
There is a known limitation that is part of the design: `admin_report` will _not_ rescan LDAP. Instead, it uses the output fetched via `notify_users`, so make sure you run `notify_users` first.