password expiry email notification

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
g_kos
Posts: 8
Joined: Sat Sep 13, 2014 12:51 am

password expiry email notification

Post by g_kos »

Is it possible to configure zimbra to send out a notification email, specifying that a password will expire in X days, and has to be changed.
thanks

kos
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

password expiry email notification

Post by phoenix »

[quote user="g_kos"]Is it possible to configure zimbra to send out a notification email, specifying that a password will expire in X days, and has to be changed.[/QUOTE]If you're interested in this feature, vote: Bug 26372 – Notify user that their password is going to expire via email or in the webmail UI
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
g_kos
Posts: 8
Joined: Sat Sep 13, 2014 12:51 am

password expiry email notification

Post by g_kos »

ok, is it possible to find out the number of days left for the user's password until expiry, preferably from CLI. Thi sway I can script an email notification in cron.
ArcaneMagus
Elite member
Elite member
Posts: 1138
Joined: Fri Sep 12, 2014 10:25 pm

password expiry email notification

Post by ArcaneMagus »

You could write a script that uses the zimbraPasswordMaxAge and zimbraPasswordModifiedTime options to check it for an account.
zmprov ga user@domain.com zimbraPasswordMaxAge

zmprov ga user@domain.com zimbraPasswordModifiedTime
g_kos
Posts: 8
Joined: Sat Sep 13, 2014 12:51 am

password expiry email notification

Post by g_kos »

thanks arcane,
i'am writing a script that will go thrugh all the accounts on izmbra, and would send an email notification say, every day a week before the expiration date.


I totally forgot about the zmprov ga :)

so took a slightly different approach.
ldapsearch -w password -D uid=zimbra,cn=admins,cn=zimbra -x -h 192.168.xx.xx -b ou=people,dc=domain,dc=com "(&(objectclass=posixAccount)(objectclass=sambaSamAccount))" | awk '/zimbraPasswordModifiedTime:/ {print substr($2,1,8)}'


would post a complete script once I finish it
g_kos
Posts: 8
Joined: Sat Sep 13, 2014 12:51 am

password expiry email notification

Post by g_kos »

guys,
i have wrote a script that would do the job.

it is invoked from cron every day at 0:30. I directly access ldap, in order to obtain the data for all the users in the specific domain. you can set domain in the ldap query string.

this way it is much faster, then using zmprov.
then the output if filtered through awk, where it obtains the last change date for the password, and send a noptification email if the user has less/equal then 7 days to the password expiration date.


/etc/crontab

30 0 * * * zimbra ldapsearch -w `zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'` -D uid=zimbra,cn=admins,cn=zimbra -x -h YOUR_IP -b ou=people,dc=YOUR_DOMAIN,dc=com "(&(objectclass=posixAccount)(objectclass=sambaSamAccount))" | awk -f /root/scripts/zm_passwordcheck.awk

cat /root/scripts/zm_passwordcheck.awk

BEGIN {OFS=";";

max_age=60

warn_age=53

curtime=systime();

one_day=24 * 60 * 60

mail_msg="/tmp/password_change_notification.msg"

logfile="/tmp/zimbra_password_change.log"

}


/^dn: / {++no}

/zimbraMailDeliveryAddress:/ {email[no]=$2}

/zimbraPasswordModifiedTime:/ {datescalc($2)}

/displayName:/ {name[no]=substr($0,14)}

END{

for (x = 1; x
days_to_change[x]=pass_change_limit[x] - curtime;
if (curtime
status[x]="no need to notify yet";

}else

if (curtime
send_mail()

status[x]="send notification email"

}else

{days_to_change[x]="overdue";

status[x]="too late to notify"}
# unhash for debugging

#status_log()

}

}
function datescalc (field) {

lc_yyyy[no]=substr($2,1,4);

lc_mm[no]=substr($2,5,2);

lc_dd[no]=substr($2,7,2);

lc_epoch[no]=mktime(lc_yyyy[no]" "lc_mm[no]" "lc_dd[no]" 00 00 00")

trigger_date[no]=lc_epoch[no] + warn_age * one_day

pass_change_limit[no]=lc_epoch[no] + max_age * one_day

}
function send_mail(field) {

message[x]="From: Password Change Reminder
"

"User-Agent: Zimbra
"

"MIME-Version: 1.0
"

"To: "name[x]"
"

"Subject: Password change reminder (Automatic notification)

"

"Dear " name[x]",

Your current password will expire on " strftime("%d %B %Y ",pass_change_limit[x])".
"

"When you have a free minute, please login to http://mail.YOUR_DOMAIN.com,
"

"enter your current username and password, and change your password to a new one.

"

"You have "strftime("%-j",days_to_change[x])" day(s) left.


"

"yours,
Administrator"

print message[x] > "/tmp/password_change_notification.msg"

system ("zmlmtpinject -r " email[x] " -s support@YOUR_DOMAIN.com " mail_msg " > /dev/null")

close (mail_msg)

}
function status_log(field) {

print "Action: "status[x] "
Name: "name[x] "
Email: "email[x]

print "LastChangeDate: " strftime("%Y %m %d", lc_epoch[x]) "
LastChangeDateEpoch: " lc_epoch[x]

print "Current time: " strftime("%Y %m %d", curtime) "
Current time epoch: " curtime

print "Trigger time: " strftime("%Y %m %d", trigger_date[x]) "
Trigger time epoch: " trigger_date[x]

print "PassChange Limit: " strftime("%Y %m %d", pass_change_limit[x]) "
PassChange Limit: " pass_change_limit[x]

print "Time till change: " strftime("%-j",days_to_change[x]) "
Time till change epoch: " days_to_change[x]

print "


"

}



comments and suggestions are welcome
2315smaj
Posts: 5
Joined: Sat Sep 13, 2014 1:37 am

password expiry email notification

Post by 2315smaj »

I can't get work this scirpt. I've change ldapsearch command to:

ldapsearch -w `zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'` -D uid=zimbra,cn=admins,cn=zimbra -x -h 192.168.3.101 -b ou=people,dc=engine,dc=pl "(&(objectclass=zimbraAccount)(objectclass=organizationalPerson))
but the awk still returns nothing.
uxbod
Ambassador
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

password expiry email notification

Post by uxbod »

If you copied and pasted that from your CLI did you intend to add the space in the word organizationalPerson ?
2315smaj
Posts: 5
Joined: Sat Sep 13, 2014 1:37 am

password expiry email notification

Post by 2315smaj »

Nope, just type here. In CLI ldapsearh returns users from zimbra but the script returns nothing.
uxbod
Ambassador
Ambassador
Posts: 7811
Joined: Fri Sep 12, 2014 10:21 pm

password expiry email notification

Post by uxbod »

So that single line ldapsearch works ? The post before said the awk line does not work ?
Post Reply