Open Directory password expiration warnings

Tags: mac-osx, opendirectory

I have authentication for Linux, Macs and Windows hanging off of an Apple OS X Server via open directory. I want to expire passwords for my users every 180 days, which is set up and works fine. The trouble is that non-Mac clients, especially Linux users, have no indication that their password is about to expire until they come in one day and their password just fails to work without any enlightening error message.

So I'd like to script the machine such that users get a warning via email a couple days in advance of their password expiring, and then another the day of the expiration. However, the OD LDAP database doesn't appear to have the information stored in it, nor does the output of mkpassdb -dump. Does anyone know how to get that information out of OD in a scriptable way, or otherwise warn Linux users of their passwords' imminent expiration?

Best Answer

We had the exact same problem. I ended up writing a Perl script to send the password warning.

Essentially you need to use /usr/bin/pwpolicy -getglobalpolicy and compare the maxMinutesUntilChangePassword line against /usr/sbin/mkpassdb -dump <user slot> and the Last password change line. You can get a user's slot from the third field in the authAuthority attribute in LDAP.

Then some simple calculation to compare the last password change time against the maximum age, and send an email to the user if the password is near expiry.

Edit: On Tiger, mkpassdb does not accept a user slot as an argument. Instead, you can look up the password change time in the Kerberos database using kadmin.local -q 'getprinc user@DOMAIN.COM'. You can also retrieve the exact name of the user principal from LDAP.
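The recipe in the answer (global policy from pwpolicy, user slot from the third field of authAuthority, "Last password change" from mkpassdb -dump, then a date comparison and an e-mail), written out as a Python 3 script. This is an added example, not the answerer's Perl script, and it is not affiliated with Apple. The exact text layouts of pwpolicy -getglobalpolicy and mkpassdb -dump are assumptions (key=value pairs on one line, and a "Last password change: <date>" line respectively), as is the ";ApplePasswordServer;<slot>,<pubkey>@<host>" layout of authAuthority; the sample outputs, the hex slot id and the mail domain example.com are constructed. The command runner and the mailer are injectable, so the date logic can be exercised against captured output without an OD master; the Tiger kadmin.local variant is not covered.

```python
"""Warn Open Directory users by e-mail before their password expires.

Added example following the answer's recipe; command output layouts and all
sample data below are assumptions/constructed, not captured from a real server.
"""
import re
import smtplib
import subprocess
from datetime import datetime, timedelta
from email.message import EmailMessage

WARN_DAYS = (2, 0)  # two days ahead and on the day itself, as the question asks
# Date layouts a "Last password change" line might use (assumed; extend to taste)
DATE_FORMATS = ("%a %b %d %H:%M:%S %Y", "%Y-%m-%d %H:%M:%S")
MAIL_DOMAIN = "example.com"  # hypothetical domain of the users' mailboxes

# Constructed samples shaped like the commands are assumed to print.
SAMPLE_POLICY = ("usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 "
                 "maxMinutesUntilChangePassword=259200 requiresAlpha=0")  # 259200 min = 180 days
SAMPLE_AUTH = ";ApplePasswordServer;0x4a2f1b3c5d6e7f8000000001000001a2,1024 35 1234567@10.0.0.5"
SAMPLE_DUMP = ("slot 0x4a2f1b3c5d6e7f8000000001000001a2\n"
               "  Last password change: Mon Mar 01 09:15:00 2010\n")


def parse_global_policy(text):
    """Turn the 'key=value key=value ...' output of pwpolicy -getglobalpolicy into a dict."""
    return dict(pair.split("=", 1) for pair in text.split() if "=" in pair)


def max_password_age(policy):
    """Password lifetime as a timedelta, or None when the policy never expires passwords."""
    minutes = int(policy.get("maxMinutesUntilChangePassword", "0"))
    return timedelta(minutes=minutes) if minutes > 0 else None


def slot_from_auth_authority(auth_authority):
    """Slot id from ';ApplePasswordServer;<slot>,<pubkey>@<host>' (layout assumed)."""
    fields = auth_authority.split(";")
    if len(fields) < 3 or fields[1] != "ApplePasswordServer":
        raise ValueError("not an ApplePasswordServer authAuthority: %r" % auth_authority)
    return fields[2].split(",", 1)[0]


def parse_last_change(dump_text):
    """Date on the 'Last password change' line of mkpassdb -dump output."""
    m = re.search(r"^\s*Last password change\s*[:=]\s*(.+?)\s*$", dump_text, re.M | re.I)
    if not m:
        raise ValueError("no 'Last password change' line in mkpassdb output")
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(m.group(1), fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised date: %r" % m.group(1))


def days_until_expiry(last_change, max_age, now):
    """Calendar days left until last_change + max_age; negative once expired."""
    return ((last_change + max_age).date() - now.date()).days


def warning_for(username, days_left, warn_days=WARN_DAYS):
    """Text to mail today, or None. An already-expired password is reported too,
    since that is exactly the Linux user who can no longer log in to find out."""
    if days_left < 0:
        return "%s: your directory password expired %d day(s) ago; please contact IT." % (username, -days_left)
    if days_left in warn_days:
        when = "today" if days_left == 0 else "in %d day(s)" % days_left
        return "%s: your directory password expires %s. Please change it." % (username, when)
    return None


def run_cmd(argv):
    """Run a command on the OD master and return its stdout (live path only)."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def send_mail(to_addr, body, from_addr="it@" + MAIL_DOMAIN, host="localhost"):
    """Hand the warning to the local MTA over SMTP (live path only)."""
    msg = EmailMessage()
    msg["Subject"] = "Your directory password is about to expire"
    msg["From"], msg["To"] = from_addr, to_addr
    msg.set_content(body)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)


def check_user(username, auth_authority, now_iso=None, run=run_cmd, mailer=send_mail):
    """Whole recipe for one user: policy -> slot -> last change -> days left -> mail.
    Returns (days_left, message_or_None); days_left is None if passwords never expire."""
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M:%S") if now_iso else datetime.now()
    max_age = max_password_age(parse_global_policy(run(["/usr/bin/pwpolicy", "-getglobalpolicy"])))
    if max_age is None:
        return None, None
    slot = slot_from_auth_authority(auth_authority)
    last = parse_last_change(run(["/usr/sbin/mkpassdb", "-dump", slot]))
    days_left = days_until_expiry(last, max_age, now)
    message = warning_for(username, days_left)
    if message:
        mailer("%s@%s" % (username, MAIL_DOMAIN), message)
    return days_left, message


if __name__ == "__main__":
    # Dry run on the constructed samples; on the OD master drop the fake runner and mailer.
    fake_run = lambda argv: SAMPLE_POLICY if argv[0].endswith("pwpolicy") else SAMPLE_DUMP
    print(check_user("alice", SAMPLE_AUTH, "2010-08-26 08:00:00", run=fake_run, mailer=print))
```

Run it daily from cron on the OD master, looping over the usernames and authAuthority values you pull from LDAP; the day comparison uses calendar days, so the run time of day does not shift which users are warned.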