PHP LDAP notify on expiring passwords

November 17, 2016


Hello,

Below is a script I put together to notify users via e-mail about their domain account password expiration.

The script is set to:

  • notify users when there are 7, 3 or 1 days left until the password expires;
  • create a ticket via e-mail when there are 7, 3 or 1 days left until the password expires, but there’s no e-mail address set for that account;
  • create a ticket via e-mail when the password has already expired (this can easily be changed to “spam” the user). Please note this will basically open one ticket per day until the problem is solved.
  • create a ticket via e-mail when the password has already expired and there’s also no e-mail address set for that account. Please note this will basically open one ticket per day until the problem is solved.

So, basically, the script is composed of 5 files: the main script, which handles the data, and 4 “e-mail templates”, 1 for each situation described above.

Some problems I encountered while working on this script:

  • You will probably want to exclude the following from the accounts to be verified:
    • guest and administrator accounts
    • service accounts
    • other accounts which, for whatever reason, have the password set to never expire.
  • While retrieving the data, you will need to filter out the [count] elements from the array generated by the ldap_get_entries function. I solved this by using a little function. Others may consider something else.
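One way to handle both problems above together with the four notification cases, as an added example that is not the author's script. It assumes Active Directory's pwdLastSet and userAccountControl attributes and a 90-day maximum password age; the function names, case labels and sample entries are constructed for illustration.

```php
<?php
// Added example, not the author's script. Attribute names are lowercased,
// as ldap_get_entries() returns them; the 90-day policy is an assumption.
const UAC_DONT_EXPIRE_PASSWORD = 0x10000;     // userAccountControl flag
const FILETIME_EPOCH_OFFSET    = 11644473600; // seconds between 1601-01-01 and 1970-01-01

// Recursively drop the "count" bookkeeping keys that ldap_get_entries() adds.
function strip_count(array $a): array {
    unset($a['count']);
    foreach ($a as $k => $v) {
        if (is_array($v)) { $a[$k] = strip_count($v); }
    }
    return $a;
}

// Whole days until expiry (negative once expired), from the pwdLastSet FILETIME.
function days_left(string $pwdLastSet, int $maxAgeDays, int $now): int {
    $setAt = intdiv((int)$pwdLastSet, 10000000) - FILETIME_EPOCH_OFFSET;
    return (int) floor(($setAt + $maxAgeDays * 86400 - $now) / 86400);
}

// Map one entry to one of the four cases (hypothetical labels), or null if nothing is due.
function classify(array $e, int $maxAgeDays, int $now, array $skip): ?string {
    $name = strtolower($e['samaccountname'][0] ?? '');
    $uac  = (int)($e['useraccountcontrol'][0] ?? 0);
    if (in_array($name, $skip, true) || ($uac & UAC_DONT_EXPIRE_PASSWORD)) {
        return null; // excluded by name, or password set to never expire
    }
    $hasMail = !empty($e['mail'][0]);
    $left = days_left($e['pwdlastset'][0] ?? '0', $maxAgeDays, $now);
    if ($left < 0) {
        return $hasMail ? 'expired_ticket' : 'expired_no_mail_ticket';
    }
    if (in_array($left, [7, 3, 1], true)) {
        return $hasMail ? 'notify_user' : 'expiring_no_mail_ticket';
    }
    return null;
}

// Constructed sample shaped like ldap_get_entries() output, with a fixed clock.
$now = 1700000000; $max = 90;
$entry = fn(string $n, ?string $mail, int $age, int $uac): array => [
    'samaccountname' => ['count' => 1, $n], 'useraccountcontrol' => ['count' => 1, (string)$uac],
    'pwdlastset' => ['count' => 1, (string)(($now - $age * 86400 + FILETIME_EPOCH_OFFSET) * 10000000)],
] + ($mail ? ['mail' => ['count' => 1, $mail]] : []);
$raw = ['count' => 4, $entry('alice', 'alice@example.test', 83, 512), $entry('bob', null, 87, 512),
    $entry('carol', 'carol@example.test', 95, 512), $entry('svc_backup', null, 200, 512 | UAC_DONT_EXPIRE_PASSWORD)];
foreach (strip_count($raw) as $e) {
    printf("%-12s %s\n", $e['samaccountname'][0], classify($e, $max, $now, ['guest', 'administrator']) ?? 'skip');
}
```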

Prerequisites:

  • you will need a service account set up in your AD;
  • a web server to handle PHP and PHP LDAP (I used Debian 8 and LAMP). For an easy tutorial, please check this link
  • access to the system crontab (or, if using another OS, a way to schedule the script to run once every day). Check this link if you need help understanding the crontab mechanism.

Main script:

I tried to document all steps in the script; however, you can just remove the comments.

Also, make sure you are using a correct base DN that includes all the user accounts.

E-mail templates:

Case 1: password about to expire, the account has an e-mail address set.

Case 2: Password about to expire, the account has no e-mail address set, opening ticket.

Case 3: Password expired – opening ticket.

Case 4: Password expired and also account has no e-mail address set – opening ticket.

Now, once you have the whole script, upload it to your web server, to the directory where you usually keep your custom apps/scripts (e.g. /usr/local).

Now, to have your script run every day at a specific time, make a new entry in crontab. To do that, open a shell to your server with:

and add the following line at the end of the crontab file

The above line will have the script “/usr/local/ldap_notify/ldap_notify_expire_pass.php” run every day, at 01:10 AM.



Marin Nedea
I'm passionate about open source software and technologies. In my spare time I build simple and functional websites from scratch, using PHP+HTML5+CSS3+MySQL and when I'm bored, I write simple PHP_CLI or bash scripts to play around on my Linux machine.

2 Comments

  1. Amie Ritter says:

    Hi there, would you mind letting me know which hosting company you’re using?
    I’ve loaded your blog in 3 different browsers and I must say this blog loads a lot quicker than most.

    Can you recommend a good hosting provider at an honest price?

    Cheers, I appreciate it!
