Tuesday, May 10, 2011

ADAM alert – password is about to expire…..

Depending on our ADAM password policy, the support staff must be informed in advance about the date of password expiration. To accomplish it we need to determine if a user’s
-         Account password is set to expire,
-         When the user last changed their password,
-         The maximum password age in the domain and
-         Current date and time.
As a normal user we can retrieve date and time “when the user last changed their password”.

But normal user may not able to see all the attributes in a particular user object. I feel if ADAM uses the password policy and expiry times same as the domain then the values of above attributes would not be configured in ADAM itself. On the other hand a normal user may not get all information using LDAP browser.

However, if maxPwdAge is fixed for all users, we can complete the script and configured a cron job to send “Password_Expirre_Alart” before a week.

Here we assume maxPwdAge is three month. This script will run five minutes after midnight, every day.
#Crontab -e
5 0 * * * usr/bin/php –f /path/to/script
The script :
#!/usr/bin/php
< ?php
// basic sequence with ADAM is connect, bind, search, interpret search result and close connection

function convert_AD_date($ad_date) {
        if ($ad_date == 0) {
                return '0000-00-00';
        }
        $secsAfterADEpoch = $ad_date / (10000000);
        $AD2Unix=((1970-1601) * 365 - 3 + round((1970-1601)/4) ) * 86400;
        // Why -3 ?
        // "If the year is the last year of a century, eg. 1700, 1800, 1900, 2000,
        // then it is only a leap year if it is exactly divisible by 400.
        // Therefore, 1900 wasn't a leap year but 2000 was."
        $unixTimeStamp=intval($secsAfterADEpoch-$AD2Unix);
        $myDate = date("Y-m-d H:i:s", $unixTimeStamp); // formatted date
        return $myDate;
}
//ADAM query test
//Connecting ...
$ds=ldap_connect("Your ADAM server"); // must be a valid ADAM server!
#echo "connect result is ".$ds." ";
if ($ds) {
//Binding ...
$r=ldap_bind($ds, "CN=(Your's CN), OU=(your's OU), OU=Users, DC=(Your's DC), DC=(your's dc)", "(password)"); 
// this is an "anonymous" bind, typically read-only access
//Searching for (sn=S*) ...
// Search surname entry
$sr=ldap_search($ds,"OU=(OU),OU=Users,DC=(DC),DC=(DC)", "uid=*");
//Getting entries ...
$info = ldap_get_entries($ds, $sr);
for ($i=0; $i<$info["count"]; $i++) {
$dn=$info[$i]["dn"];
$first_cn_entry_is=$info[$i]["cn"][0];
$first_email_entry_is=$info[$i]["mail"][0];
$ad_date=utf8_decode($info[$i]["pwdlastset"][0]);
convert_AD_date("$ad_date");
        $myDate=convert_AD_date("$ad_date");
        $pos=strpos($myDate, " ");
        $firstField=substr($myDate, 0, $pos+1);
        $ExpireDate = strtotime(date("Y-m-d", strtotime($firstField)). "+3 month");
// Calculate the occurance to shoot a mail
        $mail_month = strtotime(date("Y-m-d", strtotime($firstField)). "+2 month");
        $mail_week = strtotime('-3 week', strtotime(date("Y-m-d", $ExpireDate)));
        $mail_day = strtotime('-4 days', strtotime(date("Y-m-d", $ExpireDate)));
        $Month=date("Y-m-d", $mail_month);
        $Week=date("Y-m-d", $mail_week);
        $Days=date("Y-m-d", $mail_day);
// Calculate Expiry date as per password policy
        $Passwd_expire_on=date('l dS \o\f F Y', $ExpireDate);
// Here we'll check validity
        $todayDate = date("Y-m-d");
        $expDate = date("Y-m-d", $ExpireDate);
        $today = strtotime($todayDate);
        $exp_date = strtotime($expDate);
        if ($exp_date < $today) {
        $valid="yes";
        //$valid = "Allready Expired..........";
        } else {
        $valid="no";
        //$valid = "Will Expire on $expDate ";
}
// Send a mail to the user before one month/three weeks and before 4days (three times) expiry date. 
$subject="ADAM password will expired on $Passwd_expire_on";
$message = "Hello  $first_cn_entry_is \n Please use the following link and change your ADAM password before it got expired. \n  (Mention URL to change password)";
$headers = 'From: ADAM_Admin@yourDomain.com' . "\r\n" .
    'Reply-To: ADAM_Admin@yourDomain.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();
if ($valid==no && $todayDate == $Month)
         mail($first_email_entry_is, $subject, $message, $headers);
   elseif ($valid==no && $todayDate == $Week)
         mail($first_email_entry_is, $subject, $message, $headers);
   elseif ($valid==no && $todayDate == $Days)
          mail($first_email_entry_is, $subject, $message, $headers);
else
          $ans="\nWill mail latter";
}
//Closing connection
ldap_close($ds);
} else {
//Unable to connect to ADAM server
}
?>

Curtsy:  Many information / logic have taken directly from internet/forum. But the idea is came out from the requirement of my project and accordingly the logic has implemented.

No comments:

Post a Comment