FreeIPA password expiration and locked user notifier
Project description
FreeIPA Notification
Notifies IPA users of upcoming password expiration and notifies an admin of locked-out users.
Required packages:
- krb5-devel
- python3-pip
- python3-virtualenv (Optional)
- Create a new role for the notifier:
  ipa role-add --desc "Notification agent role" "Notification Agent"
- Add privileges to the role:
  ipa role-add-privilege "Notification Agent" --privileges="User Administrators"
  ipa role-add-privilege "Notification Agent" --privileges="Group Administrators"
  ipa role-add-privilege "Notification Agent" --privileges="Password Policy Readers"
  Note that the built-in "User Administrators" and "Group Administrators" privileges include write permissions (adding, modifying and removing users and groups), while the notifier only reads user attributes. On a hardened deployment, grant a custom privilege built from the corresponding read permissions instead, and in any case treat the keytab issued below as an administrative credential.
- Create a new service and assign the role to it:
  ipa service-add NOTIFY/ipa1.example.com
  ipa role-add-member "Notification Agent" --services="NOTIFY/ipa1.example.com@EXAMPLE.COM"
  ipa service-allow-retrieve-keytab "NOTIFY/ipa1.example.com@EXAMPLE.COM" --hosts=ipa1.example.com
- Obtain a keytab and restrict its permissions. The directory needs mode 0700 (a 0600 directory cannot be traversed); only the keytab itself gets 0600:
  mkdir -p ~/.priv && chmod 700 ~/.priv
  ipa-getkeytab -s ipa1.example.com -p "NOTIFY/ipa1.example.com@EXAMPLE.COM" -k ~/.priv/notify.keytab
  chmod 600 ~/.priv/notify.keytab
  Without -r, ipa-getkeytab generates new keys for the principal, so re-running it invalidates any keytab issued earlier. Use ipa-getkeytab -r to retrieve the existing keys; that is the operation the service-allow-retrieve-keytab grant above permits.
- (Optional) Create a new virtual env and activate it:
  mkdir /opt/ipa-notify
  virtualenv -p python3 /opt/ipa-notify/venv
  source /opt/ipa-notify/venv/bin/activate
- Install this package:
  pip3 install ipa-notify
- Run the command in --noop mode first. It should list the users it would notify without sending any email (the binary lives in the venv's bin directory; the help output below defines only the long option names --principal and --keytab):
  /opt/ipa-notify/venv/bin/ipa-notify --server ipa1.example.com --principal "NOTIFY/ipa1.example.com@EXAMPLE.COM" --keytab ~/.priv/notify.keytab \
    --limit 10 --groups users --check-expiration --noop
- Create a script under /usr/local/sbin/ that runs the command with your parameters. It will carry the SMTP password, so make it root-owned and unreadable by other users (chmod 700).
- Add a cron entry. The line below has a user field, so it belongs in /etc/crontab or a file under /etc/cron.d/, not in a per-user crontab. Cron runs jobs with /bin/sh, where bash's &>> is not valid (it would background the job and create an empty log), so use POSIX redirection:
  0 0 * * * root /usr/local/sbin/ipa_notify.sh >> /var/log/ipa_notify.log 2>&1
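The wrapper script the two previous steps ask for, written out as an added example (it is not part of the ipa-notify project). It assumes the venv and keytab paths used on this page, a root-only file /root/.priv/smtp_pass holding the SMTP password, and placeholder SMTP and admin addresses; the ipa-notify options are the ones from the --help output below. It refuses to run if the keytab or password file is readable by other users, and it expects cron to call it as /usr/local/sbin/ipa_notify.sh run, so that sourcing the file only defines its functions.

```shell
#!/bin/sh
# /usr/local/sbin/ipa_notify.sh - cron wrapper for ipa-notify.
# Added example, not part of the ipa-notify project. VENV, KEYTAB, SMTP_PASS_FILE
# and the SMTP/admin addresses are assumptions to adapt; the ipa-notify options
# are those from its --help output.
set -eu
umask 077

VENV=/opt/ipa-notify/venv
KEYTAB=/root/.priv/notify.keytab
SMTP_PASS_FILE=/root/.priv/smtp_pass      # single line, root-owned, mode 0600
PRINCIPAL='NOTIFY/ipa1.example.com@EXAMPLE.COM'

# mode_of FILE: permission bits in octal, e.g. 600 (GNU stat, BSD stat fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_private FILE: succeeds only for a regular file whose group and other
# permission digits are both 0 (0600, 0400, 0700, ...). Used to refuse to run
# with a keytab or password file that other local users could read.
is_private() {
    [ -f "$1" ] || return 1
    case $(mode_of "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# die MSG...: timestamped error on stderr and a non-zero exit (cron logs it)
die() {
    printf '%s ipa_notify: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >&2
    exit 1
}

main() {
    [ "$(id -u)" -eq 0 ]          || die "must run as root (cron user field)"
    is_private "$KEYTAB"          || die "$KEYTAB missing or readable by others; expected mode 0600"
    is_private "$SMTP_PASS_FILE"  || die "$SMTP_PASS_FILE missing or readable by others; expected mode 0600"
    [ -x "$VENV/bin/ipa-notify" ] || die "$VENV/bin/ipa-notify not found; pip install ipa-notify into the venv"

    # ipa-notify only accepts the SMTP password as a command-line argument, which
    # is visible in /proc/<pid>/cmdline to other local users while it runs.
    # Reading it from a root-only file at least keeps it out of this script,
    # out of /etc/cron.d and out of the log.
    smtp_pass=$(head -n 1 "$SMTP_PASS_FILE")
    [ -n "$smtp_pass" ] || die "$SMTP_PASS_FILE is empty"

    "$VENV/bin/ipa-notify" \
        --server ipa1.example.com \
        --principal "$PRINCIPAL" \
        --keytab "$KEYTAB" \
        --groups users \
        --limit 10 \
        --check-expiration \
        --check-locked \
        --smtp-host smtp.example.com --smtp-port 465 --smtp-security SSL \
        --smtp-user notify@example.com --smtp-pass "$smtp_pass" \
        --smtp-from noreply@example.com \
        --admin ipa-admins@example.com \
        --log-level INFO
}

# cron calls "/usr/local/sbin/ipa_notify.sh run"; with no argument the file
# only defines the functions above (handy for ". ipa_notify.sh" and testing).
case "${1:-}" in
    run) main ;;
esac
```

Keep the script itself at mode 0700 as well: it is not a secret on its own, but anyone who can edit it runs code as root at midnight. The residual exposure of the password in the process list is a limitation of the tool's interface, not of the wrapper; on multi-user hosts, mounting /proc with hidepid=2 hides other users' command lines.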
- (Optional) You can create an email template folder and override the message content. Change the text freely, but do not rename the files or the variables they use. Each template must start with a line beginning with the keyword Subject:, followed by one empty line, then the body. Test your templates before using them.
  $ python3 -c 'import ipa_notify;print(ipa_notify.__file__)'
  /usr/local/lib/python3.6/site-packages/ipa_notify/__init__.py
  $ cp -r /usr/local/lib/python3.6/site-packages/ipa_notify/templates ./mytemplates
  # edit the content
  $ ipa-notify ... --templates ./mytemplates
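A check for a customised template folder, as an added example (not part of ipa-notify). It encodes the rules above: the same file names as the shipped folder, Subject: on the first line, an empty second line, a non-empty body, and exactly the same set of placeholders as the shipped file. It assumes placeholders are written as $name or ${name} (Python string.Template style); if the shipped files use another syntax, adjust the pattern in placeholders(). The template texts in demo are constructed for illustration and are not the project's.

```shell
#!/bin/sh
# ipa_notify_check_templates.sh ORIG_DIR NEW_DIR - sanity-check a customised
# template folder against the templates shipped with ipa-notify before passing
# it to --templates. Added example, not part of ipa-notify. Assumes placeholders
# look like $name or ${name}; the demo templates below are constructed samples.
set -eu

# check_template FILE: first line starts with "Subject:", second line is empty,
# and at least one non-empty body line follows.
check_template() {
    head -n 1 "$1" | grep -q '^Subject:' \
        || { echo "$1: first line must start with 'Subject:'"; return 1; }
    [ -z "$(sed -n '2p' "$1")" ] \
        || { echo "$1: line 2 must be empty (blank line between subject and body)"; return 1; }
    [ "$(sed -n '3,$p' "$1" | grep -c .)" -gt 0 ] \
        || { echo "$1: body is empty"; return 1; }
}

# placeholders FILE: sorted, de-duplicated placeholder names ($name / ${name})
placeholders() {
    grep -oE '\$\{?[A-Za-z_][A-Za-z0-9_]*\}?' "$1" | tr -d '${}' | sort -u
}

# compare_templates ORIG_DIR NEW_DIR: each shipped file must exist in NEW_DIR,
# pass check_template and reference exactly the same placeholder names.
compare_templates() {
    rc=0
    for orig in "$1"/*; do
        [ -f "$orig" ] || continue
        name=$(basename "$orig")
        new="$2/$name"
        if [ ! -f "$new" ]; then
            echo "$name: missing from $2 (file names must not change)"
            rc=1
            continue
        fi
        check_template "$new" || rc=1
        if [ "$(placeholders "$orig")" != "$(placeholders "$new")" ]; then
            echo "$name: placeholder names differ from the shipped template"
            echo "  shipped: $(placeholders "$orig" | tr '\n' ' ')"
            echo "  yours:   $(placeholders "$new" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# demo: one constructed "shipped" template, one acceptable rewrite (same
# placeholders, new wording) and one broken rewrite (no blank line, renamed
# placeholder), run through compare_templates.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/shipped" "$tmp/good" "$tmp/bad"
    printf 'Subject: Your IPA password expires in $days days\n\nHello $user,\nplease change it before $date.\n' \
        >"$tmp/shipped/expiration.txt"
    printf 'Subject: [IPA] $user: password expires in ${days} days\n\nHi $user, change your password before $date.\n' \
        >"$tmp/good/expiration.txt"
    printf 'Subject: password expires soon\nHello $username, hurry up.\n' \
        >"$tmp/bad/expiration.txt"
    compare_templates "$tmp/shipped" "$tmp/good" && echo "good: accepted"
    compare_templates "$tmp/shipped" "$tmp/bad"  || echo "bad: rejected"
    rm -rf "$tmp"
}

case "${1:-}" in
    "")   ;;                              # sourced / no args: only define functions
    demo) demo ;;
    *)    compare_templates "$1" "${2:?usage: $0 ORIG_DIR NEW_DIR}" && echo "templates OK" ;;
esac
```

Run it as sh ipa_notify_check_templates.sh /usr/local/lib/python3.6/site-packages/ipa_notify/templates ./mytemplates; a non-zero exit means at least one rule was violated and the offending file is named. The placeholder comparison is deliberately strict in both directions: a dropped variable is harmless to the renderer but silently removes information from the mail, while an added or renamed one is what makes a template fail at send time.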
Parameters:
$ ipa-notify --help
usage: ipa-notify [-h] [--server SERVER] [--verify-ssl] [--no-verify-ssl] [--principal PRINCIPAL] [--keytab KEYTAB] [--groups GROUPS [GROUPS ...]] [--limit LIMIT] [--smtp-host SMTP_HOST] [--smtp-port SMTP_PORT]
[--smtp-security {none,STARTTLS,SSL}] [--smtp-user SMTP_USER] [--smtp-pass SMTP_PASS] [--smtp-from SMTP_FROM] [--admin ADMIN] [--noop] [--check-expiration] [--check-locked] [--templates TEMPLATES]
[--log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}]
IPA Notifier
optional arguments:
-h, --help show this help message and exit
--server SERVER ipa server fqdn (default: ipa.domain.com)
--verify-ssl verify ipa connection SSL cert (default) (default: True)
--no-verify-ssl do not verify ipa connection SSL cert (default: True)
--principal PRINCIPAL
user principal for kerberos authentication (default: admin@DOMAIN.COM)
--keytab KEYTAB keytab path (default: /tmp/user.kt)
--groups GROUPS [GROUPS ...]
list of user groups to check (default: ['users'])
--limit LIMIT number of days before notifying a user (default: 5)
--smtp-host SMTP_HOST
smtp host for sending email (default: localhost)
--smtp-port SMTP_PORT
smtp port for sending email (default: 465)
--smtp-security {none,STARTTLS,SSL}
smtp port for sending email (default: SSL)
--smtp-user SMTP_USER
smtp user login (default: smtp_user)
--smtp-pass SMTP_PASS
smtp user password (default: smtp_pass)
--smtp-from SMTP_FROM
smtp from email address (default: noreply@domain.com)
--admin ADMIN admin user email to notify about locked users (default: admin@domain.com)
--noop no operation mode. Do not send emails (default: False)
--check-expiration Check password expirations for users (default: False)
--check-locked Check locked out users (default: False)
--templates TEMPLATES
Custom email template folder (default: )
--log-level {CRITICAL,FATAL,ERROR,WARN,WARNING,INFO,DEBUG,NOTSET}
log level (default: INFO)
File details: ipa-notify-0.3.9.tar.gz (source distribution)
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4
File hashes
Algorithm | Hash digest
---|---
SHA256 | 7db67238d21eb2be0e0ade47664f5084b63e19d5693559fc6cf2d68eacff90c4
MD5 | c48aed69e4f83f0559541d6f1cb514c3
BLAKE2b-256 | ae83e1549f98f1bc1848ca8e0fc650b59d8c6cf9c8986e5b106630a8ed2683c2
File details: ipa_notify-0.3.9-py3-none-any.whl (built distribution)
- Size: 15.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.4.1 importlib_metadata/3.10.1 pkginfo/1.7.0 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.60.0 CPython/3.9.4
File hashes
Algorithm | Hash digest
---|---
SHA256 | 8bc25b219fef3f7d727cf5e47fe66bbfb5230feb9f785a709e599887252d2e10
MD5 | 240e679c849fb8dff5d682fef993e633
BLAKE2b-256 | e6fff22b3a99703823edd73738edcd722369b8e6e1ab145c9468406554585eec
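The digests above let the pip3 install step be made verifiable. The script below is an added example (not part of the ipa-notify project): it downloads only the 0.3.9 source archive, compares it with the SHA256 published in this section, and installs from the verified local file rather than letting pip fetch whatever the index serves at install time. The SHA256 constants are the two listed above; the venv path is an assumption; the file hashed in the test is constructed.

```shell
#!/bin/sh
# verify_ipa_notify.sh - download the ipa-notify 0.3.9 source archive, check it
# against the SHA256 digest published on PyPI (the values below are the ones on
# this page), and only then install it. Added example, not part of ipa-notify;
# VENV is an assumption.
set -eu

VENV=/opt/ipa-notify/venv
VERSION=0.3.9
SDIST=ipa-notify-$VERSION.tar.gz
SDIST_SHA256=7db67238d21eb2be0e0ade47664f5084b63e19d5693559fc6cf2d68eacff90c4
WHEEL_SHA256=8bc25b219fef3f7d727cf5e47fe66bbfb5230feb9f785a709e599887252d2e10

# sha256_of FILE: lowercase hex digest (GNU coreutils, with a BSD/macOS fallback)
sha256_of() {
    {
        if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
    } | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED: succeeds only if FILE hashes to EXPECTED
# (hex, case-insensitive) and prints a one-line verdict.
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1: got ${actual:-<unreadable>}, expected $expected" >&2
    return 1
}

# install_verified: fetch only the sdist (no wheel, no dependencies), refuse to
# continue on a digest mismatch, then install from the verified local archive.
install_verified() {
    tmp=$(mktemp -d)
    "$VENV/bin/pip" download --no-deps --no-binary :all: -d "$tmp" "ipa-notify==$VERSION"
    verify_sha256 "$tmp/$SDIST" "$SDIST_SHA256" || { rm -rf "$tmp"; exit 1; }
    "$VENV/bin/pip" install "$tmp/$SDIST"
    rm -rf "$tmp"
}

case "${1:-}" in
    install) install_verified ;;
    "")      ;;                                          # no argument: only define functions
    *)       verify_sha256 "$1" "${2:-$SDIST_SHA256}" ;; # verify_ipa_notify.sh FILE [DIGEST]
esac
```

Dependencies are still resolved from the index unverified by this script; to pin them as well, use pip's hash-checking mode (a requirements file with --hash=sha256:... entries, for ipa-notify both digests above, installed with --require-hashes), which demands a digest for every dependency too. Compare against SHA256 or BLAKE2b, not the MD5 column.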