Chapter 34. Managing expiring password notifications
You can use the Expiring Password Notification (EPN) tool, provided by the ipa-client-epn package, to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time. To install, configure, and use the EPN tool, refer to the relevant sections.
- What is the Expiring Password Notification tool
- Installing the Expiring Password Notification tool
- Running the EPN tool to send emails to users whose passwords are expiring
- Enabling the ipa-epn.timer to send an email to all users whose passwords are expiring
- Modifying the Expiring Password Notification email template
34.1. What is the Expiring Password Notification tool
The Expiring Password Notification (EPN) tool is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time.
IdM administrators can use EPN to:
- Display a list of affected users in JSON format, which is created when run in dry-run mode.
- Calculate how many emails will be sent for a given day or date range.
- Send password expiration email notifications to users.
- Configure the ipa-epn.timer to run the EPN tool daily and send an email to users whose passwords are expiring within the defined future date ranges.
- Customize the email notification to send to users.
If a user account is disabled, no email notification is sent to that user even if its password is about to expire.
34.2. Installing the Expiring Password Notification tool
Follow this procedure to install the Expiring Password Notification (EPN) tool.
Prerequisites
- Install the EPN tool on either an Identity Management (IdM) replica or an IdM client with a local Postfix SMTP server configured as a smart host.
Procedure
Install the EPN tool:
# yum install ipa-client-epn
34.3. Running the EPN tool to send emails to users whose passwords are expiring
Follow this procedure to run the Expiring Password Notification (EPN) tool to send emails to users whose passwords are expiring.
The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.
Prerequisites
- The ipa-client-epn package is installed. See Installing the Expiring Password Notification tool.
- Customize the ipa-epn email template if required. See Modifying the Expiring Password Notification email template.
Procedure
- Update the epn.conf configuration file to set the options for the EPN tool to notify users of upcoming password expiration:
  # vi /etc/ipa/epn.conf
  - Update notify_ttls as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s).
    notify_ttls = 28, 14, 7, 3, 1
  - Configure your SMTP server and port:
    smtp_server = localhost
    smtp_port = 25
  - Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address.
    mail_from = admin-email@example.com
- Save the /etc/ipa/epn.conf file.
- Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the --dry-run option:
  # ipa-epn --dry-run
  [
    {
      "uid": "user5",
      "cn": "user 5",
      "krbpasswordexpiration": "2020-04-17 15:51:53",
      "mail": "['user5@ipa.test']"
    }
  ]
  [
    {
      "uid": "user6",
      "cn": "user 6",
      "krbpasswordexpiration": "2020-12-17 15:51:53",
      "mail": "['user5@ipa.test']"
    }
  ]
  The IPA-EPN command was successful
  Note: If the list of users returned is very large and you run the tool without the --dry-run option, this might cause an issue with your email server.
- Run the EPN tool without the --dry-run option to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode:
  # ipa-epn
  [
    {
      "uid": "user5",
      "cn": "user 5",
      "krbpasswordexpiration": "2020-10-01 15:51:53",
      "mail": "['user5@ipa.test']"
    }
  ]
  [
    {
      "uid": "user6",
      "cn": "user 6",
      "krbpasswordexpiration": "2020-12-17 15:51:53",
      "mail": "['user5@ipa.test']"
    }
  ]
  The IPA-EPN command was successful
- You can add EPN to any monitoring system and invoke it with the --from-nbdays and --to-nbdays options to determine how many users' passwords are going to expire within a specific time frame:
  # ipa-epn --from-nbdays 8 --to-nbdays 12
  Note: If you invoke the EPN tool with the --from-nbdays and --to-nbdays options, it is automatically executed in dry-run mode.
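The dry-run output is the right place to gauge how much mail a real run would generate before you drop --dry-run, particularly given the note above about large user lists and your mail server. The following Python script is an added example and is not part of ipa-client-epn: it parses constructed dry-run output in the shape shown above, reads notify_ttls from a constructed epn.conf fragment, and reports how many emails would fall into each notification day, which users have no mail attribute, and which users fall outside the configured TTLs (useful when reviewing --from-nbdays/--to-nbdays output). It assumes that a user matches TTL N when the password expires N calendar days after the reference date; the tool's exact window handling is documented in the ipa-epn man page.

```python
"""Summarize ipa-epn dry-run output before sending real mail.

Added example, not part of ipa-client-epn. Assumptions (not taken from the
documentation): a user matches TTL N when krbpasswordexpiration falls N
calendar days after the reference date, and the dry-run output is a sequence
of JSON arrays followed by the status line shown in the procedure.
"""
import json
import re
from collections import Counter
from datetime import date, datetime

# Constructed epn.conf fragment using only the keys shown in the procedure.
EPN_CONF = """\
notify_ttls = 28, 14, 7, 3, 1
smtp_server = localhost
smtp_port = 25
mail_from = admin-email@example.com
"""

# Constructed dry-run output in the shape ipa-epn prints. user7 has no mail
# attribute and user8 expires on a day that is not in notify_ttls.
DRY_RUN_OUTPUT = """\
[
  {"uid": "user5", "cn": "user 5", "krbpasswordexpiration": "2020-04-17 15:51:53", "mail": "['user5@ipa.test']"}
]
[
  {"uid": "user6", "cn": "user 6", "krbpasswordexpiration": "2020-04-23 09:00:00", "mail": "['user6@ipa.test']"},
  {"uid": "user7", "cn": "user 7", "krbpasswordexpiration": "2020-04-23 11:30:00", "mail": "[]"},
  {"uid": "user8", "cn": "user 8", "krbpasswordexpiration": "2020-04-26 08:00:00", "mail": "['user8@ipa.test']"}
]
The IPA-EPN command was successful
"""

DEFAULT_TTLS = [28, 14, 7, 3, 1]  # the documented default for notify_ttls
STATUS_OK = "The IPA-EPN command was successful"
REFERENCE_DATE = date(2020, 4, 16)  # constructed "today" for the sample data


def parse_notify_ttls(conf_text):
    """Return the notify_ttls list from an epn.conf text, or the documented default."""
    match = re.search(r"^\s*notify_ttls\s*=\s*(.+?)\s*$", conf_text, re.MULTILINE)
    if not match:
        return list(DEFAULT_TTLS)
    return sorted({int(x) for x in match.group(1).split(",")}, reverse=True)


def parse_dry_run(text):
    """Split the concatenated JSON arrays from the trailing status line."""
    decoder = json.JSONDecoder()
    records, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text) or text[pos] != "[":
            break
        array, pos = decoder.raw_decode(text, pos)
        records.extend(array)
    return records, text[pos:].strip()


def parse_mail(value):
    """The mail attribute is printed as a stringified list; pull out the addresses."""
    return re.findall(r"'([^']+)'", value or "")


def days_until(expiration, today):
    """Whole calendar days from `today` to a krbpasswordexpiration timestamp."""
    expires = datetime.strptime(expiration, "%Y-%m-%d %H:%M:%S").date()
    return (expires - today).days


def summarize(conf_text, dry_run_text, today):
    """Count deliverable emails per TTL and flag records that would not produce one."""
    ttls = parse_notify_ttls(conf_text)
    records, status = parse_dry_run(dry_run_text)
    per_ttl, outside_ttls, without_mail = Counter(), [], []
    for rec in records:
        if not parse_mail(rec.get("mail")):
            without_mail.append(rec["uid"])  # no address: nothing can be delivered
            continue
        days = days_until(rec["krbpasswordexpiration"], today)
        if days in ttls:
            per_ttl[days] += 1
        else:
            outside_ttls.append(rec["uid"])
    return {
        "status_ok": status == STATUS_OK,
        "per_ttl": dict(sorted(per_ttl.items(), reverse=True)),
        "total_emails": sum(per_ttl.values()),
        "outside_ttls": outside_ttls,
        "without_mail": without_mail,
    }


if __name__ == "__main__":
    print(summarize(EPN_CONF, DRY_RUN_OUTPUT, REFERENCE_DATE))
```

In practice you would replace DRY_RUN_OUTPUT with the captured output of `ipa-epn --dry-run` and REFERENCE_DATE with the current date; the total_emails figure is what your SMTP smart host will have to accept in one run.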
Verification
- Run the EPN tool and verify an email notification is sent.
Additional resources
- See the ipa-epn man page.
- See the epn.conf man page.
34.4. Enabling the ipa-epn.timer to send an email to all users whose passwords are expiring
Follow this procedure to use ipa-epn.timer to run the Expiring Password Notification (EPN) tool to send emails to users whose passwords are expiring. The ipa-epn.timer parses the epn.conf file and sends an email to users whose passwords are expiring within the defined future date ranges configured in that file.
Prerequisites
- The ipa-client-epn package is installed. See Installing the Expiring Password Notification tool.
- Customize the ipa-epn email template if required. See Modifying the Expiring Password Notification email template.
Procedure
Start the ipa-epn.timer:
# systemctl start ipa-epn.timer
Once you start the timer, by default, the EPN tool is run every day at 1 a.m.
Additional resources
- See the ipa-epn man page.
34.5. Modifying the Expiring Password Notification email template
Follow this procedure to customize the Expiring Password Notification (EPN) email message template.
Prerequisites
- The ipa-client-epn package is installed.
Procedure
- Open the EPN message template:
  # vi /etc/ipa/epn/expire_msg.template
- Update the template text as required.
  Hi {{ fullname }},
  Your password will expire on {{ expiration }}.
  Please change it as soon as possible.
  You can use the following variables in the template.
  - User ID: uid
  - Full name: fullname
  - First name: first
  - Last name: last
  - Password expiration date: expiration
- Save the message template file.
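Before saving a customized template, it is worth checking that every placeholder is one of the variables listed above; a misspelled name or a missing brace is otherwise only noticed when the notification goes out. The following Python script is an added example and is not part of ipa-client-epn: it uses a simple regex to find {{ variable }} placeholders, reports unknown names and unbalanced delimiters, and renders the template against a constructed user record. The substitution mechanism is a stand-in for the tool's own renderer, and the user values are made up.

```python
"""Check and render an EPN message template before deploying it.

Added example, not part of ipa-client-epn. It recognises the {{ variable }}
placeholders listed in the documentation and substitutes them with a plain
regex; the tool's own rendering engine is not reproduced here.
"""
import re

# The variables the documentation says a template may use.
ALLOWED_VARIABLES = {"uid", "fullname", "first", "last", "expiration"}

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# The default template text from /etc/ipa/epn/expire_msg.template.
DEFAULT_TEMPLATE = (
    "Hi {{ fullname }},\n"
    "Your password will expire on {{ expiration }}.\n"
    "Please change it as soon as possible.\n"
)

# Constructed user record; the values are illustrative, not a real account.
SAMPLE_USER = {
    "uid": "user5",
    "fullname": "user 5",
    "first": "user",
    "last": "5",
    "expiration": "2020-04-17 15:51:53",
}


def template_variables(template):
    """All placeholder names in the template, in order of first use."""
    seen = []
    for name in PLACEHOLDER.findall(template):
        if name not in seen:
            seen.append(name)
    return seen


def unknown_variables(template):
    """Placeholders that are not in the documented variable list (typos and the like)."""
    return [n for n in template_variables(template) if n not in ALLOWED_VARIABLES]


def check_template(template):
    """Return (ok, problems) for a template you are about to save."""
    problems = [f"unknown variable '{n}'" for n in unknown_variables(template)]
    if template.count("{{") != template.count("}}"):
        problems.append("unbalanced {{ }} delimiters")
    return (not problems, problems)


def render(template, user):
    """Substitute placeholders; refuse templates that fail the checks above."""
    ok, problems = check_template(template)
    if not ok:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: str(user[m.group(1)]), template)


if __name__ == "__main__":
    print(render(DEFAULT_TEMPLATE, SAMPLE_USER))
    print(check_template("Hi {{ fullnam }}, your password expires on {{ expiration }"))
```

Run check_template on the contents of /etc/ipa/epn/expire_msg.template after editing it; a result of (True, []) means every placeholder is a documented variable and the delimiters pair up.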
Verification
- Run the EPN tool and verify the email notification contains the updated text.
Additional resources
- See the ipa-epn man page.