Chapter 8. Managing expiring password notifications


You can use the Expiring Password Notification (EPN) tool, provided by the ipa-client-epn package, to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time. To install, configure, and use the EPN tool, refer to the relevant sections.

8.1. What is the Expiring Password Notification tool

The Expiring Password Notification (EPN) tool is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time.

IdM administrators can use EPN to:

  • Display a list of affected users in JSON format, which is created when run in dry-run mode.
  • Calculate how many emails will be sent for a given day or date range.
  • Send password expiration email notifications to users.
  • Configure the ipa-epn.timer to run the EPN tool daily and send an email to users whose passwords are expiring within the defined future date ranges.
  • Customize the email notification to send to users.
Note

If a user account is disabled, no email notifications are sent if the password is going to expire.

8.2. Installing the Expiring Password Notification tool

Follow this procedure to install the Expiring Password Notification (EPN) tool.

Prerequisites

  • Install the EPN tool on either an Identity Management (IdM) replica or an IdM client with a local Postfix SMTP server configured as a smart host.

Procedure

  • Install the EPN tool:

    # dnf install ipa-client-epn

8.3. Running the EPN tool to send emails to users whose passwords are expiring

You can use the Expiring Password Notification (EPN) tool to send emails to Identity Management (IdM) users whose passwords are expiring. You can choose one of the following methods:

  • Update the epn.conf configuration file and enable the ipa-epn.timer tool.
  • Update the epn.conf configuration file and run the EPN tool directly on the command line.
Note

The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.

Prerequisites

Procedure

  1. Open the epn.conf configuration file.

    # vi /etc/ipa/epn.conf
  2. Update the notify_ttls option as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s).

    notify_ttls = 28, 14, 7, 3, 1
    NOTE
    You must also activate the ipa-epn.timer tool to ensure that emails are sent.
  3. Configure your SMTP server and port:

    smtp_server = localhost
    smtp_port = 25
  4. Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address.

    mail_from = admin-email@example.com
  5. [Optional] If you want to use an encrypted channel of communication, specify the credentials to be used:

    • Specify the path to a single file in PEM format containing the certificate to be used by EPN to authenticate with the SMTP server:

      smtp_client_cert = /etc/pki/tls/certs/client.pem
      NOTE
      EPN is an SMTP client. The purpose of the certificate is client authentication, not secure SMTP delivery.
    • You can specify the path to a file that contains the private key. If not specified, the private key is taken from the certificate file.

      smtp_client_key = /etc/pki/tls/certs/client.key
    • If the private key is encrypted, specify the password for decrypting it.

      smtp_client_key_pass = Secret123!
  6. Save the /etc/ipa/epn.conf file.
  7. Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the --dry-run option.

    ipa-epn --dry-run
    [
        {
         "uid": "user5",
         "cn": "user 5",
         "krbpasswordexpiration": "2020-04-17 15:51:53",
         "mail": "['user5@ipa.test']"
        }
    ]
    [
        {
         "uid": "user6",
         "cn": "user 6",
         "krbpasswordexpiration": "2020-12-17 15:51:53",
         "mail": "['user5@ipa.test']"
         }
    ]
    The IPA-EPN command was successful
    Note

    If the list of users returned is very large and you run the tool without the --dry-run option, this might cause an issue with your email server.

  8. Run the EPN tool without the --dry-run option to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode:

    ipa-epn
    [
      {
         "uid": "user5",
         "cn": "user 5",
         "krbpasswordexpiration": "2020-10-01 15:51:53",
         "mail": "['user5@ipa.test']"
      }
    ]
    [
      {
        "uid": "user6",
        "cn": "user 6",
        "krbpasswordexpiration": "2020-12-17 15:51:53",
        "mail": "['user5@ipa.test']"
      }
    ]
    The IPA-EPN command was successful
  9. You can add EPN to any monitoring system and invoke it with the --from-nbdays and --to-nbdays options to determine how many users' passwords are going to expire within a specific time frame:

    # ipa-epn --from-nbdays 8 --to-nbdays 12
    Note

    If you invoke the EPN tool with the --from-nbdays and --to-nbdays options, it is automatically executed in dry-run mode.
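The selection rules the procedure above describes, as an added example that is not code from ipa-epn: which enabled users fall into one of the notify_ttls windows on a given day, how disabled accounts are skipped (see the note in Section 8.1), and how a --from-nbdays/--to-nbdays range is counted. The users, the "today" date and the epn.conf fragment are constructed; the [global] section name, the nsaccountlock field standing in for the disabled flag, and the half-open day range are assumptions of the example.

```python
"""Added example, not code from ipa-epn: the user-selection rules the
procedure describes (notify_ttls windows, disabled accounts skipped,
--from-nbdays/--to-nbdays counting), run over constructed sample users."""
import configparser
import json
from datetime import datetime

# Constructed epn.conf fragment using the keys shown in this chapter.
# The [global] section name is assumed here; only the keys come from the page.
EPN_CONF = """
[global]
notify_ttls = 28, 14, 7, 3, 1
smtp_server = localhost
smtp_port = 25
mail_from = admin-email@example.com
"""

# Constructed users in the shape of the dry-run output. nsaccountlock is a
# hypothetical stand-in for the IdM "account disabled" flag (True = disabled).
USERS = [
    {"uid": "user5", "cn": "user 5", "mail": ["user5@ipa.test"],
     "krbpasswordexpiration": "2020-04-17 15:51:53", "nsaccountlock": False},
    {"uid": "user6", "cn": "user 6", "mail": ["user6@ipa.test"],
     "krbpasswordexpiration": "2020-12-17 15:51:53", "nsaccountlock": False},
    {"uid": "user7", "cn": "user 7", "mail": ["user7@ipa.test"],
     "krbpasswordexpiration": "2020-04-24 09:00:00", "nsaccountlock": False},
    {"uid": "user8", "cn": "user 8", "mail": ["user8@ipa.test"],
     "krbpasswordexpiration": "2020-04-11 08:00:00", "nsaccountlock": True},
    {"uid": "user9", "cn": "user 9", "mail": ["user9@ipa.test"],
     "krbpasswordexpiration": "2020-04-20 10:00:00", "nsaccountlock": False},
    {"uid": "user10", "cn": "user 10", "mail": ["user10@ipa.test"],
     "krbpasswordexpiration": "2020-04-01 10:00:00", "nsaccountlock": False},
]

# Fixed "today" so the example is reproducible offline.
NOW = datetime(2020, 4, 10, 12, 0, 0)


def parse_notify_ttls(conf_text):
    """Read notify_ttls from epn.conf-style text into a descending list of days."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    raw = cfg.get("global", "notify_ttls")
    ttls = {int(part) for part in raw.split(",") if part.strip()}
    if any(t < 0 for t in ttls):
        raise ValueError("notify_ttls must not contain negative days")
    return sorted(ttls, reverse=True)


def days_until_expiry(user, now=NOW):
    """Whole calendar days from `now` to the user's krbpasswordexpiration."""
    exp = datetime.strptime(user["krbpasswordexpiration"], "%Y-%m-%d %H:%M:%S")
    return (exp.date() - now.date()).days


def as_dry_run_entry(user):
    """Shape one user the way the dry-run output in this chapter shows it."""
    return {"uid": user["uid"], "cn": user["cn"],
            "krbpasswordexpiration": user["krbpasswordexpiration"],
            "mail": user["mail"]}


def select_users(users, ttls, now=NOW):
    """Users to notify today: enabled accounts whose password expires in
    exactly one of the configured notify_ttls day counts."""
    wanted = set(ttls)
    return [as_dry_run_entry(u) for u in users
            if not u["nsaccountlock"] and days_until_expiry(u, now) in wanted]


def count_in_range(users, from_nbdays, to_nbdays, now=NOW):
    """Monitoring-style count for --from-nbdays/--to-nbdays. The range is
    treated here as [from, to) in days; the tool's exact boundary handling
    is not stated on this page and is an assumption of the example."""
    if from_nbdays < 0 or to_nbdays <= from_nbdays:
        raise ValueError("need 0 <= from_nbdays < to_nbdays")
    return sum(1 for u in users
               if not u["nsaccountlock"]
               and from_nbdays <= days_until_expiry(u, now) < to_nbdays)


def dry_run_json(users, conf_text=EPN_CONF, now=NOW):
    """JSON list in the style of `ipa-epn --dry-run`, without sending mail."""
    return json.dumps(select_users(users, parse_notify_ttls(conf_text), now),
                      indent=4)


if __name__ == "__main__":
    print(dry_run_json(USERS))
    print("users expiring in 8..12 days:", count_in_range(USERS, 8, 12))
```

Running the block prints user5 (7 days out) and user7 (14 days out) as the day's notification list; user8 is 1 day out but disabled, so it is skipped, and user9 at 10 days is only picked up by the 8..12 range count. Because the tool is stateless, the same day-count logic runs afresh on every invocation, which is why the timer (Section 8.4) has to fire daily for every notify_ttls value to be reached.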

Verification

  • Run the EPN tool and verify an email notification is sent.

Additional resources

  • The ipa-epn man page on your system.
  • The epn.conf man page on your system.

8.4. Enabling the ipa-epn.timer to send an email to all users whose passwords are expiring

Follow this procedure to use ipa-epn.timer to run the Expiring Password Notification (EPN) tool to send emails to users whose passwords are expiring. The ipa-epn.timer parses the epn.conf file and sends an email to users whose passwords are expiring within the defined future date ranges configured in that file.

Prerequisites

Procedure

  • Start the ipa-epn.timer:

    systemctl start ipa-epn.timer

Once you start the timer, by default, the EPN tool is run every day at 1 a.m.

Additional resources

  • The ipa-epn man page on your system.

8.5. Modifying the Expiring Password Notification email template

Follow this procedure to customize the Expiring Password Notification (EPN) email message template.

Prerequisites

  • The ipa-client-epn package is installed.

Procedure

  1. Open the EPN message template:

    # vi /etc/ipa/epn/expire_msg.template
  2. Update the template text as required.

    Hi {{ fullname }},
    
    Your password will expire on {{ expiration }}.
    
    Please change it as soon as possible.

    You can use the following variables in the template.

    • User ID: uid
    • Full name: fullname
    • First name: first
    • Last name: last
    • Password expiration date: expiration
  3. Save the message template file.
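How the template variables listed in step 2 are filled in, as an added example that is not ipa-epn's own rendering code: the {{ variable }} placeholders are substituted with one user's values, and any placeholder outside the documented set is rejected before a message is produced, so a typo in the template fails loudly instead of reaching users. The template copy and the user record are constructed; the page does not name the templating engine ipa-epn uses, so the regex substitution here is an assumption.

```python
"""Added example, not ipa-epn's own rendering code: fill the {{ variable }}
placeholders the chapter lists and refuse any placeholder the tool does not
define. The regex substitution is an assumption of this example."""
import re

# Variables the chapter lists for the template.
ALLOWED_VARIABLES = {"uid", "fullname", "first", "last", "expiration"}

# Matches {{ name }} with optional whitespace inside the braces.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed copy of the template text shown in step 2.
TEMPLATE = (
    "Hi {{ fullname }},\n"
    "\n"
    "Your password will expire on {{ expiration }}.\n"
    "\n"
    "Please change it as soon as possible.\n"
)

# Constructed user record, built from the dry-run fields shown in Section 8.3.
USER = {"uid": "user5", "fullname": "user 5", "first": "user", "last": "5",
        "expiration": "2020-04-17 15:51:53"}


def unknown_variables(template):
    """Placeholder names used in the template that EPN does not supply."""
    return sorted(set(PLACEHOLDER.findall(template)) - ALLOWED_VARIABLES)


def render(template, user):
    """Substitute every placeholder; raise rather than emit a half-filled mail."""
    bad = unknown_variables(template)
    if bad:
        raise ValueError("unknown template variable(s): " + ", ".join(bad))
    return PLACEHOLDER.sub(lambda m: str(user[m.group(1)]), template)


if __name__ == "__main__":
    print(render(TEMPLATE, USER))
```

Run unknown_variables() over /etc/ipa/epn/expire_msg.template after editing it and before starting the timer; an empty result means every placeholder is one of the five the tool provides.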

Verification

  • Run the EPN tool and verify the email notification contains the updated text.

Additional resources

  • See the ipa-epn man page on your system.