Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
Chapter 7. Managing expiring password notifications
Notify Identity Management (IdM) users about expiring passwords using the Expiring Password Notification (EPN) tool. Configure automated daily emails or run on-demand checks to help users change their passwords before they expire.
7.1. What is the Expiring Password Notification tool
The Expiring Password Notification (EPN) tool identifies Identity Management (IdM) users with expiring passwords and can send automated email notifications, generate reports, or run on a scheduled timer. Use EPN to help users change passwords proactively and avoid account lockouts.
IdM administrators can use EPN to:
- Display a list of affected users in JSON format, which is created when run in dry-run mode.
- Calculate how many emails will be sent for a given day or date range.
- Send password expiration email notifications to users.
-
Configure the
ipa-epn.timerto run the EPN tool daily and send an email to users whose passwords are expiring within the defined future date ranges. - Customize the email notification to send to users.
If a user account is disabled, no email notifications are sent if the password is going to expire.
7.2. Installing the Expiring Password Notification tool
Install the Expiring Password Notification (EPN) tool on an Identity Management (IdM) replica or client to enable password expiration email notifications.
Prerequisites
- Install the EPN tool on either an Identity Management (IdM) replica or an IdM client with a local Postfix SMTP server configured as a smart host.
Procedure
Install the EPN tool:
# dnf install ipa-client-epn
7.3. Running the EPN tool to send emails to users whose passwords are expiring
Configure and run the EPN tool to send password expiration email notifications to Identity Management (IdM) users.
To do this, follow one of the following methods:
-
Update the
epn.confconfiguration file and enable the ipa-epn.timer tool. -
Update the
epn.confconfiguration file and run the EPN tool directly on the command line.
The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.
Prerequisites
-
The
ipa-client-epnpackage is installed. See Installing the Expiring Password Notification tool. -
Customize the
ipa-epnemail template if required. See Modifying the Expiring Password Notification email template.
Procedure
Open the
epn.confconfiguration file.# vi /etc/ipa/epn.confUpdate the
notify_ttlsoption as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s).notify_ttls = 28, 14, 7, 3, 1NoteYou must also activate the
ipa-epn.timertool to ensure that emails are sent.Configure your SMTP server and port:
smtp_server = localhost smtp_port = 25Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address.
mail_from = admin-email@example.comOptional: If you want to use an encrypted channel of communication, specify the credentials to be used:
Specify the path to a single file in PEM format containing the certificate to be used by EPN to authenticate with the SMTP server:
smtp_client_cert = /etc/pki/tls/certs/client.pemNoteEPN is an SMTP client. The purpose of the certificate is client authentication, not secure SMTP delivery.
You can specify the path to a file that contains the private key. If not specified, the private key is taken from the certificate file.
smtp_client_key = /etc/pki/tls/certs/client.keyIf the private key is encrypted, specify the password for decrypting it.
smtp_client_key_pass = Secret123!
-
Save the
/etc/ipa/epn.conffile. Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the
--dry-runoption.# ipa-epn --dry-run [ { "uid": "user5", "cn": "user 5", "krbpasswordexpiration": "2020-04-17 15:51:53", "mail": "['user5@ipa.test']" } ] [ { "uid": "user6", "cn": "user 6", "krbpasswordexpiration": "2020-12-17 15:51:53", "mail": "['user5@ipa.test']" } ] The IPA-EPN command was successfulNoteIf the list of users returned is very large and you run the tool without the
--dry-runoption, this might cause an issue with your email server.Run the EPN tool without the
--dry-runoption to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode:# ipa-epn [ { "uid": "user5", "cn": "user 5", "krbpasswordexpiration": "2020-10-01 15:51:53", "mail": "['user5@ipa.test']" } ] [ { "uid": "user6", "cn": "user 6", "krbpasswordexpiration": "2020-12-17 15:51:53", "mail": "['user5@ipa.test']" } ] The IPA-EPN command was successfulYou can add EPN to any monitoring system and invoke it with the
--from-nbdaysand--to-nbdaysoptions to determine how many users passwords are going to expire within a specific time frame:# ipa-epn --from-nbdays 8 --to-nbdays 12NoteIf you invoke the EPN tool with the
--from-nbdaysand--to-nbdaysoptions, it is automatically executed in dry-run mode.
Verification
- Run the EPN tool and verify an email notification is sent.
7.4. Enabling the ipa-epn.timer to send an email to all users whose passwords are expiring
Enable the ipa-epn.timer to automatically run the EPN tool daily and send password expiration notifications.
The ipa-epn.timer parses the epn.conf file and sends an email to users whose passwords are expiring within the defined future date ranges configured in that file.
Prerequisites
-
The
ipa-client-epnpackage is installed. See Installing the Expiring Password Notification tool -
Customize the
ipa-epnemail template if required. See Modifying the Expiring Password Notification email template
Procedure
Start the
ipa-epn.timer:# systemctl start ipa-epn.timerOnce you start the timer, by default, the EPN tool is run every day at 1 a.m.
7.5. Modifying the Expiring Password Notification email template
Customize the EPN email template to change the message content and formatting. You can include user information such as name, ID, and password expiration date.
Prerequisites
-
The
ipa-client-epnpackage is installed.
Procedure
Open the EPN message template:
# vi /etc/ipa/epn/expire_msg.templateUpdate the template text as required.
Hi {{ fullname }}, Your password will expire on {{ expiration }}. Please change it as soon as possible.You can use the following variables in the template.
- User ID: uid
- Full name: fullname
- First name: first
- Last name: last
- Password expiration date: expiration
- Save the message template file.
Verification
- Run the EPN tool and verify the email notification contains the updated text.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}