Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 7. Managing expiring password notifications

You can use the Expiring Password Notification (EPN) tool, provided by the ipa-client-epn package, to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time. To install, configure, and use the EPN tool, refer to the relevant sections.

7.1. What is the Expiring Password Notification tool
Copiar o link

The Expiring Password Notification (EPN) tool is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time.

IdM administrators can use EPN to:

  • Display a list of affected users in JSON format, which is created when run in dry-run mode.
  • Calculate how many emails will be sent for a given day or date range.
  • Send password expiration email notifications to users.
  • Configure the ipa-epn.timer to run the EPN tool daily and send an email to users whose passwords are expiring within the defined future date ranges.
  • Customize the email notification to send to users.
Note

If a user account is disabled, no email notifications are sent if the password is going to expire.

7.2. Installing the Expiring Password Notification tool
Copiar o link

Follow this procedure to install the Expiring Password Notification (EPN) tool.

Prerequisites

  • Install the EPN tool on either an Identity Management (IdM) replica or an IdM client with a local Postfix SMTP server configured as a smart host.

Procedure

  • Install the EPN tool: 

    # dnf install ipa-client-epn
    Copy to Clipboard Toggle word wrap

7.3. Running the EPN tool to send emails to users whose passwords are expiring
Copiar o link

You can use the Expiring Password Notification (EPN) tool to send emails to Identity Management (IdM) users whose passwords are expiring. You can choose one of the following methods:

  • Update the epn.conf configuration file and enable the ipa-epn.timer tool.
  • Update the epn.conf configuration file and run the EPN tool directly on the command line.
Note

The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.

Prerequisites

Procedure

  1. Open the epn.conf configuration file. 

    # vi /etc/ipa/epn.conf
    Copy to Clipboard Toggle word wrap

  2. Update the notify_ttls option as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s). 

    notify_ttls = 28, 14, 7, 3, 1
    Copy to Clipboard Toggle word wrap
    Note

    You must also activate the ipa-epn.timer tool to ensure that emails are sent.

  3. Configure your SMTP server and port: 

    smtp_server = localhost
smtp_port = 25
    Copy to Clipboard Toggle word wrap

  4. Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address. 

    mail_from = admin-email@example.com
    Copy to Clipboard Toggle word wrap

  5. Optional: If you want to use an encrypted channel of communication, specify the credentials to be used:

    • Specify the path to a single file in PEM format containing the certificate to be used by EPN to authenticate with the SMTP server: 

      smtp_client_cert = /etc/pki/tls/certs/client.pem
      Copy to Clipboard Toggle word wrap
      Note

      EPN is an SMTP client. The purpose of the certificate is client authentication, not secure SMTP delivery.

    • You can specify the path to a file that contains the private key. If not specified, the private key is taken from the certificate file. 

      smtp_client_key = /etc/pki/tls/certs/client.key
      Copy to Clipboard Toggle word wrap

    • If the private key is encrypted, specify the password for decrypting it. 

      smtp_client_key_pass = Secret123!
      Copy to Clipboard Toggle word wrap
  6. Save the /etc/ipa/epn.conf file.

  7. Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the --dry-run option. 

    # ipa-epn --dry-run
[
    {
     "uid": "user5",
     "cn": "user 5",
     "krbpasswordexpiration": "2020-04-17 15:51:53",
     "mail": "['user5@ipa.test']"
    }
]
[
    {
     "uid": "user6",
     "cn": "user 6",
     "krbpasswordexpiration": "2020-12-17 15:51:53",
     "mail": "['user5@ipa.test']"
     }
]
The IPA-EPN command was successful
    Copy to Clipboard Toggle word wrap
    Note

    If the list of users returned is very large and you run the tool without the --dry-run option, this might cause an issue with your email server.

  8. Run the EPN tool without the --dry-run option to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode: 

    # ipa-epn
[
  {
     "uid": "user5",
     "cn": "user 5",
     "krbpasswordexpiration": "2020-10-01 15:51:53",
     "mail": "['user5@ipa.test']"
  }
]
[
  {
    "uid": "user6",
    "cn": "user 6",
    "krbpasswordexpiration": "2020-12-17 15:51:53",
    "mail": "['user5@ipa.test']"
  }
]
The IPA-EPN command was successful
    Copy to Clipboard Toggle word wrap

  9. You can add EPN to any monitoring system and invoke it with the --from-nbdays and --to-nbdays options to determine how many users passwords are going to expire within a specific time frame: 

    # ipa-epn --from-nbdays 8 --to-nbdays 12
    Copy to Clipboard Toggle word wrap
    Note

    If you invoke the EPN tool with the --from-nbdays and --to-nbdays options, it is automatically executed in dry-run mode.

Verification

  • Run the EPN tool and verify an email notification is sent.

Follow this procedure to use ipa-epn.timer to run the Expiring Password Notification (EPN) tool to send emails to users whose passwords are expiring. The ipa-epn.timer parses the epn.conf file and sends an email to users whose passwords are expiring within the defined future date ranges configured in that file.

Prerequisites

Procedure

  • Start the ipa-epn.timer: 

    # systemctl start ipa-epn.timer
    Copy to Clipboard Toggle word wrap

    Once you start the timer, by default, the EPN tool is run every day at 1 a.m.

7.5. Modifying the Expiring Password Notification email template
Copiar o link

Follow this procedure to customize the Expiring Password Notification (EPN) email message template.

Prerequisites

  • The ipa-client-epn package is installed.

Procedure

  1. Open the EPN message template: 

    # vi /etc/ipa/epn/expire_msg.template
    Copy to Clipboard Toggle word wrap

  2. Update the template text as required. 

    Hi {{ fullname }},

Your password will expire on {{ expiration }}.

Please change it as soon as possible.
    Copy to Clipboard Toggle word wrap

    You can use the following variables in the template.

    • User ID: uid
    • Full name: fullname
    • First name: first
    • Last name: last
    • Password expiration date: expiration
  3. Save the message template file.

Verification

  • Run the EPN tool and verify the email notification contains the updated text.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat