7.3. Running the EPN tool to send emails to users whose passwords are expiring


You can use the Expiring Password Notification (EPN) tool to send emails to Identity Management (IdM) users whose passwords are expiring. You can choose one of the following methods:

  • Update the epn.conf configuration file and enable the ipa-epn.timer tool.
  • Update the epn.conf configuration file and run the EPN tool directly on the command line.
Note

The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.

Prerequisites

Procedure

  1. Open the epn.conf configuration file.

    # vi /etc/ipa/epn.conf
  2. Update the notify_ttls option as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s).

    notify_ttls = 28, 14, 7, 3, 1
    Note

    You must also activate the ipa-epn.timer tool to ensure that emails are sent.

  3. Configure your SMTP server and port:

    smtp_server = localhost
    smtp_port = 25
  4. Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address.

    mail_from = admin-email@example.com
  5. Optional: If you want to use an encrypted channel of communication, specify the credentials to be used:

    • Specify the path to a single file in PEM format containing the certificate to be used by EPN to authenticate with the SMTP server:

      smtp_client_cert = /etc/pki/tls/certs/client.pem
      Note

      EPN is an SMTP client. The purpose of the certificate is client authentication, not secure SMTP delivery.

    • You can specify the path to a file that contains the private key. If not specified, the private key is taken from the certificate file.

      smtp_client_key = /etc/pki/tls/certs/client.key
    • If the private key is encrypted, specify the password for decrypting it.

      smtp_client_key_pass = Secret123!
  6. Save the /etc/ipa/epn.conf file.
  7. Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the --dry-run option.

    # ipa-epn --dry-run
    [
        {
         "uid": "user5",
         "cn": "user 5",
         "krbpasswordexpiration": "2020-04-17 15:51:53",
         "mail": "['user5@ipa.test']"
        }
    ]
    [
        {
         "uid": "user6",
         "cn": "user 6",
         "krbpasswordexpiration": "2020-12-17 15:51:53",
         "mail": "['user5@ipa.test']"
         }
    ]
    The IPA-EPN command was successful
    Note

    If the list of users returned is very large and you run the tool without the --dry-run option, this might cause an issue with your email server.

  8. Run the EPN tool without the --dry-run option to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode:

    # ipa-epn
    [
      {
         "uid": "user5",
         "cn": "user 5",
         "krbpasswordexpiration": "2020-10-01 15:51:53",
         "mail": "['user5@ipa.test']"
      }
    ]
    [
      {
        "uid": "user6",
        "cn": "user 6",
        "krbpasswordexpiration": "2020-12-17 15:51:53",
        "mail": "['user5@ipa.test']"
      }
    ]
    The IPA-EPN command was successful
  9. You can add EPN to any monitoring system and invoke it with the --from-nbdays and --to-nbdays options to determine how many users' passwords are going to expire within a specific time frame:

    # ipa-epn --from-nbdays 8 --to-nbdays 12
    Note

    If you invoke the EPN tool with the --from-nbdays and --to-nbdays options, it is automatically executed in dry-run mode.
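
For the monitoring use in step 9, the following added example (not part of the Red Hat documentation) parses output shaped like the dry-run listings above, which are several JSON arrays followed by a status line, and returns a count of distinct users. The function names and sample data are constructed here, and the code assumes the output format matches what this page shows.

```python
import json

# Constructed sample, shaped like the dry-run output shown in the procedure:
# one JSON array per batch of users, then a status line.
SAMPLE_OUTPUT = """[
    {
     "uid": "user5",
     "cn": "user 5",
     "krbpasswordexpiration": "2020-04-17 15:51:53",
     "mail": "['user5@ipa.test']"
    }
]
[
    {
     "uid": "user6",
     "cn": "user 6",
     "krbpasswordexpiration": "2020-12-17 15:51:53",
     "mail": "['user6@ipa.test']"
    }
]
The IPA-EPN command was successful
"""

SUCCESS_LINE = "The IPA-EPN command was successful"


def parse_epn_output(text):
    """Return (users, succeeded) from concatenated JSON arrays plus status line."""
    decoder = json.JSONDecoder()
    users, pos = [], 0
    while True:
        # Skip whitespace between consecutive JSON documents.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text) or text[pos] != "[":
            break
        batch, pos = decoder.raw_decode(text, pos)
        users.extend(batch)
    return users, SUCCESS_LINE in text[pos:]


def expiring_summary(text):
    """Hypothetical monitoring helper: distinct uids; fails if no success line."""
    users, ok = parse_epn_output(text)
    if not ok:
        raise RuntimeError("ipa-epn did not report success")
    uids = sorted({u["uid"] for u in users})
    return {"count": len(uids), "uids": uids}
```

In a monitoring job, pass the captured standard output of `ipa-epn --from-nbdays 8 --to-nbdays 12` to `expiring_summary` and alert on the returned count or on the raised error.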

Verification

  • Run the EPN tool and verify an email notification is sent.