Comments (9)

1 frenger commented Permalink

Hi Brian

 
Is there a way to get this working for LDAP as well?
lsuser -R LDAP would be an easy replacement but the harder part is to replace the /etc/security/passwd information by something like pwdadm -R LDAP -q <username>
I love your scripts :-)
 
Cheers Sebastian

2 frenger commented Permalink

Hi

I tried a bit to convert it to a more "ldapish" version, but it seems I get a problem with

    while ($user = getpwent()){
    my $u = $user->name;

because I need to generate the list of users not by Perl but by

    lsuser -R LDAP -a ALL

How do I get this done?
I replaced

    lssec -f /etc/security/passwd -a lastupdate -s $u | awk -F= '{print \$2}'

already with

    pwdadm -R LDAP -q $u | awk -F= '{print \$2}'

and this part seems to do the trick, but the script only pulls the local users and something else is messed up because all my results look like this:

    adm -15490 Thu Jan 1 01:00:00 1970 Thu Jan 1 01:00:00 1970 0
    ezdoc -15490 Thu Jan 1 01:00:00 1970 Thu Jan 1 01:00:00 1970 0
    sshd -15490 Thu Jan 1 01:00:00 1970 Thu Jan 1 01:00:00 1970 0

I guess I'm just too awful at Perl scripting ;)
Please help me!
Cheers Sebastian

3 brian_s commented Permalink

What does the output of your "pwdadm -R LDAP -q $u | awk -F= '{print \$2}' " return (substituting $u for some LDAP user)?

4 frenger commented Permalink

Hi Brian,

    root@p1nim1:/tmp/basti# pwdadm -R LDAP -q uvl677q
    uvl677q:
    lastupdate = 1337817600
    flags = ADMCHG

    root@p1nim1:/tmp/basti# pwdadm -R LDAP -q mkies0
    mkies0:
    lastupdate = 1337904000

    root@p1nim1:/tmp/basti# pwdadm -R LDAP -q q918665
    q918665:
    lastupdate = 1331683200

Seems like I need an additional grep lastupdate in the command as well.

Here is the command output with the awk:

    root@p1nim1:/tmp/basti# pwdadm -R LDAP -q mkies0 | awk -F= '{print $2}'

    1337904000

    root@p1nim1:/tmp/basti# TEST=$(pwdadm -R LDAP -q mkies0 | awk -F= '{print $2}')
    root@p1nim1:/tmp/basti# echo $TEST
    1337904000

and so it shall work:

    root@p1nim1:/tmp/basti# TEST=$(pwdadm -R LDAP -q uvl677q | grep lastupdate | awk -F= '{print $2}')
    root@p1nim1:/tmp/basti# echo $TEST
    1337817600
    root@p1nim1:/tmp/basti#

But I still have no clue how to get the initial user list into your Perl script (lsuser -R LDAP -a ALL)

Cheers Sebastian

5 brian_s commented Permalink

Something like this should work to get the list of LDAP users:

    for $u (`lsuser -R LDAP -a ALL`){
    chomp($u);

instead of:

    while ($user = getpwent()){
    my $u = $user->name;

6 frenger commented Permalink

Hi Brian

Thanks for the advice! I had to put $u in my ($user,%userids,$u); as well to get it working (I'm so proud of myself because I solved that issue).
So I guess I have to talk to our LDAP Admin because the output looks strange (I cross-checked the values, your script does the calculation thing right :) )

    s00mv80 -21 Fri May 11 02:00:00 2012 Fri Feb 25 01:00:00 2011 441
    uy3d7s1 -16 Wed May 16 02:00:00 2012 Wed Mar 2 01:00:00 2011 441
    q910018 -15 Thu May 17 02:00:00 2012 Thu Mar 3 01:00:00 2011 441
    q914459 -6 Sat May 26 02:00:00 2012 Sat Mar 12 01:00:00 2011 441
    q909120 1 Sat Jun 2 02:00:00 2012 Sat Mar 19 01:00:00 2011 441
    q909119 1 Sat Jun 2 02:00:00 2012 Sat Mar 19 01:00:00 2011 441
    q910583 21 Fri Jun 22 02:00:00 2012 Fri Apr 8 02:00:00 2011 441
    q913278 26 Wed Jun 27 02:00:00 2012 Wed Apr 13 02:00:00 2011 441
    mk6s56 29 Sat Jun 30 02:00:00 2012 Sat Apr 16 02:00:00 2011 441
    q915197 40 Wed Jul 11 02:00:00 2012 Wed Apr 27 02:00:00 2011 441

It's strange that most users have 01:00 or 02:00 AM timestamps on their records. I think the exact time of the change is not transferred to the LDAP Server. The second thing is that our LDAP Admin uses a maxage of 63, I guess he thought the value was in days ^^.

Thank you Brian for your help! If you like I can send you the final version that works with LDAP and you can offer it if someone else could use it.

Cheers Sebastian

7 brian_s commented Permalink

Yes, please send me the LDAP version and I'll add it to the posting in case anyone else needs it. Thanks!

8 Geoff_Alexander commented Permalink

Brian, Thanks for the script. One thing I found is that it doesn't correctly handle user IDs with no password expiration; that is, users whose maximum password age is 0. For these users, the script displays a red line indicating that the user's password has expired with DaysValid as 0 and DaysLeft as 0 minus the number of days since the password was last changed.

9 brian_s commented Permalink

Thanks Geoff. I posted an updated script at https://www.ibm.com/developerworks/community/blogs/brian/entry/updated_script_don_t_let_your_aix_passwords_expire?lang=en that fixes that.
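
Added example, not part of the thread and not Brian's script: a shell example of the three points raised in the comments above, namely picking only the lastupdate line out of the pwdadm stanza output, counting maxage in weeks, and reporting accounts with maxage 0 as never expiring. The function names, the sample stanza layout and the fixed NOW value are constructed for illustration.

```sh
#!/bin/sh
# Added example; the function names are hypothetical, not from Brian's script.

# Constructed sample shaped like the `pwdadm -R LDAP -q <user>` output in comment 4.
SAMPLE_STANZA='uvl677q:
        lastupdate = 1337817600
        flags = ADMCHG'

# Read one stanza on stdin and print only the lastupdate value.
# Matching on the key name skips the "user:" header and "flags = ADMCHG",
# which a bare awk -F= '{print $2}' would also emit.
get_lastupdate() {
    awk -F= '$1 ~ /^[ \t]*lastupdate[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# days_left LASTUPDATE MAXAGE_WEEKS NOW   (both times in epoch seconds)
# Prints "unknown" if a value is missing or not a number (a script that
#        treats an empty lastupdate as 0 reports dates at the 1970 epoch),
#        "never" if maxage is 0 (no password expiration),
#        else whole days until expiry; negative means already expired.
days_left() {
    last=$1 maxage=$2 now=$3
    case $last   in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $maxage in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$maxage" -eq 0 ]; then
        echo never
        return 0
    fi
    # maxage is counted in weeks, so 63 means 441 days, not 63.
    expires=$(( last + maxage * 7 * 86400 ))
    echo $(( (expires - now) / 86400 ))
}

# Demo on the constructed sample; NOW is a fixed, constructed timestamp
# (2012-06-01 00:00 UTC) so the result is reproducible.
NOW=1338508800
stamp=$(printf '%s\n' "$SAMPLE_STANZA" | get_lastupdate)
for weeks in 63 9 0; do
    printf 'maxage=%s -> %s\n' "$weeks" "$(days_left "$stamp" "$weeks" "$NOW")"
done
```

On a live system the stanza would come from `pwdadm -R LDAP -q "$u" | get_lastupdate` and NOW from the current epoch time.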