Updates for packages

roles/Password/package/ldap-userreport

@@ -1,54 +1,95 @@
 #!/bin/bash
 
-hostname=`hostname`
-errortext="ERROR:NEVER"
-arg="$1"
-
-function shortshow() {
-    echo ${user}": "$email
+function getLDAPAttr() {
+    ### Get an LDAP attribute
+    # param: filter
+    # param attribute
+    filter="${1}"
+    attribute="${2}"
+    ldapsearch -x "${filter}" "${attribute}" | grep -E "^${attribute}: " | sed "s/${attribute}: //"
 }
 
-basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\  | sed 's/dn: cn=root,//'`
+# Clear cleanup files
+ldif="/root/cleanup.ldif"
+>"${ldif}"
+bash="/root/cleanup.bash"
+echo "#!/bin/bash" > "${bash}"
 
-for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\  | sed 's/^uid: //'`; do
+# Attributes
+basedn=`getLDAPAttr '(cn=root)' dn | sed 's/cn=root,//'`
+pwdMaxAge=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdMaxAge`
+warning=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdExpireWarning`
+pwdWarnAge=$(( $pwdMaxAge - $warning ))
+unset EXPIRED EXPIRING OK PENDING
+
+### Check all users
+for user in `ldapsearch -x -b "ou=People,$basedn" uid | grep -E ^uid:\  | sed 's/^uid: //'`; do
 
     # Pull changed stats
     lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
-    created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
-    email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
+    # created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
+    # email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
 
+    # If user has PENDING changed, report
     if [ -z "$lastChanged" ]; then
-        lastChanged="$errortext";
+        if [ -z "${PENDING}" ]; then
+            PENDING="${user}"
+        else
+            PENDING="${PENDING},${user}"
+        fi
+
     else
         delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8)  +%s`))"
-    fi
-    lastlog=`lastlog -u $user | tail -n 1`
-    if [ `echo $lastlog | grep -c 'Never logged in'` -gt 0 ]; then
-        lastlog=$errortext
-    else
-        lastlog=`echo $lastlog | awk '{$1="";$2="";$3="";print $0 }'`
-    fi
-    printf "User $user (email: $email, created: $created) last changed their password on $lastChanged. They last logged in to SSH on $hostname on $lastlog\n" | (
-    case "$arg" in
-        "--inactive")
-            if grep -E $errortext'$' &> /dev/null; then shortshow; fi
-            ;;
-        "--needschange")
-            if [ "$lastChanged" == "$errortext" ]; then
-                shortshow
+
+        # Report if user is expired
+        if [ $delta -gt $pwdMaxAge ]; then
+            if [ -z "${EXPIRED}" ]; then
+                EXPIRED="${user}"
             else
-                if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi
+                EXPIRED="${EXPIRED},${user}"
             fi
-            ;;
-        "--expired")
-            if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge 31536000 ]; then
-                shortshow;
+            printf "dn: uid=${user},ou=People,${basedn}\nchangetype: delete\n\n" >> "${ldif}"
+            printf "rm -Rf `getent passwd "${user}" | cut -f 6 -d ':'`\n" >> "${bash}"
+
+        # Report if the user is expiring and needs to update their password.
+        elif [ $delta -gt $pwdWarnAge ] && [ $delta -le $pwdMaxAge ]; then
+            if [ -z "${EXPIRING}" ]; then
+                EXPIRING="${user}"
+            else
+                EXPIRING="${EXPIRING},${user}"
             fi
-            ;;
-        *)
-            cat
-            ;;
-    esac
-    )
+
+        # Record the user account is OK.
+        else
+            if [ -z "${OK}" ]; then
+                OK="${user}"
+            else
+                OK="${OK},${user}"
+            fi
+        fi
+    fi
 
 done
+
+### Results
+# Should always have OK users in the tree.
+echo "OK: ${OK}"
+
+# Report when there are users that have not changed their password.
+# This may be normal, such as for new user accounts, and may not drive action.
+if [ -n "$PENDING" ]; then
+    echo "PENDING: ${PENDING}"
+fi
+
+# Report when users are expiring -- give them several notices to fix it.
+if [ -n "${EXPIRING}" ]; then
+    echo "EXPIRING: ${EXPIRING}"
+    ravensend -c "#tech" -m "The following users are expiring: ${EXPIRING}"
+fi
+
+# Report users that have expired. These users should be contacted or removed.
+if [ -n "${EXPIRED}" ]; then
+    echo "EXPIRED: ${EXPIRED}"
+    echo "Expired users can be cleaned up with ${ldif} and ${bash}"
+    ravensend -c "#sharingan" -m 'Users have expired and need attention.'
+fi