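<?php

declare(strict_types=1);

// Provided AS IS under the GNU license located at: http://www.gnu.org/licenses/gpl.txt
//
// To use the script:
// Set the variables below, then execute the script with the users OU as an argument.
// Example: /path/to/scriptdir/check_expire.php -o "CN=People, DC=Domain, DC=org"
// After setting the options below, be sure to update the two email templates included
// to include your company logo and instructions for the end-user.
//
// Requires PHP 7+ with the ldap extension on a 64-bit build: AD stores password
// expiry as a count of 100-nanosecond intervals since 1601, which does not fit
// in a 32-bit integer.

// ---------------------------------------------------------------------------
// Options
// ---------------------------------------------------------------------------

// Full path to the directory holding this script and the *.tpl files (trailing slash).
$scriptPath = "/usr/local/pwdexpire/";
// A regular user to bind to AD, in UPN format. The script only reads, so an
// unprivileged account is sufficient.
$ldapupn = "[email protected]";
// That user's password. This is a cleartext secret inside the script: keep the
// file readable only by the account that runs it.
$ldappass = "password";
// To make a connection to the domain controller over SSL use ldaps:// instead of ldap://
// (with plain ldap:// the bind password crosses the network in cleartext).
$ldaphost = "ldap://dc.sub.domain.tld/";
// How many days out to start warning the user.
$warndays = 15;
// From email header on end-user notifications.
$useremailheader = "MIME-Version: 1.0" . "\r\n";
$useremailheader .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$useremailheader .= "From: IT Support <[email protected]>" . "\r\n";
// Email alias for administrators. This email will get a listing of the users that are expiring.
$adminemailto = "[email protected]";
// From email header on admin notifications.
$adminemailheader = "MIME-Version: 1.0" . "\r\n";
$adminemailheader .= "Content-type:text/html;charset=UTF-8" . "\r\n";
$adminemailheader .= "From: IT Support <[email protected]>" . "\r\n";
// Debugging Options
// 1 is Enabled, 0 is Disabled
// When debug is enabled, no emails will be sent to the users.
$debug = 0;

// ---------------------------------------------------------------------------
// End Options - Begin Workflow
// ---------------------------------------------------------------------------

/*
AD date values. Offset is approximate 10millionths of a second from
1/1/1601 to 1/1/1970 (Epoch). MS stores the time as number of 100 nanoseconds
since 1/1/1601. Since we get epoch from time(), we need to add the difference.
*/
const AD_EPOCH_OFFSET = 116444736000000000;
// 100-nanosecond intervals in one second and in one day.
const AD_INTERVALS_PER_SECOND = 10000000;
const AD_INTERVALS_PER_DAY = 864000000000;

/**
 * Convert an AD timestamp (100 ns intervals since 1601-01-01) to a Unix epoch
 * in whole seconds. Fractional seconds are truncated toward zero, matching the
 * integer-part behaviour of the original split()-based conversion.
 */
function adTimeToEpoch(int $adTime): int
{
    return intdiv($adTime - AD_EPOCH_OFFSET, AD_INTERVALS_PER_SECOND);
}

/**
 * Escape a directory value for insertion into the HTML email templates.
 * The templates are sent as text/html, so every substituted value must be
 * escaped for that context.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Load a template file and substitute its placeholders.
 *
 * @param array<string, string> $replacements placeholder => already-escaped value
 * @return string|null the rendered body, or null when the template is missing or unreadable
 */
function renderTemplate(string $path, array $replacements): ?string
{
    if (!is_file($path)) {
        return null;
    }
    $body = file_get_contents($path);
    if ($body === false) {
        return null;
    }

    return strtr($body, $replacements);
}

// Default variables
$listforadmin = "";
$filter = "(&(objectCategory=Person)(objectClass=User))";
$attrib = ["sn", "givenname", "cn", "sAMAccountName", "msDS-UserPasswordExpiryTimeComputed", "mail"];

// Check that the proper command line arguments have been passed to the script.
// getopt() returns an array for a repeated -o; only a single string is accepted.
$argumentOU = getopt("o:");
if ($argumentOU === false || !isset($argumentOU['o']) || !is_string($argumentOU['o'])) {
    fwrite(STDERR, "You must specify an LDAP OU in the arguments passed to this script. Example: /path/to/scriptdir/scriptname.php -o \"CN=Users, DC=Domain, DC=org\" \n");
    exit(1);
}
$dn = $argumentOU['o'];
echo "Checking for expired passwords in OU: {$dn}\n";

// An empty password makes ldap_bind() perform an anonymous bind, which would
// "succeed" and then search with whatever anonymous access the DC allows.
if ($ldappass === '') {
    fwrite(STDERR, "LDAP bind password is empty; refusing to continue.\n");
    exit(1);
}

// Get current time
$now = time();
$currentdatehuman = date("m-d-Y", $now);
$daystowarn = AD_INTERVALS_PER_DAY * (int) $warndays;
// Set current date in large int as AD does
$dateasadint = ($now * AD_INTERVALS_PER_SECOND) + AD_EPOCH_OFFSET;
// Set search value for todays date plus warning time.
$warndatethresh = $dateasadint + $daystowarn;
echo "Current Date: $currentdatehuman\n";
echo "Now in Epoch: $now \n";
echo "Using number days to warn: " . (int) $warndays . "\n";

// Connect to LDAP
echo "Beginning LDAP search...\n";
$ldapconn = ldap_connect($ldaphost);
if ($ldapconn === false) {
    fwrite(STDERR, "Could not connect to {$ldaphost}.\n");
    exit(1);
}
// Active Directory requires LDAP protocol version 3, and searches rooted at a
// domain/OU base return referrals that libldap would otherwise try to chase.
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

echo "LDAP connected, attempting bind.\n";
// Bind to LDAP. A failed bind used to be reported and then ignored; searching on
// an unbound connection cannot succeed, so stop here with a non-zero exit code.
if (!ldap_bind($ldapconn, $ldapupn, $ldappass)) {
    fwrite(STDERR, "LDAP bind failed: " . ldap_error($ldapconn) . "\n");
    exit(1);
}
echo "LDAP bind successful.\n";

// Search LDAP using filter, get the entries, and set count.
// NOTE: a single AD search returns at most the server's page size (1000 by
// default); larger OUs need paged results, which this script does not request.
$search = ldap_search($ldapconn, $dn, $filter, $attrib, 0, 0);
if ($search === false) {
    fwrite(STDERR, "Could not search LDAP server: " . ldap_error($ldapconn) . "\n");
    exit(1);
}
$dsarray = ldap_get_entries($ldapconn, $search);
if ($dsarray === false) {
    fwrite(STDERR, "Could not read LDAP search results: " . ldap_error($ldapconn) . "\n");
    exit(1);
}
$count = (int) $dsarray["count"];
echo "$count Entries found.\n";

for ($i = 0; $i < $count; $i++) {
    // ldap_get_entries() lowercases attribute names; every attribute may be absent.
    $entry = $dsarray[$i];
    $entryDn = (string) ($entry['dn'] ?? '');
    $cn = (string) ($entry['cn'][0] ?? '');
    $sam = (string) ($entry['samaccountname'][0] ?? '');
    $mailAttr = (string) ($entry['mail'][0] ?? '');
    $expiryRaw = $entry['msds-userpasswordexpirytimecomputed'][0] ?? null;

    if ($expiryRaw === null) {
        echo "Name: {$cn} \t\t Date: (no password expiry returned) \t{$entryDn}\n";
        continue;
    }

    // Converts large int from AD to epoch then to human readable format
    $expiryAd = (int) $expiryRaw;
    $timehuman = date("m-d-Y H:i:s", adTimeToEpoch($expiryAd));
    echo "Name: {$cn} \t\t Date: $timehuman \t{$entryDn}\n";

    // Check to see if password expiration is within our warning time limit.
    if ($expiryAd < $dateasadint || $expiryAd > $warndatethresh) {
        continue;
    }

    $listforadmin .= "{$sam} expires at $timehuman\r\n";
    print "WARNING! Password will expire.\n";
    echo "Sending email to {$cn} at address {$mailAttr} \n";

    // When debug is enabled, no emails are sent to users.
    if ((int) $debug !== 0) {
        continue;
    }

    // If mail is defined in LDAP and is a single well-formed address use it, otherwise
    // send to the admin email. Validating here also keeps an odd attribute value from
    // being passed to mail() as a recipient.
    $userto = filter_var($mailAttr, FILTER_VALIDATE_EMAIL) !== false ? $mailAttr : $adminemailto;
    $usersubject = "Password for {$sam} will expire soon!";

    // Warning Email
    // Get the email from a template in the same directory as this script.
    $userbody = renderTemplate($scriptPath . "user_email.tpl", [
        "__DISPLAYNAME__" => escapeHtml($cn),
        "__SAMACCOUNTNAME__" => escapeHtml($sam),
        "__EXPIRETIME__" => escapeHtml($timehuman),
    ]);
    if ($userbody === null) {
        // Previously an empty/undefined body was mailed; skip instead.
        fwrite(STDERR, "Template {$scriptPath}user_email.tpl not readable; user email not sent.\n");
        continue;
    }

    // Send the email to the user.
    if (mail($userto, $usersubject, $userbody, $useremailheader)) {
        echo("User email successfully sent.\n");
    } else {
        echo("User email delivery failed.\n");
    }
}

// Send email of users to admin.
if ($listforadmin !== '') {
    $adminsubject = "List of Expired Passwords";
    $adminbody = renderTemplate($scriptPath . "admin_email.tpl", [
        "__CURRENTDATE__" => escapeHtml($currentdatehuman),
        "__USERLIST__" => escapeHtml($listforadmin),
        "__USEROU__" => escapeHtml($dn),
    ]);
    if ($adminbody === null) {
        fwrite(STDERR, "Template {$scriptPath}admin_email.tpl not readable; admin email not sent.\n");
    } elseif (mail($adminemailto, $adminsubject, $adminbody, $adminemailheader)) {
        echo("Admin email successfully sent.\n");
    } else {
        echo("Admin email delivery failed.\n");
    }
}

// Unbind and Disconnect from Server
if (ldap_unbind($ldapconn)) {
    echo "LDAP successfully unbound.\n";
} else {
    echo "LDAP not unbound.\n";
}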