pwMonitor.py

What does this program do?

pwMonitor sends reminder messages to users as their password nears expiration. When coupled with OSXPass, the user can be sent an email reminder that includes a URL to change their password. An optional password report is also available, showing the current password aging.

How does it work?

As of 10.4, there is no way to find out how old a user's password is from the Password Server. So what do we do instead? We must scan the Password Server's log files ourselves, recording the logged password changes in our own database, and then, at our convenience, determine how old a user's password is.
Every day, normally as close to just after midnight as possible, the pwMonitor script
scans the logs looking for password changes made the previous day. The aging of each user's
is then computed using
Any users who reach the set number of days before expiration are then sent an email message. This is
handled by first creating the necessary headers, and then adding the text in the file
Finally, an optional password report is sent out. This time, the headers are based on the file
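
The scan, record and age steps described above, as an added example that is not taken from pwMonitor.py: the log line layout, the table name, the function names and the policy values (90-day expiry, reminders at 14, 7 and 1 days) are all assumptions made for illustration.

```python
import re
import sqlite3
from datetime import date

MAX_AGE_DAYS = 90                # assumed policy: passwords expire after 90 days
REMIND_DAYS_BEFORE = (14, 7, 1)  # assumed reminder points, in days before expiry

# Constructed line layout for this example only, not the Password Server's format.
CHANGE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} PASSWORD_CHANGED user=([A-Za-z0-9._-]+)")

# Constructed sample input.
SAMPLE_LOG = [
    "2005-11-01 00:03:12 PASSWORD_CHANGED user=alice",
    "2005-11-01 23:59:58 PASSWORD_CHANGED user=bob",
    "2005-11-01 09:00:00 AUTH_FAILED user=dave",
    "2005-11-01 10:00:00 PASSWORD_CHANGED user=eve extra=1",
    "2005-11-02 08:15:00 PASSWORD_CHANGED user=carol",
]

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS changes"
               "(user TEXT PRIMARY KEY, changed TEXT NOT NULL)")
    return db

def record_changes(db, log_lines, day):
    """Store the password changes logged on `day`; return how many were seen."""
    seen = 0
    for line in log_lines:
        # fullmatch rejects lines with trailing or unexpected fields, so only
        # well-formed user names reach the database and, later, the mailer.
        m = CHANGE_RE.fullmatch(line.strip())
        if m is None or m.group(1) != day.isoformat():
            continue
        # One row per user, so scanning the same day twice adds nothing.
        db.execute("INSERT OR REPLACE INTO changes(user, changed) VALUES (?, ?)",
                   (m.group(2), m.group(1)))
        seen += 1
    return seen

def users_to_remind(db, today):
    """Return {user: days_left} for users sitting exactly on a reminder point."""
    due = {}
    for user, changed in db.execute("SELECT user, changed FROM changes"):
        # Subtract calendar dates, not timestamps, so time of day never shifts the age.
        days_left = MAX_AGE_DAYS - (today - date.fromisoformat(changed)).days
        if days_left in REMIND_DAYS_BEFORE:
            due[user] = days_left
    return due
```
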
Configuration

There are a minimum of two files that must be edited. In pwMonitor.py, a number of variables must be set to the appropriate domain, email addresses, and password timing:
While testing the script you may want to add execute permissions for the script file with
If you will be emailing out reports, you must also edit the reportMsgHeader.txt file to contain the recipients who will be receiving the reports, as well as setting kSendReports to True. The script will need to run once every day. On Tiger, launchd could be used for this. But for
Tiger & Panther servers this can be done by adding a cron entry for the root user that would look
something like the one below:

To allow browser-based password changes, you'll also want to set up OSXPass. Then provide a link to this service in your reminder message (reminderMsgBody.txt) to provide a complete package.

What are the requirements for this program?

This program has been tested on Mac OS Server 10.4.2-5, with some testing done on 10.3.9.

Limitations

The password server must be running on the same system as the script. To email reports, Postfix must be configured sufficiently to allow email to be sent. It is possible that reminders may rarely be sent out too soon due to limitations in how dates are calculated.
Download pwMonitor.py and its message files