pwMonitor.py

What does this program do?

pwMonitor sends reminder messages to users as their password nears expiration. When coupled with OSXPass, the user can be sent an email reminder that includes a URL to change their password. An optional password report is also available, showing the current password aging.

How does it work?

As of Mac OS X Server 10.4, the Password Server offers no way to find out how old a user's password is. So what do we do instead? pwMonitor scans the Password Server's log files itself, records each logged password change in its own database, and then, whenever needed, computes the age of a user's password from those records.

Every day, normally as soon after midnight as possible, the pwMonitor script scans the logs for password changes made the previous day. The age of each user's password is then compared against kDaysBeforeExpiration to find users who are nearing expiration. A user whose password is exactly kFirstWarningDays or kSecondWarningDays days from expiration is due a warning message.

Any users who reach the set number of days before expiration are then sent an email message. This is handled by first creating the necessary headers, and then adding the text in the file reminderMsgBody.txt.

Finally, an optional password report is sent out. This time, the headers are based on the file reportMsgHeader.txt, and the body is dynamically created based on the password data.
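The following is an added illustration of the approach described above (log scan, own change database, age check, reminder headers plus body); it is not code from pwMonitor itself. The Password Server log format is not shown on this page, so the sample log lines, the matching regular expression, the example domain and sender address are all assumptions, and a plain dict stands in for the script's database. It also shows one way to keep the day arithmetic exact, which addresses the date-calculation caveat in the Limitations section: working with calendar dates rather than clock times keeps the age a whole number of days.

```python
"""Illustration of the pwMonitor technique (added example, not the project's code).

Assumed, not taken from the page: the log line format below, the domain,
the sender address, and the dict used in place of the script's own database.
"""
import re
from datetime import date, datetime
from email.message import EmailMessage

# Settings with the same names as the README's configuration variables.
kDomain = "example.com"                      # assumed value
kRemFrom = "password-reminders@example.com"  # assumed value
kDaysBeforeExpiration = 90
kFirstWarningDays = 14
kSecondWarningDays = 3

# Constructed sample log lines in a made-up format; the real Password Server
# log format is not documented on this page.
SAMPLE_LOG = """\
Jan 01 2006 00:12:31 PASSWORD CHANGED for user alice
Jan 05 2006 09:40:02 AUTH OK for user bob
Jan 20 2006 17:03:55 PASSWORD CHANGED for user bob
Feb 10 2006 08:15:00 PASSWORD CHANGED for user alice
"""
CHANGE_RE = re.compile(r"^(\w{3} \d{2} \d{4}) \S+ PASSWORD CHANGED for user (\S+)$")


def record_changes(log_text, db):
    """Scan log text for password changes and keep the latest change date per user.

    db maps account name -> date of the last recorded change; it plays the
    role of the script's own password-change database."""
    for line in log_text.splitlines():
        m = CHANGE_RE.match(line)
        if not m:
            continue
        changed = datetime.strptime(m.group(1), "%b %d %Y").date()
        user = m.group(2)
        if user not in db or changed > db[user]:
            db[user] = changed
    return db


def password_age(db, user, today):
    """Whole days since the recorded change.

    date objects carry no time of day or zone, so the difference is an exact
    integer and cannot drift by an hour across a DST change."""
    return (today - db[user]).days


def users_to_warn(db, today):
    """Return {user: days_left} for users sitting exactly on a warning threshold."""
    warn = {}
    for user in db:
        days_left = kDaysBeforeExpiration - password_age(db, user, today)
        if days_left in (kFirstWarningDays, kSecondWarningDays):
            warn[user] = days_left
    return warn


def expired_users(db, today):
    """Accounts whose password age has reached kDaysBeforeExpiration."""
    return sorted(u for u in db if password_age(db, u, today) >= kDaysBeforeExpiration)


def reminder_address(user):
    """Account name with kDomain appended, as the README describes kDomain."""
    return "%s@%s" % (user, kDomain)


def build_reminder(user, days_left, body_text):
    """Headers first, then the body text (read from reminderMsgBody.txt in the real script)."""
    msg = EmailMessage()
    msg["From"] = kRemFrom
    msg["To"] = reminder_address(user)
    msg["Subject"] = "Your password expires in %d days" % days_left
    msg.set_content(body_text)
    return msg


if __name__ == "__main__":
    db = record_changes(SAMPLE_LOG, {})
    today = date(2006, 4, 27)
    for user, days_left in users_to_warn(db, today).items():
        print(build_reminder(user, days_left, "Please change your password.").as_string())
    print("expired:", expired_users(db, today))
```

In the real script the dict would be replaced by whatever persistent store the script uses, and the scan would be limited to the previous day's lines; the threshold comparison and the date handling are the parts worth copying.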

Configuration

At least two files must be edited. In pwMonitor.py, a number of variables must be set to the appropriate domain, email addresses, and password timing:

  • kDomain: must be set to the domain that should be added to the account names.
  • kRemFrom: email address used as the sender of password reminders.
  • kRemBody: path to file containing the body of the user password reminder message.
  • kDaysBeforeExpiration: number of days before a password is considered to be expired.
  • kFirstWarningDays: when the first email reminder should be sent.
  • kSecondWarningDays: when the second email reminder should be sent.
  • kReportMsgHeaderPath: message headers used for password report emails.

While testing the script you may want to add execute permissions for the script file with chmod u+x pwMonitor.py or a similar command.

If you will be emailing out reports, you must also edit the reportMsgHeader.txt file to contain the recipients who will be receiving the reports, as well as setting kSendReports to True.

The script will need to run once every day. On Tiger, launchd could be used for this; on both Tiger and Panther servers it can be done by adding a cron entry for the root user that looks something like the one below:

01 00 * * * /usr/bin/python -OO /Users/Shared/pwMonitor.py

Because the job runs as root, make sure the script file and its message files are owned by root and not writable by other users.

To allow browser based password changes, you'll also want to set up OSXPass. Then provide a link to this service in your reminder message (reminderMsgBody.txt) to provide a complete package.

What are the requirements for this program?

This program has been tested on Mac OS X Server 10.4.2 through 10.4.5, with some testing done on 10.3.9.

Limitations

The Password Server must be running on the same system as the script, since the script reads its log files locally. To email reports, Postfix must be configured well enough to allow mail to be sent. In rare cases a reminder may be sent a day too soon because of limitations in how the script calculates dates.


Download pwMonitor.py and its message files