Knowledge Base (Posts about expiration)https://bgstack15.ddns.net/blog/enContents © 2023 <a href="mailto:bgstack15@gmail.com">bgstack15</a> <a rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <img alt="Creative Commons License BY-SA" style="border-width:0; margin-bottom:12px;" src="https://bgstack15.ddns.net/.images/l_by-sa_4.0_88x31.png"></a>Mon, 13 Feb 2023 14:30:29 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssPowershell find user password expiration datehttps://bgstack15.ddns.net/blog/posts/2022/09/26/powershell-find-user-password-expiration-date/bgstack15<h6>edited 2023-02-09</h6> <p>This started as a direct duplicate of <a href="https://powershell-guru.com/powershell-tip-38-find-the-user-password-expiration-date/">https://powershell-guru.com/powershell-tip-38-find-the-user-password-expiration-date/</a> but I improved it.</p> <p>For a nice powershell function that shows a human-readable date for when the password expires on an account:</p> <div class="code"><pre class="code literal-block"><span class="k">function</span><span class="w"> </span><span class="nf">Get</span><span class="o">-</span><span class="n">ADUserPasswordExpiration</span><span class="w"></span> <span class="p">{</span><span class="w"></span> <span class="w"> </span><span class="n">Param</span><span class="w"></span> <span class="w"> </span><span class="p">(</span><span class="w"></span> <span class="w"> </span><span class="p">[</span><span class="nb">string</span><span class="p">]</span>$<span class="n">Identity</span><span class="w"></span> <span class="w"> </span><span class="p">,[</span><span class="n">Parameter</span><span class="w"> </span><span class="p">(</span><span class="n">Mandatory</span><span class="p">=</span>$<span class="n">False</span><span class="p">)][</span><span class="nb">string</span><span class="p">]</span>$<span class="n">Server</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">"ipa.example.com"</span><span class="w"></span> <span class="w"> </span><span class="p">,[</span><span class="n">Parameter</span><span class="w"> </span><span class="p">(</span><span class="n">Mandatory</span><span class="p">=</span>$<span class="n">False</span><span class="p">)][</span><span class="n">System</span><span class="p">.</span><span class="n">Management</span><span class="p">.</span><span class="n">Automation</span><span class="p">.</span><span class="n">PSCredential</span><span class="p">]</span>$<span class="n">Credential</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">[</span><span class="n">System</span><span class="p">.</span><span class="n">Management</span><span class="p">.</span><span class="n">Automation</span><span class="p">.</span><span class="n">PSCredential</span><span class="p">]::</span><span class="n">Empty</span><span class="w"></span> <span class="w"> </span><span class="p">)</span><span class="w"></span> <span class="w"> </span>$<span class="n">Params</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">@{</span><span class="w"></span> <span class="w"> </span><span class="n">Identity</span><span class="w"> </span><span class="p">=</span><span class="w"> </span>$<span class="n">Identity</span><span class="w"></span> <span class="w"> </span><span class="n">Server</span><span class="w"> </span><span class="p">=</span><span class="w"> </span>$<span class="n">Server</span><span class="w"></span> <span class="w"> </span><span class="n">Properties</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="s">'msDS-UserPasswordExpiryTimeComputed'</span><span class="w"></span> <span class="w"> </span><span class="p">}</span><span class="w"></span> <span class="w"> </span><span class="n">If</span><span class="w"> </span><span class="p">(</span>$<span class="n">Credential</span><span class="p">.</span><span class="n">UserName</span><span class="p">){</span>$<span class="n">Params</span><span class="p">[</span><span class="s">"Credential"</span><span class="p">]=</span>$<span class="n">Credential</span><span class="p">}</span><span class="w"></span> <span class="w"> </span><span class="p">[</span><span class="n">DateTime</span><span class="p">]::</span><span class="n">FromFileTime</span><span class="p">(</span>$<span class="p">((</span><span class="n">Get</span><span class="o">-</span><span class="n">ADUser</span><span class="w"> </span><span class="p">@</span><span class="n">Params</span><span class="p">).</span><span class="o">'</span><span class="n">msDS</span><span class="o">-</span><span class="n">UserPasswordExpiryTimeComputed</span><span class="o">'</span><span class="p">))</span><span class="w"></span> <span class="p">}</span><span class="w"></span> </pre></div> <p>My value-add includes the optioanl <code>-Server</code> and <code>-Credential</code> parameters.</p> <h4>Also from that source</h4> <p>To list all the Active Directory constructed attributes:</p> <div class="code"><pre class="code literal-block"><span class="nv">Get</span><span class="o">-</span><span class="nv">ADObject</span><span class="w"> </span><span class="o">-</span><span class="nf">SearchBase</span><span class="w"> </span><span class="p">(</span><span class="nv">Get</span><span class="o">-</span><span class="nv">ADRootDSE</span><span class="p">)</span><span class="o">.</span><span class="nv">SchemaNamingContext</span><span class="w"> </span><span class="o">-</span><span class="nv">LDAPFilter</span><span class="w"> </span><span class="s">"(&amp;(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"</span><span class="w"></span> </pre></div>expirationpasswordpowershelluserhttps://bgstack15.ddns.net/blog/posts/2022/09/26/powershell-find-user-password-expiration-date/Mon, 26 Sep 2022 12:46:19 GMTMonitor freeipa certificate expirationshttps://bgstack15.ddns.net/blog/posts/2021/11/02/monitor-freeipa-certificate-expirations/bgstack15<h2>Project freeipa-cert-alert</h2> <h3>Overview</h3> <p>Freeipa-cert-alert is a small project that lists the certificates from an IPA server that will expire soon. The idea is to pass the output to a mail or logging utility.</p> <p>I wanted to manipulate the objects coming from freeipa more directly than parsing the textual output (which is not a terrible way to do it), because I know that FreeIPA is a Python project. Come to find out, the <code>python3-freeipa</code> package is not a core part of freeipa, which uses <code>python-ipa*</code> package names. But python3-freeipa provides the suitable commands that return useful objects we can iterate through.</p> <p>Even the <code>cert_find()</code> implementation lets you pick start and stop times for the validity period, which is most of the work involved.</p> <p>I also devised some dirty tricks to columnize the output.</p> <h3>Using freeipa-cert-alert</h3> <p>You configure it with environment variables at runtime, including:</p> <ul> <li><code>FREEIPA_SERVER</code></li> <li><code>FREEIPA_USERNAME</code></li> <li><code>FREEIPA_PASSWORD</code></li> <li><code>DAYS</code></li> </ul> <p>For some reason, domain name does not suffice as the server name. You must pick a server name. This is discoverable in a properly-functioning Kerberos domain with:</p> <pre class="code literal-block"><span></span><code>dig +short -t srv _ldap._tcp.yourdomain.com | awk '{print $4}' </code></pre> <h4>Example</h4> <pre class="code literal-block"><span></span><code>$ <span class="nv">DAYS</span><span class="o">=</span><span class="m">180</span> ./freeipa-cert-alert.py Certificates expiring within <span class="m">180</span> days from <span class="m">2021</span>-10-27 Not valid before Not valid after Subject Thu Jan <span class="m">16</span> <span class="m">21</span>:18:28 <span class="m">2020</span> UTC Sun Jan <span class="m">16</span> <span class="m">21</span>:18:28 <span class="m">2022</span> UTC <span class="nv">CN</span><span class="o">=</span>d2-02a.ipa.example.com,O<span class="o">=</span>IPA.EXAMPLE.COM </code></pre> <h3>Upstream</h3> <p><a href="https://gitlab.com/bgstack15/freeipa-cert-alert">My gitlab repo</a> is the source.</p> <h3>Alternatives</h3> <p>Examine the output of <code>ipa cert-find</code> manually. Otherwise, I found no examples that do what I do here.</p>certificatesexpirationfreeipapythonhttps://bgstack15.ddns.net/blog/posts/2021/11/02/monitor-freeipa-certificate-expirations/Tue, 02 Nov 2021 12:52:51 GMT