- Jamf Nation Community
- Products
- Jamf Pro
- Re: AD Password expiration as JSS Extension Attrib...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
AD Password expiration as JSS Extension Attribute - no AD bind necessary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-25-2016 01:30 PM
Hi JAMFers.
Wrote this in November and promptly forgot to throw it up for people to get some usefulness. Please, as always, give suggestions for improving, or extending. This script assumes that your usernames associated with the asset record in JSS are populated by LDAP. It does not require the computer to be bound to the domain. Instead, I leveraged the same LDAP account that we use to give our printers access to the GAL. It returns days remaining (thanks to some math worked out for us by @colonelpanic ) as an Extension Attrib.
#!/bin/bash
################################################
# Created By: Mac Scott, macscott[at]livenation.com
# Creation Date: November 4, 2015
# Last modified: November 4, 2015 by macscott[at]livenation.com
# Brief Description: Scrapes JSS for username assigned to asset, then does AD LDAP lookup to determine AD
################################################
# Set up your organization's variables
# For JSS:
jss_server= # Full URL for logging into your JSS instance, quoted b/c of the characters; i.e. 'https://jss.yourorg.com:8443'
rest_account= # An account on your jss server with limited privs set up to scrape user info from the site
rest_password= # Password for the rest_account user above
# For AD/LDAP:
ldap_server= # IP address of a dc within your org that allows directory lookups
ldap_account= # AD account with limited privs, used to query the active directory server using ldapsearch
ldap_password= # Password for the ldap_account user above
forest_domain= # i.e. forest.yourorg.com
dist_name= # The distinguished name of your domain and forest in AD, quoted b/c of the characters; i.e. 'dc=forest,dc=yourorg,dc=com'
pwdPolicy= # Days to password expiration since last set i.e.: 90
################################################
# Program logic:
# Determine if on corporate network
if ping -c 1 $ldap_server &>/dev/null ; then
# Determine Primary MAC address of computer and pull API data
en0=`ifconfig en0 | grep -o -E '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}'`
jssxml="`curl --silent --insecure -u $rest_account:$rest_password $jss_server/JSSResource/computers/macaddress/$en0/subset/Location -X GET`"
# Get name of user the computer was assigned to
trimName=`echo ${jssxml#*"<username>"}`
usernameINjss=`echo ${trimName%"</username>"*}`
# LDAP lookup for pwdLastSet and then a little math to arrive at days until expiry.
# Credit for this portion of the script goes to Jason Borchardt, aka colonelpanic on jamfNation
lastpwdMS=`ldapsearch -x -H ldap://$ldap_server -D $ldap_account@$forest_domain -w "$ldap_password" -b "$dist_name" -L "anr=$usernameINjss" pwdLastSet | /usr/bin/awk '/pwdLastSet:/{print $2}'`
lastpwdUNIX1=`expr $lastpwdMS / 10000000 - 1644473600`
lastpwdUNIX=`expr $lastpwdUNIX1 - 10000000000`
todayUNIX=`date +%s`
diffDays1=`expr $todayUNIX - $lastpwdUNIX`
diffDays=`expr $diffDays1 / 86400`
daysRemaining=`expr $pwdPolicy - $diffDays`
echo "<result>$daysRemaining</result>"
fi
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-22-2016 11:55 AM
Hi @signetmac,
Great script! Found that the script had an issue if the primary MAC address of the computer changes (for users who sometime use Thunderbolt ethernet dongles and other times use the Ethernet on a thunderbolt monitor). Here it is using the UUID of the hardware which should never change. (Also changed to use xpath to pull out the username from XML).
Cheers,
JP
#!/bin/bash
################################################
# Created By: Mac Scott, macscott[at]livenation.com
# Creation Date: November 4, 2015
# Last modified: November 4, 2015 by macscott[at]livenation.com
# Brief Description: Scrapes JSS for username assigned to asset, then does AD LDAP lookup to determine AD
################################################
# Set up your organization's variables
# For JSS:
jss_server= # Full URL for logging into your JSS instance, quoted b/c of the characters; i.e. 'https://jss.yourorg.com:8443'
rest_account= # An account on your jss server with limited privs set up to scrape user info from the site
rest_password= # Password for the rest_account user above
# For AD/LDAP:
ldap_server= # IP address of a dc within your org that allows directory lookups
ldap_account= # AD account with limited privs, used to query the active directory server using ldapsearch
ldap_password= # Password for the ldap_account user above
forest_domain= # i.e. forest.yourorg.com
dist_name= # The distinguished name of your domain and forest in AD, quoted b/c of the characters; i.e. 'dc=forest,dc=yourorg,dc=com'
pwdPolicy= # Days to password expiration since last set i.e.: 90
################################################
# Program logic:
# Determine if on corporate network
if ping -c 1 $ldap_server &>/dev/null ; then
# Determine Hardware UUID of computer and pull API data
uuid="`system_profiler SPHardwareDataType | grep "Hardware UUID" | awk '{print $3}'`"
jssxml="`curl --silent --insecure -u $rest_account:$rest_password $jss_server/JSSResource/computers/udid/$uuid/subset/Location -X GET`"
# Get name of user the computer was assigned to
usernameINjss="`echo "${jssxml}" | xpath "string(/computer/location/username)" 2> /dev/null`"
# LDAP lookup for pwdLastSet and then a little math to arrive at days until expiry.
# Credit for this portion of the script goes to Jason Borchardt, aka colonelpanic on jamfNation
lastpwdMS=`ldapsearch -x -H ldap://$ldap_server -D $ldap_account@$forest_domain -w "$ldap_password" -b "$dist_name" -L "anr=$usernameINjss" pwdLastSet | /usr/bin/awk '/pwdLastSet:/{print $2}'`
lastpwdUNIX1=`expr $lastpwdMS / 10000000 - 1644473600`
lastpwdUNIX=`expr $lastpwdUNIX1 - 10000000000`
todayUNIX=`date +%s`
diffDays1=`expr $todayUNIX - $lastpwdUNIX`
diffDays=`expr $diffDays1 / 86400`
daysRemaining=`expr $pwdPolicy - $diffDays`
echo "<result>$daysRemaining</result>"
fiOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-22-2016 12:00 PM
Thank you @pereljon ! I always appreciate a chance to make my scripts better AND learn new things in the process. I've not used xpath before and am happy to get the example of its usage. This will come in handy in other scripts I'm working on.
All my best,
Mac
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-22-2016 12:59 PM
@signetmac Do you have your scripts on github? It's a great place to share these from and keep them updated. One more suggestion would be to get the JSS URL directly from the JAMF preferences file.
JSS_BASEURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf jss_url)Here's a script on my github that does this:
https://github.com/pereljon/Casper-Scripts/blob/master/mailsend.sh
Cheers,
JP
