Metadata-Version: 2.1
Name: ipa-notify
Version: 0.2.3
Summary: FreeIPA password expiration and locked user notifier
Home-page: https://github.com/cagdasbas/ipa-notify
Author: Cagdas Bas
Author-email: cagdasbs@gmail.com
License: UNKNOWN
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
Classifier: License :: OSI Approved :: Apple Public Source License
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Requires-Python: >=3.6
Description-Content-Type: text/markdown
Requires-Dist: python-freeipa (==1.0.6)
Requires-Dist: requests-kerberos (==0.12.0)
Requires-Dist: requests-gssapi (==1.2.3)

### FreeIPA Notification
[![Upload Python Package](https://github.com/cagdasbas/ipa-notify/actions/workflows/python-publish.yml/badge.svg)](https://github.com/cagdasbas/ipa-notify/actions/workflows/python-publish.yml)

Notifies IPA users of upcoming password expiration and notifies the admin of locked users.

Required packages:
- krb5-devel

1. Create a new role for notifier
   ```shell
   ipa role-add --desc "Notification agent role" "Notification Agent"
   ```
2. Add privileges to the role
   ```shell
   ipa role-add-privilege "Notification Agent" --privileges="User Administrators"
   ipa role-add-privilege "Notification Agent" --privileges="Group Administrators"
   ipa role-add-privilege "Notification Agent" --privileges="Password Policy Readers"
   ```
3. Create a new service and assign the role to this service
   ```shell
   ipa service-add NOTIFY/ipa1.example.com
   ipa role-add-member "Notification Agent" --services="NOTIFY/ipa1.example.com@EXAMPLE.COM"
   ipa service-allow-retrieve-keytab "NOTIFY/ipa1.example.com@EXAMPLE.COM" --hosts=ipa1.example.com
   ```
4. Obtain a keytab and restrict its permissions
   ```shell
   ipa-getkeytab -s ipa1.example.com -p "NOTIFY/ipa1.example.com@EXAMPLE.COM" -k ~/.priv/notify.keytab
   # the directory keeps its execute bit so it stays traversable; the keytab itself is owner-only
   chmod 700 ~/.priv
   chmod 600 ~/.priv/notify.keytab
   ```
5. Run the command in `noop` mode and confirm that it lists the users successfully
6. Create a script with proper permissions under `/usr/local/sbin/`
7. Add a crontab entry, for example `0 0 *  *  * root ipa_notify.sh > /var/log/ipa_notify.log`


#### Parameters:
```bash
$ ipa-notify --help
usage: ipa_notify.py [-h] [--server SERVER] [--verify-ssl] [--no-verify-ssl] [--principal PRINCIPAL] [--keytab KEYTAB] [--groups GROUPS [GROUPS ...]] [--limit LIMIT] [--smtp-host SMTP_HOST] [--smtp-port SMTP_PORT]
                     [--smtp-user SMTP_USER] [--smtp-pass SMTP_PASS] [--smtp-from SMTP_FROM] [--admin ADMIN] [--noop NOOP] [--loglevel {CRITICAL,ERROR,WARNING,INFO,DEBUG,NOTSET}]

IPA Notifier

optional arguments:
  -h, --help            show this help message and exit
  --server SERVER       ipa server fqdn
  --verify-ssl          verify ipa connection SSL cert (default)
  --no-verify-ssl       do not verify ipa connection SSL cert
  --principal PRINCIPAL
                        user principal for kerberos authentication
  --keytab KEYTAB       keytab path
  --groups GROUPS [GROUPS ...]
                        list of user groups to check
  --limit LIMIT         number of days before notifying a user
  --smtp-host SMTP_HOST
                        smtp host for sending email
  --smtp-port SMTP_PORT
                        smtp port for sending email
  --smtp-user SMTP_USER
                        smtp user login
  --smtp-pass SMTP_PASS
                        smtp user password
  --smtp-from SMTP_FROM
                        smtp from email address
  --admin ADMIN         admin user email to notify about locked users
  --noop NOOP           no operation mode. Do not send emails
  --loglevel {CRITICAL,ERROR,WARNING,INFO,DEBUG,NOTSET}
                        log level

```
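The decision rules behind `--limit`, `--admin` and `--noop`, worked as an added Python example that is not the ipa-notify code itself: it classifies constructed user records (assumed to be in the shape python-freeipa returns from a `user_find` call) and builds the messages a run would send; a noop run stops after building them instead of handing them to SMTP.

```python
from datetime import datetime, timezone

# Assumption: python-freeipa user_find() records are in FreeIPA's JSON-RPC shape, with
# multi-valued attributes as lists, datetimes as {"__datetime__": "YYYYMMDDHHMMSSZ"},
# and nsaccountlock as a boolean.
def parse_ipa_datetime(value):
    """Turn an IPA datetime attribute value into an aware UTC datetime."""
    if isinstance(value, dict):
        value = value["__datetime__"]
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def classify_users(users, limit_days, now=None):
    """Return (expiring, locked): expiring is [(uid, mail, days_left)] for passwords expiring
    within limit_days, locked is [uid] for nsaccountlock accounts. Users with no expiration
    set or an already-expired password are skipped (they are left to the admin)."""
    now = now or datetime.now(timezone.utc)
    expiring, locked = [], []
    for user in users:
        uid = user["uid"][0]
        if user.get("nsaccountlock"):
            locked.append(uid)
            continue
        expiration = user.get("krbpasswordexpiration")
        if not expiration:
            continue
        days_left = (parse_ipa_datetime(expiration[0]) - now).days
        if 0 <= days_left <= limit_days:
            expiring.append((uid, user.get("mail", [None])[0], days_left))
    return expiring, locked

def build_messages(expiring, locked, admin):
    """One (recipient, subject) per expiring user with a mail address, plus one summary to
    the admin when any account is locked. A noop run returns this list without sending."""
    messages = [(mail, f"Your IPA password expires in {days} day(s)")
                for _uid, mail, days in expiring if mail]
    if locked:
        messages.append((admin, "Locked IPA accounts: " + ", ".join(locked)))
    return messages

NOW = datetime(2024, 1, 3, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the constructed sample
SAMPLE_USERS = [  # constructed records, not real directory data
    {"uid": ["alice"], "mail": ["alice@example.com"], "nsaccountlock": False,
     "krbpasswordexpiration": [{"__datetime__": "20240110120000Z"}]},   # 7 days out
    {"uid": ["bob"], "mail": ["bob@example.com"], "nsaccountlock": False,
     "krbpasswordexpiration": [{"__datetime__": "20240301120000Z"}]},   # 58 days out
    {"uid": ["carol"], "mail": ["carol@example.com"], "nsaccountlock": True,
     "krbpasswordexpiration": [{"__datetime__": "20240105000000Z"}]},   # locked
    {"uid": ["dave"], "mail": ["dave@example.com"], "nsaccountlock": False},  # no expiry
]
```

With `--limit 7` only alice is notified and carol is reported to the admin; raising the limit to 60 pulls bob in as well.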