The script will report if a certificate is expired, if it expires today, or if it will expire within a month.
This only reports the problem certificates in your eDir tree, and if they are all good, then nothing is returned.
I use Net::LDAP and Date::Manip in the Perl script. The corresponding packages on SLES are:
The options needed for the script to run are:
checkcerts.pl LDAP-IP-or-DNS-name Bind-DN Bind-password
Example:
checkcerts.pl 10.20.30.40 cn=admin,o=novell novell
The user that is used for this script only needs to have the following rights:
Entry: Browse, Inherit (for the entire tree)
Attribute: ObjectClass & ndspkinotafter - Read, Compare, Inherit
The easiest way to use this script would be to create a cron job on one server that runs once a week.
An example that emails the script results to idmadmins:
/usr/local/bin/checkcerts.pl 10.20.30.40 cn=admin,o=novell password | mail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com
You would need to create a job for each tree you want to monitor.
The following example would run against the 10.20.30.40 tree at 1:00AM every Saturday:
0 1 * * 6 /usr/local/bin/checkcerts.pl 10.20.30.40 cn=admin,o=novell password | nail -s "Certificate Expiration Report for `date -I`" -r certreport@mydomain.com idmadmins@mydomain.com
#!/usr/bin/perl -w
use Net::LDAP;
use POSIX qw(strftime);
use Date::Manip;

$argc = $#ARGV + 1;
if ($argc != 3) {
    die "checkcerts.pl LDAPURI binduser bindpwd";
}

$ldap = Net::LDAP->new( $ARGV[0] ) or die "$@";
$mesg = $ldap->bind( $ARGV[1], password => $ARGV[2] );
$mesg->code && die $mesg->error;   # stop on a failed bind rather than searching anonymously

# Every Key Material Object in the tree carries its expiry date in ndspkinotafter
$mesg = $ldap->search( base => "", filter => "(objectclass=ndspkikeymaterial)" );
$mesg->code && die $mesg->error;

# Compare on the date only (YYYYMMDD); "today" and "today plus one month"
$currenttime  = strftime("%Y%m%d", localtime());
$currtime     = &ParseDate($currenttime);
$currtimeplus = &DateCalc($currtime, "1 month");

my @entries = $mesg->entries;
my $entr;
foreach $entr ( @entries ) {
    my $attr  = "ndspkinotafter";
    my $value = $entr->get_value( $attr );
    unless ( defined $value ) {
        # a KMO without an expiry attribute is worth reporting, not skipping silently
        print "The certificate ", $entr->dn, " has no $attr attribute.\n";
        next;
    }
    # ndspkinotafter is a GeneralizedTime (YYYYMMDDhhmmssZ); keep the date part
    $certdate = substr( $value, 0, 8 );
    $crtdate  = &ParseDate($certdate);

    $dateresult       = &Date_Cmp($currtime, $crtdate);
    $futuredateresult = &Date_Cmp($currtimeplus, $crtdate);

    if ( $dateresult < 0 ) {
        if ( $futuredateresult < 0 ) {
            # print "The certificate ", $entr->dn, " is valid.\n";
        } else {
            print "The certificate ", $entr->dn, " will expire within a month.\n";
        }
    } elsif ( $dateresult == 0 ) {
        print "The certificate ", $entr->dn, " expires today.\n";
    } else {
        print "The certificate ", $entr->dn, " has already expired.\n";
    }
}

$mesg = $ldap->unbind;
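The classification the script performs on each Key Material Object, written out as an added Python example (this is not code from the original article). It works on constructed sample entries shaped like the LDAP search results (a DN plus the ndspkinotafter GeneralizedTime attribute) so it runs offline; in a real run you would fill the list from an LDAP search with the same filter. The fixed "today" date, the sample DNs and expiry values are all made up for the example, and the one-month window is approximated as 30 days rather than Date::Manip's calendar month.

```python
from datetime import date, datetime, timedelta

# Constructed sample entries in the shape an LDAP search for
# (objectclass=ndspkikeymaterial) returns: DN plus ndspkinotafter.
# The values are made up for this example; the expiry attribute is a
# GeneralizedTime, e.g. 20240701120000Z.  "Today" is fixed so results are stable.
TODAY = date(2024, 6, 15)

SAMPLE_ENTRIES = [
    {"dn": "cn=SSL CertificateDNS - srv1,o=novell", "ndspkinotafter": ["20260101000000Z"]},
    {"dn": "cn=SSL CertificateIP - srv1,o=novell", "ndspkinotafter": ["20240615235959Z"]},
    {"dn": "cn=Old Cert - srv2,o=novell", "ndspkinotafter": ["20240101000000Z"]},
    {"dn": "cn=Soon Cert - srv2,o=novell", "ndspkinotafter": ["20240701120000Z"]},
    {"dn": "cn=Broken KMO - srv3,o=novell", "ndspkinotafter": []},
]


def parse_not_after(value):
    """Turn an LDAP GeneralizedTime into a date.

    Like the Perl script, only the YYYYMMDD prefix is used, so the
    comparison is on whole days regardless of the time zone suffix."""
    return datetime.strptime(value[:8], "%Y%m%d").date()


def classify(not_after, today=TODAY, horizon=timedelta(days=30)):
    """Map an expiry date onto the four states the script distinguishes.

    The 30-day horizon is an assumption standing in for Date::Manip's "1 month"."""
    if not_after < today:
        return "has already expired"
    if not_after == today:
        return "expires today"
    if not_after <= today + horizon:
        return "will expire within a month"
    return "valid"


def report(entries, today=TODAY):
    """Return (dn, state) for every entry that needs attention.

    Valid certificates are omitted, matching the script's quiet-when-good
    behaviour; entries with no ndspkinotafter value are flagged rather than
    silently skipped, since a KMO without an expiry is itself a problem."""
    findings = []
    for entry in entries:
        values = entry.get("ndspkinotafter") or []
        if not values:
            findings.append((entry["dn"], "has no ndspkinotafter attribute"))
            continue
        state = classify(parse_not_after(values[0]), today)
        if state != "valid":
            findings.append((entry["dn"], state))
    return findings


if __name__ == "__main__":
    for dn, state in report(SAMPLE_ENTRIES):
        print(f"The certificate {dn} {state}.")
```

Running the block prints one line per problem certificate and nothing for the valid one, which is the behaviour that makes the cron-plus-mail pattern above useful: an empty report means nothing needs attention.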