Provided by: freeipa-client-epn_4.12.4-1_amd64 
NAME
ipa-epn - Send expiring password notifications
SYNOPSIS
ipa-epn [options]
DESCRIPTION
ipa-epn provides a method to warn users via email that their IPA account password is about to expire.
It can be used in dry-run mode which is recommended during setup. The output is always JSON in this case.
It can also be launched daily by its systemd timer. In this case it will parse its configuration file
epn.conf(5) and send an email to users whose passwords are expiring within the defined future date
ranges.
See the OPTIONS section below and the epn.conf(5) man page on how to configure the tool.
OPTIONS
--to-nbdays <number of days>
The --to-nbdays CLI option can be used to determine the number of notifications that would be sent
in a given timeframe.
If --from-nbdays is not specified, ipa-epn will look within a 24-hour long time range in <number
of days> days.
if --from-nbdays is specified, the date range starts at --from-nbdays days in the future and ends
at --to-nbdays in the future.
Together, these two CLI options can be used to determine how many emails would be sent in a
specific time in the future.
The --to-nbdays CLI option implies --dry-run.
--from-nbdays <number of days>
See --to-nbdays for an explanation. This option must be used in conjunction with --to-nbdays.
--dry-run
The --dry-run CLI option is intended to test ipa-epn's configuration.
For instance, if notify_ttls is set to 21, 14, 3, --dry-run would display the list of users whose
passwords would expire in 21, 14, and 3 days in the future.
--mail-test
The --mail-test CLI option will send an e-mail to the configured smtp_admin value in
/etc/ipa/epn.conf. Generic values for the substitution variables are set so this is also useful
for testing and configuring the mail template.
TEMPLATE
The template for the e-mail message is contained in /etc/ipa/epn/expire_msg.template. The following
template variables are available.
User ID: uid
Full name: fullname
First name: first
Last name: Last
Password expiration date: expiration
EXAMPLES
# date
Sun 12 Apr 2020 06:23:08 AM CEST
# ipa-epn --dry-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020-04-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA-EPN command was successful
# ipa-epn --to-nbdays 6 --dry-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020-04-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA-EPN command was successful
# ipa-epn --from-nbdays 2 --to-nbdays 6 --dry-run
[
{
"uid": "user5",
"cn": "user 5",
"krbpasswordexpiration": "2020-04-17 15:51:53",
"mail": "['user5@ipa.test']"
}
]
The IPA-EPN command was successful
# ipa-epn --from-nbdays 8 --to-nbdays 12 --dry-run
[
{
"uid": "user3",
"cn": "user 5",
"krbpasswordexpiration": "2020-04-21 00:00:08",
"mail": "['user3@ipa.test']"
}
]
The IPA-EPN command was successful
EXIT STATUS
The exit status is 0 on success, nonzero on error.
SEE ALSO
RFE: https://pagure.io/freeipa/issue/3687
Design document: https://github.com/freeipa/freeipa/blob/master/doc/designs/expiring-password-
notification.md
KNOWN BUGS
None yet.
REPORTING BUGS AND ENHANCEMENT IDEAS
Please make sure first the issue is not already reported by searching at https://pagure.io/freeipa/issues. If it is not, file a new issue at https://pagure.io/freeipa/new_issue.
IPA April 24, 2020 IPA-EPN(1)