This script contains all the logic I use to determine the number of days remaining until a user's Active Directory domain password expires. Helpful for troubleshooting where things are breaking down in ADPassMon. Make sure you have an active kerberos ticket before running or you will see 'ldap_sasl_interactive_bind_s' errors at the beginning of …

ad_pass_exp.sh

#!/bin/bash

myLDAP=$(scutil --dns | awk '/nameserver\[0\]/{print $3}' | head -1)

mySearchBase=$(ldapsearch -LLL -Q -s base -H ldap://${myLDAP} defaultNamingContext | awk '/defaultNamingContext/{print $2}')

uAC=$(dscl localhost read /Search/Users/$USER userAccountControl | awk '/:userAccountControl:/{print $2}')
if [[ $uAC =~ ^6 ]]; then
    passExpires="no"
else
    passExpires="yes"
fi

expireAgeUnix=$(ldapsearch -LLL -Q -s base -H ldap://${myLDAP} -b $mySearchBase maxPwdAge | awk -F- '/maxPwdAge/{print $2/10000000}')

expireAge=$(echo "$expireAgeUnix / 86400" | bc -l)

pwdSetDateRaw=$(dscl localhost read /Search/Users/$USER pwdLastSet | awk '/LastSet:/{print $2}')

pwdSetDateUnix=$(echo "$pwdSetDateRaw / 10000000 - 11644473600" | bc -l)

pwdSetDate=$(echo "$pwdSetDateUnix / 86400" | bc -l)

todayUnix=$(date +%s)

today=$(echo "$todayUnix / 86400" | bc -l)

daysUntilExp=$(echo "$expireAge - ($today - $pwdSetDate)" | bc -l)

daysUntilExpNice=$(echo "$daysUntilExp" | awk -F. '{print $1}')

echo "myLDAP:           $myLDAP"
echo "mySearchBase:     $mySearchBase"
echo "uAC:              $uAC"
echo "passExpires:      $passExpires"
echo "expireAgeUnix:    $expireAgeUnix"
echo "expireAge:        $expireAge"
echo "pwdSetDateRaw:    $pwdSetDateRaw"
echo "pwdSetDateUnix:   $pwdSetDateUnix"
echo "pwdSetDate:       $pwdSetDate"
echo "todayUnix:        $todayUnix"
echo "today:            $today"
echo "daysUntilExp:     $daysUntilExp"
echo "daysUntilExpNice: $daysUntilExpNice"