#371 [RFE] - Use lastLoginTime to track user logins without using accountInactivityTimeout
Closed: Invalid None Opened 7 years ago by nkinder.

https://bugzilla.redhat.com/show_bug.cgi?id=810912 (Red Hat Directory Server)

Would like to be able to track user login times using the lastLoginTime
attribute without having to set up a policy in the Account Policy Plugin based
on the accountInactivityLimit attribute that would disable the account.  Only
looking to use the lastLoginTime for tracking purposes without enforcing any
sort of lockout of the account.  The ability to use a "0" or "-1" in the
accountInactivityLimit attribute to indicate no inactivity timeout would also
work.

Need the ability to track "dormant" or inactive users so that
they may be purged from the directory. Support for tracking the date/time of last successful
directory login would make detecting unused/inactive accounts easier.

Obtaining the date/time of the last successful BIND for a given user, from
within the directory is possible when using Account Policy Plug-in, but not
without setting up the accountInactivityTimeout in a policy which would cause
the account to become locked upon expiration.

In version 1.2.10.x the following LDIF seemed to work to just change the lastLoginTime (without any accountInactivityTimeout positioned):

dn: cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
changetype: modify
replace: alwaysrecordlogin
alwaysrecordlogin: yes

Has it changed in 1.2.11.x?

All you need are these two entries in the dse.ldif:

dn: cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
cn: acct_policy_plugin
nsslapd-pluginPath: libacctpolicy-plugin
nsslapd-pluginInitfunc: acct_policy_init
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: acct-policy
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit

The only way an account can get locked is if you add the acctPolicySubentry attribute to a user entry.

So if you don't want an account to get inactivated, don't add the acctPolicySubentry to the user entry.

Closing ticket.

Added initial screened field value.

Metadata Update from @nkinder:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.5

2 years ago
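
With the tracking-only configuration discussed in this ticket, a dormant-account report can be built from search output. The following is an added example, not part of the ticket or the project's code; the sample entries, DNs and function names are constructed, and it assumes unfolded, non-base64 LDIF with timestamps in the `YYYYmmddHHMMSSZ` form.

```python
from datetime import datetime, timedelta, timezone

# Constructed ldapsearch-style LDIF output (sample entries, not from the ticket).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
createTimestamp: 20120101090000Z
lastLoginTime: 20120601120000Z

dn: uid=bob,ou=People,dc=example,dc=com
createTimestamp: 20110301090000Z
lastLoginTime: 20111001120000Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com

dn: uid=carol,ou=People,dc=example,dc=com
createTimestamp: 20110115090000Z
"""

def parse_entries(ldif):
    """Split simple, unfolded LDIF into dicts of lower-cased attribute -> value."""
    entries = []
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry[name.lower()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def parse_time(value):
    """Parse a GeneralizedTime value of the form YYYYmmddHHMMSSZ as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def dormant_accounts(ldif, now, max_idle_days):
    """Return (dn, last_activity, source_attr, has_policy) for idle accounts."""
    cutoff = now - timedelta(days=max_idle_days)
    report = []
    for e in parse_entries(ldif):
        # Same fallback order as stateattrname / altstateattrname in the config above.
        attr = "lastlogintime" if "lastlogintime" in e else "createtimestamp"
        if attr not in e:
            continue
        seen = parse_time(e[attr])
        if seen < cutoff:
            report.append((e["dn"], seen, attr, "acctpolicysubentry" in e))
    return report
```

The last field of each tuple marks dormant entries that carry `acctPolicySubentry`, which are the only ones the plugin can lock. `createTimestamp` is an operational attribute, so the search that feeds this report has to request the attributes by name.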
