The account policy plugin allows for an account to be disabled if it has not been active for a configurable period of time. It does this by recording the last login time, then comparing it against the threshold when a user performs a bind. If it has been too long, we then reject the bind and disable the user.
Certain environments have compliance requirements for inactive account deactivation, but this needs to happen automatically without being triggered by a failed attempt. This allows for proper auditing of inactive accounts.
The account policy plugin could be modified to use the event queue SLAPI API to trigger a callback that looks for inactive accounts, which it can then disable. The event frequency/schedule should be configurable in the account policy plugin configuration.
Note: needs more design work
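The gap between the two models described above, as an added example (not code from 389-ds-base or from this ticket): a bind-time check only evaluates accounts that attempt a bind, while a scheduled sweep evaluates every entry. The entries, the 90-day limit, the `locked` flag and the separate reporting of accounts with no recorded login are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value):
    """Parse a UTC LDAP GeneralizedTime value such as 20240101090000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_inactive(entry, limit, now):
    """Compare the recorded last login time against the inactivity threshold."""
    last = entry.get("lastLoginTime")
    if last is None:
        return False  # assumption: no recorded login is reported, not disabled
    return now - parse_generalized_time(last) > limit

def bind_time_check(entries, binding_dns, limit, now):
    """Bind-triggered model: only accounts that attempt a bind are evaluated."""
    return [dn for dn in binding_dns
            if dn in entries and is_inactive(entries[dn], limit, now)]

def scheduled_sweep(entries, limit, now):
    """Scheduled model: a periodic job evaluates every account that is not locked."""
    result = {"disable": [], "no_login_record": []}
    for dn, entry in sorted(entries.items()):
        if entry.get("locked"):
            continue  # already disabled, nothing to do
        if "lastLoginTime" not in entry:
            result["no_login_record"].append(dn)  # surfaced for audit review
        elif is_inactive(entry, limit, now):
            result["disable"].append(dn)
    return result

# Constructed sample data (not taken from a real directory).
BASE = "ou=people,dc=example,dc=com"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LIMIT = timedelta(days=90)
ENTRIES = {
    f"uid=alice,{BASE}": {"lastLoginTime": "20240520083000Z"},
    f"uid=bob,{BASE}": {"lastLoginTime": "20240101090000Z"},    # dormant, never binds
    f"uid=carol,{BASE}": {"lastLoginTime": "20231115120000Z"},  # dormant, tries to bind
    f"uid=dave,{BASE}": {},                                     # never logged in
    f"uid=erin,{BASE}": {"lastLoginTime": "20230101000000Z", "locked": True},
}
BINDS = [f"uid=alice,{BASE}", f"uid=carol,{BASE}"]  # accounts that attempt a bind

if __name__ == "__main__":
    print("bind-time :", bind_time_check(ENTRIES, BINDS, LIMIT, NOW))
    print("sweep     :", scheduled_sweep(ENTRIES, LIMIT, NOW))
```

In this sample, `uid=bob` stays enabled under the bind-triggered model because it never attempts a bind; only the sweep flags it.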
Metadata Update from @nhosoi: - Issue set to the milestone: 1.3.6 backlog
Metadata Update from @mreynolds: - Issue close_status updated to: None - Issue set to the milestone: 1.4 backlog (was: 1.3.6 backlog)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1967
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)