Our team uses IPA on all of our environments, including dev, test, enterprise test, and production operations. Our customer requires account inactivity enforcement, which does not appear to be a feature of ipa-server-4.5.4-10.el7.x86_64. I need the krbLastSuccessfulAuth date/timestamp to reflect the last actual authentication consistently between masters so I can accurately determine the last time a user has authenticated on the domain in one place, on either master, and ideally not have to query both (or 'n' masters) to determine the most recent login.
- Alternative flags to query to obtain account inactivity are welcome.
- An option to query the secondary master for the value to compare locally on the primary master is welcome, but is not a long-term solution.
krbLastSuccessfulAuth is inconsistent between IPA masters
1. Run ipa user-show --all --raw <user> | grep krbLastSuccessfulAuth on each IPA master.
Inconsistent date/times are returned from each IPA Master
Latest account authentication date/times on the domain are immediately and consistently returned from any IPA Server.
Masters: ipa-server-4.5.4-10.el7.x86_64 // Redhat-v7.5
This system is on a closed area network that is not connected to the Internet, so cutting and pasting configuration and command outputs to/from this system is not possible.
Domain contains 65 clients, majority have been joined to the primary master. IPA Client versions are split between the following, majority are currently Centos-v6.9:
ipa-client-4.5.4-10.el7.x86_64 (Redhat-v7.5)
ipa-client-3.0.0-51.el6.centos.x86_64 (Centos-v6.9)
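Since the attribute is recorded only on the master that handled a given authentication, the domain-wide "last login" for a user is the newest value any master holds. The script below is an added example, not the reporter's or FreeIPA's own code: it collects krbLastSuccessfulAuth from a list of masters and picks the most recent. The master hostnames, the user, and the base DN dc=example,dc=com are assumptions, and the sample output at the bottom is constructed to show the comparison without a live directory.

```shell
#!/bin/sh
# Added example, not part of this ticket or of FreeIPA: find the most recent
# krbLastSuccessfulAuth for a user across several masters. Because the
# attribute is excluded from replication, each master only knows about the
# authentications it served itself, so the domain-wide "last login" is the
# maximum over all masters. The value is a GeneralizedTime (YYYYMMDDHHMMSSZ),
# fixed width and zero padded, so plain string comparison orders it correctly.

# latest_auth: read "krbLastSuccessfulAuth: <time>" lines on stdin (the raw
# output of every master concatenated; leading whitespace and attribute-name
# case are ignored) and print the newest value. Exits 1 if none was found,
# which is what you get for a user who has never authenticated anywhere.
latest_auth() {
    awk '
        tolower($1) == "krblastsuccessfulauth:" && $2 > max { max = $2 }
        END { if (max == "") exit 1; print max }
    '
}

# query_masters USER MASTER...: the real collection step. Needs a Kerberos
# ticket (kinit first). The base DN is an assumption; use your own suffix.
query_masters() {
    user="$1"; shift
    for master in "$@"; do
        ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$master" \
            -b "uid=$user,cn=users,cn=accounts,dc=example,dc=com" \
            -s base krbLastSuccessfulAuth 2>/dev/null
    done
}

# Constructed sample: what two masters might return for the same user when
# the second one served the more recent login.
sample_master_output() {
    printf '%s\n' \
        'dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com' \
        'krbLastSuccessfulAuth: 20180301120000Z' \
        '' \
        'dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com' \
        'krbLastSuccessfulAuth: 20180612143025Z'
}

# Real use: query_masters jdoe ipa1.example.com ipa2.example.com | latest_auth
sample_master_output | latest_auth
```

The same parser works on the output of ipa user-show --all --raw from each master, since it also prints one "krbLastSuccessfulAuth: <time>" line per entry. A master that is unreachable simply contributes nothing, so treat a result older than expected with suspicion until every master has answered.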
krbLastSuccessfulAuth is excluded from replication. Also see https://pagure.io/freeipa/issue/5313 (4.5.1+).
If you want to enable krbLastSuccessfulAuth replication (this would create a lot of replication traffic and may cause a number of replication conflicts in some situations), you may remove krbLastSuccessfulAuth from the nsDS5ReplicatedAttributeListTotal and nsDS5ReplicatedAttributeList attributes on the replication agreement. We provide no tools for that, so standard ldapmodify could be used. Please consult 389-ds documentation for details: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/configuration_command_and_file_reference/core_server_configuration_reference#Replication_Attributes_under_cnReplicationAgreementName_cnreplica_cnsuffixName_cnmapping_tree_cnconfig-nsDS5ReplicatedAttributeList
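What the ldapmodify step above looks like in practice, as an added example that is not FreeIPA tooling and not from the ticket: the functions strip krbLastSuccessfulAuth from the EXCLUDE list of both fractional-replication attributes and emit the LDIF changeset for one agreement. The agreement DN is hypothetical, and the sample attribute values are constructed in the shape 389-ds uses ("(objectclass=*) $ EXCLUDE attr ..."); read the real values of your agreements from cn=config with ldapsearch before applying anything, and apply the change to every agreement on every master, otherwise the attribute only replicates in one direction. Bear in mind the warning in the reply above about replication traffic and conflicts, and that enabling replication does not backfill values recorded before the change.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling: build the ldapmodify input that
# removes krbLastSuccessfulAuth from the EXCLUDE list of a replication
# agreement's nsDS5ReplicatedAttributeList and
# nsDS5ReplicatedAttributeListTotal attributes. The DN and values used as
# sample input below are constructed; fetch the real ones with ldapsearch.

# drop_attr NAME VALUE: remove NAME (case-insensitive) from a
# "(objectclass=*) $ EXCLUDE a b c" style value and print the result.
# Everything else, including the "(objectclass=*) $" prefix, is kept.
drop_attr() {
    printf '%s\n' "$2" | awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    {
        out = ""
        for (i = 1; i <= NF; i++)
            if (tolower($i) != name) out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# agreement_ldif DN LIST TOTAL: emit one LDIF modify record that replaces
# both attributes on the agreement entry with krbLastSuccessfulAuth removed.
agreement_ldif() {
    dn="$1"; list="$2"; total="$3"
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: nsDS5ReplicatedAttributeList\n'
    printf 'nsDS5ReplicatedAttributeList: %s\n' "$(drop_attr krbLastSuccessfulAuth "$list")"
    printf '%s\n' -
    printf 'replace: nsDS5ReplicatedAttributeListTotal\n'
    printf 'nsDS5ReplicatedAttributeListTotal: %s\n' "$(drop_attr krbLastSuccessfulAuth "$total")"
    printf '%s\n' -
}

# Constructed sample agreement: hypothetical DN, values in the 389-ds
# fractional-replication syntax with the attributes FreeIPA typically excludes.
SAMPLE_DN='cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
SAMPLE_LIST='(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'
SAMPLE_TOTAL='(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'

# Print the changeset; to apply it for real, pipe it into ldapmodify as
# Directory Manager on the master that owns the agreement, for example:
#   agreement_ldif "$DN" "$LIST" "$TOTAL" | ldapmodify -x -D 'cn=Directory Manager' -W
agreement_ldif "$SAMPLE_DN" "$SAMPLE_LIST" "$SAMPLE_TOTAL"
```

Check the result afterwards with an ldapsearch on the agreement entry: both attributes should still begin with "(objectclass=*) $ EXCLUDE" and simply lack krblastsuccessfulauth. Leave krbLastFailedAuth and krbLoginFailedCount excluded unless you also want failed-login counters replicated, which multiplies the write traffic further.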
Closing as duplicate of https://pagure.io/freeipa/issue/3700
Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)