[Freeipa-users] Date of last access attribute

[Rob Crittenden]

Simo Sorce wrote:
> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>> Hi all,
>>>>
>>>> I need to add in my LDAP an attribute to save the date of last access
>>>> to mail account, or something similar, to know when an user has
>>>> stopped using his mail account. I can't find any attribute like this
>>>> one. Any suggestions on how I can do this?
>>>>
>>>> Thanks so much.
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> I think there are some operational, i.e. "meta" attributes that store
>>> information when some attribute was last modified so if there is a way
>>> to associate mail activity with a modification of some user attribute
>>> then you can check the time stamp of this modification rather than
>>> create a separate attribute. With a new attribute the question comes:
>>> who, when and how updates it and whether the software you have is
>>> capable of doing it? May be software already updates something on every
>>> activity for the account and if this is the case then operation
>>> attributes would help.
>>
>> There is no mail-specific activity attribute. I think about the closest
>> you could get is last successful Kerberos authentication
>> (krblastsuccessfulauth), but again this isn't specific to mail activity
>> (unless that is all the users can do).
>>
>> Note too that this attribute is by default not replicated so if you have
>> several IPA masters you'd need to check them all. This attribute not
>> updated on LDAP binds.
>
> Rob,
> should we open a ticket to update this for plain text binds too ?
>
> Simo.

That's an interesting question. The attribute has krb in it which 
suggests a kerberos authentication, so I wonder if this would cause 
other confusion.

rob