[Freeipa-users] Date of last access attribute

Dmitri Pal dpal at redhat.com
Fri Sep 13 18:15:17 UTC 2013


On 09/13/2013 01:46 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>>> Hi all,
>>>>>
>>>>> I need to add in my LDAP an attribute to save the date of last access
>>>>> to mail account, or something similar, to know when a user has
>>>>> stopped using his mail account. I can't find any attribute like this
>>>>> one. Any suggestions on how I can do this?
>>>>>
>>>>> Thanks so much.
>>>>
>>>> I think there are some operational, i.e. "meta" attributes that store
>>>> information when some attribute was last modified so if there is a way
>>>> to associate mail activity with a modification of some user attribute
>>>> then you can check the time stamp of this modification rather than
>>>> create a separate attribute. With a new attribute the question comes:
>>>> who, when and how updates it and whether the software you have is
>>>> capable of doing it? Maybe software already updates something on
>>>> every activity for the account and if this is the case then
>>>> operational attributes would help.
>>>
>>> There is no mail-specific activity attribute. I think about the closest
>>> you could get is last successful Kerberos authentication
>>> (krblastsuccessfulauth), but again this isn't specific to mail activity
>>> (unless that is all the users can do).
>>>
>>> Note too that this attribute is by default not replicated so if you
>>> have several IPA masters you'd need to check them all. This attribute
>>> is not updated on LDAP binds.
>>
>> Rob,
>> should we open a ticket to update this for plain text binds too?
>>
>> Simo.
>
> That's an interesting question. The attribute has krb in it which
> suggests a kerberos authentication, so I wonder if this would cause
> other confusion.

Wasn't there an intent not to update data on a successful auth? Only on
a failure or first time after a failure to clear the counts?

>
>
> rob
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
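
Added example, not part of the original thread or of FreeIPA's code: because krbLastSuccessfulAuth is not replicated by default, the value has to be collected from every master and the most recent one taken per user. The sketch below does that merge over LDIF text; the hostnames, DNs and timestamps are constructed, and the 90-day threshold is an assumption. As noted in the thread, the attribute reflects Kerberos authentication only, not LDAP binds.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: LDIF text as a search of each master might return it.
# Hostnames, DNs and timestamps are made up for illustration.
SAMPLE_LDIF = {
    "ipa1.example.test": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
krbLastSuccessfulAuth: 20130910081500Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
krbLastSuccessfulAuth: 20130301120000Z
""",
    "ipa2.example.test": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
krbLastSuccessfulAuth: 20130601090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
""",
}

def parse_ldif(text):
    """Yield (dn, timestamp-or-None) for each entry in simple unwrapped LDIF."""
    for block in text.strip().split("\n\n"):
        dn, ts = None, None
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            elif key.lower() == "krblastsuccessfulauth":
                ts = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if dn:
            yield dn, ts

def latest_auth(per_master_ldif):
    """Merge all masters: dn -> (latest timestamp, master) or (None, None)."""
    merged = {}
    for master, text in per_master_ldif.items():
        for dn, ts in parse_ldif(text):
            best = merged.setdefault(dn, (None, None))
            if ts and (best[0] is None or ts > best[0]):
                merged[dn] = (ts, master)
    return merged

def inactive(per_master_ldif, now, max_age_days=90):
    """DNs with no recorded auth on any master, or none within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(dn for dn, (ts, _) in latest_auth(per_master_ldif).items()
                  if ts is None or ts < cutoff)
```

With the sample data, looking at ipa2 alone would report alice as inactive; merging both masters shows her most recent authentication on ipa1.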

