[Freeipa-users] Date of last access attribute

Rob Crittenden rcritten at redhat.com
Mon Sep 16 12:44:15 UTC 2013


Dmitri Pal wrote:
> On 09/13/2013 01:46 PM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I need to add in my LDAP an attribute to save the date of last access
>>>>>> to mail account, or something similar, to know when a user has
>>>>>> stopped using his mail account. I can't find any attribute like this
>>>>>> one. Any suggestions on how I can do this?
>>>>>>
>>>>>> Thanks so much.
>>>>>
>>>>> I think there are some operational, i.e. "meta" attributes that store
>>>>> information when some attribute was last modified so if there is a way
>>>>> to associate mail activity with a modification of some user attribute
>>>>> then you can check the time stamp of this modification rather than
>>>>> create a separate attribute. With a new attribute the question comes:
>>>>> who, when and how updates it and whether the software you have is
>>>>> capable of doing it? Maybe software already updates something on every
>>>>> activity for the account and if this is the case then operation
>>>>> attributes would help.
>>>>
>>>> There is no mail-specific activity attribute. I think about the closest
>>>> you could get is last successful Kerberos authentication
>>>> (krblastsuccessfulauth), but again this isn't specific to mail activity
>>>> (unless that is all the users can do).
>>>>
>>>> Note too that this attribute is by default not replicated so if you have
>>>> several IPA masters you'd need to check them all. This attribute is not
>>>> updated on LDAP binds.
>>>
>>> Rob,
>>> should we open a ticket to update this for plain text binds too?
>>>
>>> Simo.
>>
>> That's an interesting question. The attribute has krb in it which
>> suggests a kerberos authentication, so I wonder if this would cause
>> other confusion.
>
> Wasn't there an intent not to update data on a successful auth? Only on
> a failure or first time after a failure to clear the counts?

It certainly seems like an argument I'd make, but I don't recall 
specifically.

rob
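
The per-master check mentioned in the quoted reply above, as an added example that is not part of the original thread: because krbLastSuccessfulAuth is not replicated by default, this merges LDIF output saved from each master and keeps the newest timestamp per user. The function names, hostnames, DNs and sample LDIF are constructed for illustration.

```python
from datetime import datetime, timezone

ATTR = "krblastsuccessfulauth"  # LDAP attribute names are case-insensitive

def parse_ldif(text):
    """Return {dn: datetime or None} from ldapsearch-style LDIF output."""
    entries = {}
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    for block in text.strip().split("\n\n"):
        dn, stamp = None, None
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if not sep:
                continue
            if name.lower() == "dn":
                dn = value.lower()
            elif name.lower() == ATTR:
                # Generalized Time, e.g. 20130910142233Z
                stamp = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if dn:
            entries[dn] = stamp
    return entries

def merge_masters(per_master):
    """Keep the newest timestamp per DN and the master that recorded it."""
    latest = {}
    for master, ldif in per_master.items():
        for dn, stamp in parse_ldif(ldif).items():
            best = latest.setdefault(dn, (None, None))
            if stamp and (best[0] is None or stamp > best[0]):
                latest[dn] = (stamp, master)
    return latest

def inactive_since(latest, cutoff):
    """DNs with no successful Kerberos auth on any master since cutoff."""
    return sorted(dn for dn, (stamp, _) in latest.items() if stamp is None or stamp < cutoff)

# Constructed sample: output saved from each master (hostnames and DNs are made up).
BASE = "cn=users,cn=accounts,dc=example,dc=test"
SAMPLE = {
    "ipa1.example.test": f"dn: uid=alice,{BASE}\nkrbLastSuccessfulAuth: 20130301080000Z\n\n"
                         f"dn: uid=bob,{BASE}\nkrbLastSuccessfulAuth: 20130105120000Z\n\n"
                         f"dn: uid=carol,{BASE}\n",
    "ipa2.example.test": f"dn: uid=alice,{BASE}\nkrbLastSuccessfulAuth: 20130910142233Z\n\n"
                         f"dn: uid=bob,{BASE}\n\ndn: uid=carol,{BASE}\n",
}

if __name__ == "__main__":
    cutoff = datetime(2013, 6, 1, tzinfo=timezone.utc)
    for dn in inactive_since(merge_masters(SAMPLE), cutoff):
        print(dn)
```

In the sample, alice would look inactive if only ipa1 were queried. Accounts that authenticate only through LDAP binds will show no timestamp at all, since the attribute is not updated on binds.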



