[Freeipa-users] Date of last access attribute

Arturo Borrero aborrero at cica.es
Tue Sep 17 07:18:00 UTC 2013


On 16/09/13 15:35, Simo Sorce wrote:
>
> No, we need to update as it is used to unlock auto-locked accounts. What
> we decided on was to not propagate any of these operations via
> replication to avoid huge churn across all of the enterprise.
>
> Simo.
>

The underlying issue is: with a large-scale userbase, some method is
needed to know about inactive user accounts.
Users that don't send/recv mails, users that don't bind/kinit, whatever..

  * some kind of attribute is needed to store when the last activity was.
  * activity would mean a Kerberos auth or LDAP bind, or an attribute
    modification.
  * this last time info needs to be replicated.

This way, a policy like 'purge accounts inactive for 1 year' can be
implemented.
Or even get a sorted list of users by inactivity time.

I think this is a very nice functionality that FreeIPA should have.

Best regards.

-- 
Arturo Borrero González
Departamento de Seguridad Informática (nis at cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
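
Added example (not part of the original message, and not FreeIPA code): when the last-authentication timestamp is kept per replica and not replicated, as described in the quoted reply, an inactivity report has to take the newest value across all replicas before applying the one-year policy. The attribute is assumed to be an LDAP GeneralizedTime value such as krbLastSuccessfulAuth; the replica names, users and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20130917071800Z' (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def merge_last_activity(per_replica):
    """Return {uid: newest timestamp seen on any replica, or None if never seen}."""
    merged = {}
    for entries in per_replica.values():
        for uid, raw in entries.items():
            seen = parse_generalized_time(raw) if raw else None
            best = merged.get(uid)
            if uid not in merged:
                merged[uid] = seen
            elif seen is not None and (best is None or seen > best):
                merged[uid] = seen
    return merged

def inactive_accounts(per_replica, now, max_idle=timedelta(days=365)):
    """List (uid, last_seen) idle longer than max_idle, most idle first.
    Accounts with no recorded activity on any replica sort first."""
    floor = datetime.min.replace(tzinfo=timezone.utc)
    stale = [(uid, seen) for uid, seen in merge_last_activity(per_replica).items()
             if seen is None or now - seen > max_idle]
    return sorted(stale, key=lambda item: (item[1] or floor, item[0]))

# Constructed sample: what each replica reports for the assumed attribute.
SAMPLE = {
    "replica-a.example.test": {"alice": "20120301090000Z",
                               "bob": "20110105120000Z", "carol": None},
    "replica-b.example.test": {"alice": "20130910083000Z",
                               "bob": None, "carol": None},
}
NOW = datetime(2013, 9, 17, 7, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    # alice looks stale on replica-a alone, but replica-b saw her last week.
    for uid, seen in inactive_accounts(SAMPLE, NOW):
        print(uid, seen.isoformat() if seen else "never")
```

Querying a single replica would wrongly flag alice for purging, which is why the values have to be either replicated or merged at report time.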
