[Freeipa-users] Date of last access attribute

Petr Spacek pspacek at redhat.com
Tue Sep 17 08:38:45 UTC 2013


On 17.9.2013 09:18, Arturo Borrero wrote:
> On 16/09/13 15:35, Simo Sorce wrote:
>>
>> No, we need to update as it is used to unlock auto-locked accounts. What
>> we decided on was to not propagate any of these operations via
>> replication to avoid huge churn across all of the enterprise.
>>
>> Simo.
>>
>
> The underlying issue is: with a large scale userbase, some method is needed to
> know about inactive user accounts.
> Users that don't send/recv mails, users that don't bind/kinit, whatever..
>
>   * some kind of attribute is needed to store when was the last activity.
>   * activity would mean a kerberos auth or ldap bind, or an attribute
> modification.
>   * this last time info needs to be replicated.
>
> This way, a policy like 'purge accounts inactive by 1 year' can be implemented.
> Or even get a sorted list of user by inactivity time.
>
> I think this is a very nice functionality that FreeIPA should have.

Interesting idea, but it needs careful design not to omit any possible case.

Please create RFE ticket (request for enhancement):
https://fedorahosted.org/freeipa/newticket

You will need a Fedora Account; please follow this:
https://fedoraproject.org/wiki/Account_System/NewAccount


The workaround for now is to read the attributes krbLastSuccessfulAuth & lastLoginTime 
from all replicas and use the highest value. A simple script with ldapsearch could work.

-- 
Petr^2 Spacek