[Freeipa-users] Auto disable users
Martin Kosek
mkosek at redhat.com
Tue Mar 3 16:02:09 UTC 2015
On 03/03/2015 04:34 PM, Dmitri Pal wrote:
> On 03/03/2015 07:22 AM, Martin Kosek wrote:
>> On 03/03/2015 05:38 AM, Jason Prouty wrote:
>>>
>>> Is there a method to auto disable users who have logged in 90 days.
>>> I have a security requirement to auto disable users who have not logged in
>>> after 90 days.
>>>
>> There is no such facility implemented in vanilla FreeIPA. I think there was
>> another user request, but I could not find any Bugzilla or Trac ticket.
>>
>> I see 3 options how to do what you propose:
>>
>> 1) Implement a cron script that will LDAP search for such users and disable
>> them when the account is inactive for too long (based on krblastsuccessfulauth).
>
> Yes this is probably the most recommended approach.
> You do an ldap search on all the accounts that have krblastsuccessfulauth more
> than 90 days ago and then disable them one by one.
> Should be a very simple script to write.
Yup, I just did a very simple test, to prove the point:
1) I have 2 users, with different successful log auth:
# ipa user-find --all --raw | grep -iE "(dn:|krbLastSuccessfulAuth)"
dn: uid=admin,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150303155003Z
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z
2) Now I search for active users that did not log in after March 1st:
# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21"
"(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn
krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin at F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#
# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
3) I disable such user:
# ipa user-disable fbar
----------------------------
Disabled user account "fbar"
----------------------------
4) Next search:
# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21"
"(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn
krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin at F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#
# search result
search: 4
result: 0 Success
# numResponses: 1
Martin
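A cron-able version of the search-and-disable loop shown in this thread, added here as an example and not FreeIPA's own tooling. It assumes the thread's base DN under dc=f21, a Kerberos ticket (keytab in cron) for the ldapsearch -Y GSSAPI and ipa calls, and runs as a dry run unless --disable is given; --sample feeds it a constructed copy of the two entries above instead of querying the directory.

```python
"""Cron job: disable FreeIPA users idle > N days via krbLastSuccessfulAuth."""
import subprocess
import sys
from datetime import datetime, timedelta, timezone

BASE_DN = "cn=users,cn=accounts,dc=f21"   # assumption: base DN from the thread
GT = "%Y%m%d%H%M%SZ"                       # LDAP generalized time (UTC)
# Constructed sample of `ldapsearch -LLL` output, mirroring the two users above.
SAMPLE_LDIF = ("dn: uid=admin,cn=users,cn=accounts,dc=f21\n"
               "krbLastSuccessfulAuth: 20150303155003Z\n\n"
               "dn: uid=fbar,cn=users,cn=accounts,dc=f21\n"
               "krbLastSuccessfulAuth: 20150223114040Z\n\n")

def parse_generalized_time(value):
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)

def cutoff_timestamp(now, days=90):
    # Timestamp `days` before `now`; string comparison is valid in the LDAP
    # filter because the format is fixed-width, zero-padded and always UTC.
    return (now - timedelta(days=days)).strftime(GT)

def build_filter(cutoff):
    # Active accounts only. Users who never authenticated (or whose KDC does
    # not record last success) have no krbLastSuccessfulAuth and never match.
    return "(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=%s))" % cutoff

def parse_entries(ldif):
    """uid -> krbLastSuccessfulAuth, parsed from `ldapsearch -LLL` output."""
    entries, uid = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: uid="):
            uid = line[len("dn: uid="):].split(",", 1)[0]
            entries[uid] = None
        elif line.startswith("krbLastSuccessfulAuth: ") and uid:
            entries[uid] = line.split(": ", 1)[1]
    return entries

def idle_days(last_auth, now):
    return (now - parse_generalized_time(last_auth)).days

def main(argv):
    now = datetime.now(timezone.utc)
    filt = build_filter(cutoff_timestamp(now))
    ldif = SAMPLE_LDIF if "--sample" in argv else subprocess.run(
        ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-b", BASE_DN, filt,
         "krbLastSuccessfulAuth"], check=True, capture_output=True, text=True).stdout
    for uid, last in parse_entries(ldif).items():
        print("%s idle %d days" % (uid, idle_days(last, now)))
        if "--disable" in argv:                      # default is a dry run
            subprocess.run(["ipa", "user-disable", uid], check=True)

if __name__ == "__main__":
    main(sys.argv[1:])
```

Accounts that never logged in carry no krbLastSuccessfulAuth, so the server-side filter skips them; a separate search for active users lacking the attribute is needed if the policy should cover them too.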