[Freeipa-users] Tracking Login Times
Rob Crittenden
rcritten at redhat.com
Mon Mar 21 17:56:27 UTC 2016
Bob wrote:
> If each IPA server tracks time of last auth independently, then one ipa
> server might disable an inactive account. But that account might be
> active on another servers. In a fail over case where the server that
> that account normally uses is down, the user would not have a usable
> account.
>
> Is it possible to use the account policy plugin? Or is there a way to
> track time of last auth that is replicated. I need to have accounts
> that have been inactive for 90 days automatically disabled.
You can't use the account policy plugin but it isn't aware of Kerberos
so it would miss potentially a lot of authentications.
You could modify replication agreements to not ignore this attribute but
you potentially create a replication "storm", particularly early morning
when everyone logs in at the same time.
In any case IPA password policy doesn't currently handle inactivity.
There is a ticket open: https://fedorahosted.org/freeipa/ticket/4975
(with a potential short-term workaround).
rob
>
> On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
> Bob wrote:
>
> We currently have 18 master ODSEE servers that we use to provide
> authentication services to Redhat, SuSE, and Solaris
> systems. We are looking to add IPA servers to the
> environment.
>
> We have a requirement to track time of last authentication.
> With ODSEE, time of last authentication tracking is enabled with
> this:
>
> dsconf set-server-prop pwd-keep-last-auth-time-enabled:on
>
> Looking at the Redhat DS 9 documentation, I see an account
> policy plug-in:
>
> cn=Account Policy Plugin,cn=plugins,cn=config
>
> Looking at the freeipa.org <http://freeipa.org> pages on the server plugins, I do not see
> the account policy plugin listed.
> http://www.freeipa.org/page/Directory_Server
>
> Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION:
> 2.156" installed on Redhat 7, I do see the account policy plugin
> in the config tree.
>
> Is the use of this account policy plugin supported with IPA?
> Should it work?
>
> IPA has its own password policy. You can get last successful
> authentication via krbLastSuccessfulAuth
>
> Don't let the attribute name mislead you, it is updated on every
> authentication.
>
> Also note that this is per-IPA master. It is not replicated.
>
> rob
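Because krbLastSuccessfulAuth is written only on the master that handled the login and is not replicated, any inactivity check has to collect the attribute from every master and keep the newest value per user before applying the 90-day rule. The following script is an added example, not code from the thread or from FreeIPA; the master hostnames, user data and the cn=users,cn=accounts base DN it assumes are constructed for illustration.

```python
# Added example: merge per-master krbLastSuccessfulAuth values and flag
# accounts with no successful authentication on ANY master in 90 days.
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90


def ldapsearch_args(master, base_dn):
    """argv for pulling the attribute from one master (GSSAPI bind assumed)."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", "ldap://%s" % master,
            "-b", base_dn, "(objectClass=krbPrincipalAux)",
            "uid", "krbLastSuccessfulAuth"]


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20160321172200Z' as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_last_auth(per_master):
    """per_master: {master: {uid: krbLastSuccessfulAuth or None}}.
    Returns {uid: newest auth time seen on any master, or None if never}."""
    merged = {}
    for entries in per_master.values():
        for uid, raw in entries.items():
            if raw is None:
                merged.setdefault(uid, None)  # seen, but never authenticated here
                continue
            ts = parse_generalized_time(raw)
            if merged.get(uid) is None or ts > merged[uid]:
                merged[uid] = ts
    return merged


def inactive_accounts(merged, now, days=INACTIVITY_DAYS):
    """uids whose newest auth across all masters is older than the cutoff."""
    cutoff = now - timedelta(days=days)
    return sorted(uid for uid, ts in merged.items() if ts is None or ts < cutoff)


# Constructed sample: each master only knows the logins it served itself.
SAMPLE = {
    "ipa1.example.test": {"alice": "20160321150000Z", "bob": "20151201080000Z", "carol": None},
    "ipa2.example.test": {"alice": "20160110090000Z", "bob": "20160318120000Z", "carol": None},
}

if __name__ == "__main__":
    now = parse_generalized_time("20160321175600Z")
    merged = merge_last_auth(SAMPLE)
    for uid in inactive_accounts(merged, now):
        print("inactive:", uid, merged[uid])
```

Run against ipa1 alone the sample would wrongly flag bob, whose recent logins went through ipa2; merging the two masters first avoids disabling an account that is active elsewhere.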