[Freeipa-users] Tracking Login Times

Rob Crittenden rcritten at redhat.com
Mon Mar 21 17:56:27 UTC 2016


Bob wrote:
> If each IPA server tracks time of last auth independently, then one ipa
> server might disable an inactive account. But that account might be
> active on another server. In a fail over case where the server that
> that account normally uses is down, the user would not have a usable
> account.
>
> Is it possible to use the account policy plugin?  Or is there a way to
> track time of last auth that is replicated?  I need to have accounts
> that have been inactive for 90 days automatically disabled.

You can't use the account policy plugin but it isn't aware of Kerberos 
so it would miss potentially a lot of authentications.

You could modify replication agreements to not ignore this attribute but 
you potentially create a replication "storm", particularly early morning 
when everyone logs in at the same time.

In any case IPA password policy doesn't currently handle inactivity. 
There is a ticket open: https://fedorahosted.org/freeipa/ticket/4975 
(with a potential short-term workaround).

rob

>
> On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     Bob wrote:
>
>         We currently have 18 master ODSEE servers that we use to provide
>         authentication services to both Redhat, SuSE, and Solaris
>         systems. We are looking to add IPA servers to
>         environment.
>
>         We have a requirement to track time of last authentication.
>         With ODSEE, time of last authentication tracking is enabled with
>         this:
>
>         *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*
>
>
>         Looking at the Redhat DS 9 documentation, I see an account
>         policy plug-in:
>
>
>         cn=Account Policy Plugin,cn=plugins,cn=config
>
>         Looking at the freeipa.org <http://freeipa.org> pages on the server
>         plugins, I do not see the account policy plugin listed.
>         http://www.freeipa.org/page/Directory_Server
>
>         Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION:
>         2.156" installed on Redhat 7, I do see the account policy plugin
>         in the config tree.
>
>
>         Is the use of this account policy plugin supported with IPA?
>         Should it work?
>
>
>     IPA has its own password policy. You can get last successful
>     authentication via krbLastSuccessfulAuth
>
>     Don't let the attribute name mislead you, it is updated on every
>     authentication.
>
>     Also note that this is per-IPA master. It is not replicated.
>
>     rob
>
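The failover problem raised in the thread, as an added example that is not code from the list or from the FreeIPA project: read krbLastSuccessfulAuth from every master, keep the newest value per user, and only then apply the 90-day rule, so a user who authenticates against a different master is not disabled. The host names, the python-ldap query helper and the sample data are assumptions.

```python
# Added example, not code from the thread: krbLastSuccessfulAuth is kept per IPA
# master and never replicated, so collect it from every master and keep the newest.
from datetime import datetime, timedelta, timezone

def parse_generalized_time(value):
    """LDAP GeneralizedTime such as '20160321172345Z', interpreted as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def latest_auth_per_user(per_master):
    """{master: {uid: time-string or None}} -> {uid: newest datetime or None}."""
    latest = {}
    for entries in per_master.values():
        for uid, value in entries.items():
            seen = parse_generalized_time(value) if value else None
            current = latest.setdefault(uid, None)
            if seen is not None and (current is None or seen > current):
                latest[uid] = seen
    return latest

def inactive_accounts(per_master, now, days=90):
    """Users idle longer than `days`, kept apart from users never seen to
    authenticate (a fresh account has no baseline and needs its own rule)."""
    cutoff = now - timedelta(days=days)
    latest = latest_auth_per_user(per_master)
    return {"inactive": sorted(u for u, t in latest.items() if t and t < cutoff),
            "never_seen": sorted(u for u, t in latest.items() if t is None)}

def fetch_last_auth(master_uri, users_base_dn):
    """Read uid and krbLastSuccessfulAuth from one master via python-ldap
    (hypothetical helper, not run here; needs a ticket allowed to read it)."""
    import ldap  # imported lazily so the logic above runs without python-ldap
    conn = ldap.initialize(master_uri)
    conn.sasl_gssapi_bind_s()
    result = {}
    for _dn, attrs in conn.search_s(users_base_dn, ldap.SCOPE_ONELEVEL,
                                    "(objectClass=krbPrincipalAux)",
                                    ["uid", "krbLastSuccessfulAuth"]):
        vals = attrs.get("krbLastSuccessfulAuth")
        result[attrs["uid"][0].decode()] = vals[0].decode() if vals else None
    return result

# Constructed sample data: the same four users as recorded by two masters.
SAMPLE_NOW = datetime(2016, 3, 21, 17, 56, 27, tzinfo=timezone.utc)
SAMPLE_PER_MASTER = {
    "ipa1.example.test": {"alice": "20160320090000Z", "bob": "20151201120000Z",
                          "carol": None, "dave": "20151215080000Z"},
    "ipa2.example.test": {"alice": "20160101000000Z", "bob": "20160318073000Z",
                          "carol": None, "dave": None},
}
```

On the sample, ipa1 alone would flag bob (last seen there in December), but ipa2 shows he authenticated three days ago, so only dave is reported inactive and carol is listed as never seen.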