[Freeipa-users] Tracking Login Times

Martin Kosek mkosek at redhat.com
Wed Mar 23 11:35:45 UTC 2016


On 03/21/2016 06:56 PM, Rob Crittenden wrote:
> Bob wrote:
>> If each IPA server tracks time of last auth independently, then one IPA
>> server might disable an inactive account. But that account might be
>> active on other servers. In a failover case where the server that
>> that account normally uses is down, the user would not have a usable
>> account.
>>
>> Is it possible to use the account policy plugin?  Or is there a way to
>> track time of last auth that is replicated.  I need to have accounts
>> that have been inactive for 90 days automatically disabled.
> 
> You can't use the account policy plugin but it isn't aware of Kerberos so it
> would miss potentially a lot of authentications.
> 
> You could modify replication agreements to not ignore this attribute but you
> potentially create a replication "storm", particularly early morning when
> everyone logs in at the same time.
> 
> In any case IPA password policy doesn't currently handle inactivity. There is a
> ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential
> short-term workaround).

JFTR, this is the ticket with failed login replication RFE:
https://fedorahosted.org/freeipa/ticket/3700

Martin
