[Freeipa-users] disable inactive accounts and delete old accounts

Giger, Justean jgiger at verizon.com
Mon Jan 9 17:39:04 UTC 2017


I should add that I do not have the "disable last success" option enabled for the IPA server.
Justean

From: Justean Giger <jgiger at one.verizon.com>
Date: Friday, January 6, 2017 at 9:10 AM
To: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Subject: disable inactive accounts and delete old accounts

I am trying to use the krblastsuccessfulauth attribute to detect accounts that have been inactive for >90 days as per this post: https://www.redhat.com/archives/freeipa-users/2015-March/msg00052.html
I need to be able to disable these accounts at 90 days then delete them after 180 days.
However, I find most of my users do not have the krblastsuccessfulauth attribute populated. This is not because their accounts have never been used, as I see they do have valid passwords which expire in the future, so they had to log in at least once (not necessarily with Kerberos though). Is there another attribute we can/should use for this?

Justean
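
Added example, not part of the original post and not FreeIPA code: one way to sort accounts against the 90-day and 180-day thresholds described above from LDIF-style search output, keeping entries that have no krbLastSuccessfulAuth value in a separate "unknown" bucket instead of treating them as inactive. The sample entries, function names and bucket names are constructed for illustration, and the parser assumes simple unfolded "attr: value" lines.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of LDIF-style output for four user entries (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20170105120000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20160901080000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
krbLastSuccessfulAuth: 20160501000000Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
"""

def parse_entries(ldif):
    """Yield (uid, last_auth or None) for each blank-line-separated entry."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key.lower()] = value  # attribute names are case-insensitive
        stamp = attrs.get("krblastsuccessfulauth")
        last = None
        if stamp:  # GeneralizedTime value, e.g. 20170105120000Z
            last = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        yield attrs["uid"], last

def classify(ldif, now, disable_after=90, delete_after=180):
    """Bucket accounts by days since the last recorded successful Kerberos auth."""
    buckets = {"active": [], "disable": [], "delete": [], "unknown": []}
    for uid, last in parse_entries(ldif):
        if last is None:
            buckets["unknown"].append(uid)  # attribute absent: needs manual review
        elif now - last > timedelta(days=delete_after):
            buckets["delete"].append(uid)
        elif now - last > timedelta(days=disable_after):
            buckets["disable"].append(uid)
        else:
            buckets["active"].append(uid)
    return buckets

if __name__ == "__main__":
    print(classify(SAMPLE_LDIF, datetime(2017, 1, 9, tzinfo=timezone.utc)))
```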