Thank you so much Rob - we have a fairly small amount of users (45) spread
over multiple countries, so I think the Monday morning storm shouldn't be a
problem.

I shall test and see!

Thanks

On Wed, 4 Sep 2019 at 18:13, Rob Crittenden <rcrit...@redhat.com> wrote:

> Morgan Cox via FreeIPA-users wrote:
> > Hi.
> >
> > For PCI DSS compliance I need to be able to disable users not logged in
> for X amount of days (I think it's 90).
> >
> > I was going to create a script which checks last login time (I have a
> similar one for expired passwords), however I cannot find a way of doing
> so.
> >
> > I have searched for info and found I should be able to get the info from
> the krbLastSuccessfulAuth value using
> >
> > # ipa user-find --all --raw
> >
> > But that field is not there.
> >
> > Also seen I can use
> >
> > # ipa user-status user
> >
> > But the value always shows
> >
> > '  Last successful authentication: N/A'
> >
> > Also seen using ldapsearch
> >
> > # ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser
> >
> > And the value is also missing.
> >
> > Reading about this it seems the value is cancelled when using replicas -
> is that right?
> >
> > How can I perform what I need to - i.e. how to check last login time for
> a user from the IPA servers (not on a per ipa client basis)? Or is there a
> different way to disable inactive users?
>
> FWIW the FreeIPA team is discussing implementing an MVP of this now. A
> design should be up soon.
>
> Storing the last successful auth was disabled for performance reasons.
> You can re-enable it by removing the password policy option "KDC:Disable
> Last Success". This will write the last login value per-master. It is
> also disabled in all replication agreements. If you must enable
> replication for this look in each agreement for
> nsDS5ReplicatedAttributeList and remove krblastsuccessfulauth (not
> recommended).
>
> Just know that on Monday mornings you are inviting either a write storm
> or a replication storm (or both). YMMV.
>
> This will count all Kerberos and LDAP auth requests.
>
> rob
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
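Added example (not from the thread): the inactivity check Morgan wants to script, taking into account Rob's point that once "KDC:Disable Last Success" is removed, krbLastSuccessfulAuth is written per master and not replicated, so every master must be queried and the newest value kept per user. The hostnames, sample ldapsearch output and report time are constructed; the 90-day threshold is the one from the thread.

```python
"""Merge per-master krbLastSuccessfulAuth values to find users idle for 90+ days."""
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # PCI DSS threshold mentioned in the thread

# Constructed sample (hypothetical masters) of the LDIF returned by, run against EACH master:
#   ldapsearch -x -D "cn=Directory Manager" -W -LLL -b cn=users,cn=accounts,<suffix> \
#       '(objectClass=posixAccount)' uid krbLastSuccessfulAuth        (dn lines omitted here)
MASTER_OUTPUT = {
    "ipa1.example.test": "uid: bob\nkrbLastSuccessfulAuth: 20190401083000Z\n\n"
                         "uid: carol\n\n"
                         "uid: dave\nkrbLastSuccessfulAuth: 20190301090000Z\n",
    "ipa2.example.test": "uid: bob\nkrbLastSuccessfulAuth: 20190815083000Z\n\n"  # only ipa2 served this login
                         "uid: carol\n\n"
                         "uid: dave\nkrbLastSuccessfulAuth: 20190315090000Z\n",
}
REPORT_TIME = datetime(2019, 9, 4, 18, 13, tzinfo=timezone.utc)  # constructed: date of the thread

def parse_ldif(text):
    """Map uid -> aware datetime, or None when the attribute is absent on this master."""
    users = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        if "uid" in attrs:
            stamp = attrs.get("krbLastSuccessfulAuth")  # GeneralizedTime, e.g. 20190815083000Z
            users[attrs["uid"]] = (datetime.strptime(stamp, "%Y%m%d%H%M%SZ")
                                   .replace(tzinfo=timezone.utc) if stamp else None)
    return users

def merge_masters(outputs):
    """Keep the newest timestamp per uid across all masters; None if no master has one."""
    latest = {}
    for text in outputs.values():
        for uid, stamp in parse_ldif(text).items():
            if stamp is not None and (latest.get(uid) is None or stamp > latest[uid]):
                latest[uid] = stamp
            else:
                latest.setdefault(uid, None)
    return latest

def classify(latest, now, max_days=INACTIVE_DAYS):
    """Return (inactive, unknown): users idle longer than max_days, and users with no value anywhere."""
    cutoff = now - timedelta(days=max_days)
    inactive = sorted(u for u, s in latest.items() if s is not None and s < cutoff)
    unknown = sorted(u for u, s in latest.items() if s is None)  # never recorded: review, don't auto-disable
    return inactive, unknown

if __name__ == "__main__":
    inactive, unknown = classify(merge_masters(MASTER_OUTPUT), REPORT_TIME)
    print("disable:", inactive, "| review manually:", unknown)
```

Querying a single master would also flag bob, whose recent login was only recorded on ipa2; the "unknown" bucket covers users with no value on any master (for example, those who have not authenticated since the option was enabled) and should not be disabled automatically.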
