Dmitry Krasov via FreeIPA-users wrote:
> Thanks for answering Florence. But how can I setup auto disable\remove
> inactive users (after in about 2 months last login)?
>
This is a known limitation in IPA. If the data is collected then it will significantly reduce performance. If it is not then identifying inactive users is difficult.

Off the top of my head, not endorsing any of these ideas, you can:

1. Enable saving, but not replicating, krblastsuccessfulauth and then collect the data on each server and consolidate it into one in a database. Using the database you can search on expired users. There will be a performance hit but not as bad as also replicating, depending on how authentication is generally used. The more frequently users authenticate to Kerberos or LDAP the worse it will be.

2. More difficult but you can also do this by collecting logs from all the servers. The authentications can all be found there. Something like Elasticsearch would help.

We have tossed around ideas in the past to limit the effect of writing the lastsuccessfulauth attribute. The most promising idea is to write only when the time has exceeded some threshold. So for example, only update it once a week. With perhaps tuning for customization. Any feedback on how fine-grained you'd need would be helpful to know.

A final note. There are some very large IPA deployments. If yours is small, say a homelab, then enabling saving the attribute and probably even replicating it is probably not going to be visible. When you have tens of thousands of users you'll definitely feel it. Where in that spectrum one sees the difference is unknown but it is more than just the number of users but also how IPA is used for authentication.
rob
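A sketch of the consolidation step from option 1 in the message above, added here as an example and not part of the original post or of FreeIPA. It assumes the krbLastSuccessfulAuth values were already read from each server separately; the server names, users, timestamps and the 60-day threshold are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: krbLastSuccessfulAuth as read from each server on its own.
# The attribute is saved locally but not replicated, so the servers disagree.
PER_SERVER = {
    "ipa1.example.test": {"alice": "20240501081500Z", "bob": "20240102120000Z",
                          "carol": None},
    "ipa2.example.test": {"alice": "20240310090000Z", "bob": "20240220070000Z",
                          "carol": None, "dave": "20240425233000Z"},
}

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in the UTC 'YYYYmmddHHMMSSZ' form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def consolidate(per_server):
    """Return {uid: newest auth time across all servers, or None if never seen}."""
    latest = {}
    for users in per_server.values():
        for uid, raw in users.items():
            seen = parse_generalized_time(raw) if raw else None
            prev = latest.get(uid)
            if uid not in latest or (seen and (prev is None or seen > prev)):
                latest[uid] = seen
    return latest

def inactive_users(per_server, now, max_idle=timedelta(days=60)):
    """Split users into (idle longer than max_idle, never authenticated)."""
    idle, never = [], []
    for uid, last in sorted(consolidate(per_server).items()):
        if last is None:
            never.append(uid)   # report separately: may be a new account
        elif now - last > max_idle:
            idle.append(uid)
    return idle, never

if __name__ == "__main__":
    now = datetime(2024, 5, 15, tzinfo=timezone.utc)
    idle, never = inactive_users(PER_SERVER, now)
    print("idle > 60 days:", idle)
    print("no recorded authentication:", never)
```

Judging from a single server's values would flag alice as idle even though she authenticated recently on the other server, which is why the per-server data has to be merged before any account is disabled.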