On 16/09/13 15:35, Simo Sorce wrote:
> No, we need to update as it is used to unlock auto-locked accounts.
> What we decided on was to not propagate any of these operations via
> replication to avoid huge churn across all of the enterprise.
>
> Simo.
The underlying issue is: with a large-scale userbase, some method is needed to know about inactive user accounts.

Users that don't send/recv mails, users that don't bind/kinit, whatever...

* Some kind of attribute is needed to store when the last activity was.
* Activity would mean a Kerberos auth or LDAP bind, or an attribute modification.
* This last-time info needs to be replicated.

This way, a policy like 'purge accounts inactive for 1 year' can be implemented. Or even get a sorted list of users by inactivity time.

I think this is a very nice functionality that FreeIPA should have.

Best regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users