https://bugzilla.redhat.com/show_bug.cgi?id=810912 (Red Hat Directory Server)
Would like to be able to track user login times using the lastLoginTime attribute without having to set up a policy in the Account Policy Plugin based on the accountInactivityLimit attribute that would disable the account. Only looking to use the lastLoginTime for tracking purposes without enforcing any sort of lockout of the account. The ability to use a "0" or "-1" in the accountInactivityLimit attribute to indicate no inactivity timeout would also work. Need the ability to track "dormant" or inactive users so that they may be purged from the directory. Support for tracking the date/time of last successful directory login would make detecting unused/inactive accounts easier. Obtaining the date/time of the last successful BIND for a given user, from within the directory is possible when using Account Policy Plug-in, but not without setting up the accountInactivityTimeout in a policy which would cause the account to become locked upon expiration.
In version 1.2.10.x the following ldif seemed to work to just change the lastloginTime (without any accountInactivityTimeout positioned):

    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: nsslapd-pluginEnabled
    nsslapd-pluginEnabled: on

    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    changetype: modify
    replace: alwaysrecordlogin
    alwaysrecordlogin: yes

Has it changed in 1.2.11.x?
All you need are these two entries in the dse.ldif:

    dn: cn=Account Policy Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: nsSlapdPlugin
    objectClass: extensibleObject
    cn: acct_policy_plugin
    nsslapd-pluginPath: libacctpolicy-plugin
    nsslapd-pluginInitfunc: acct_policy_init
    nsslapd-pluginType: object
    nsslapd-pluginEnabled: on
    nsslapd-plugin-depends-on-type: database
    nsslapd-pluginId: acct-policy
    nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

    dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: extensibleObject
    cn: config
    alwaysrecordlogin: yes
    stateattrname: lastLoginTime
    altstateattrname: createTimestamp
    specattrname: acctPolicySubentry
    limitattrname: accountInactivityLimit

The only way an account can get locked is if you add the acctPolicySubentry attribute to a user entry.
So if you don't want an account to get inactivated, don't add the acctPolicySubentry to the user entry.
Closing ticket.
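
With `alwaysrecordlogin: yes` recording lastLoginTime as described in this ticket, dormant accounts can be reported from the stored timestamps without any lockout policy. The following is an added example, not code from the ticket or from 389-ds-base: it reads LDIF shaped like ldapsearch output and lists entries idle longer than a threshold, falling back to createTimestamp as the altstateattrname setting above does. The sample entries, the threshold and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like the output of an ldapsearch that requests
# lastLoginTime and createTimestamp for user entries.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
lastLoginTime: 20120501101500Z
createTimestamp: 20100112080000Z

dn: uid=bob,ou=People,dc=example,dc=com
lastLoginTime: 20110302090000Z
createTimestamp: 20090820120000Z

dn: uid=carol,ou=People,dc=example,
 dc=com
createTimestamp: 20101105160000Z

dn: uid=dave,ou=People,dc=example,dc=com
createTimestamp: 20120420093000Z
"""

def parse_entries(ldif):
    """Yield one {lowercased_attr: value} dict per record; folded lines are joined."""
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")
    for record in unfolded.split("\n\n"):
        entry = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            entry[name.lower()] = value.strip()  # base64 ("::") values are not decoded
        if "dn" in entry:
            yield entry

def gtime(value):
    """Parse the GeneralizedTime form YYYYMMDDHHMMSSZ as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def dormant_accounts(ldif, now, max_idle_days):
    """Return (dn, reference_attr, idle_days) for entries idle longer than max_idle_days."""
    hits = []
    for e in parse_entries(ldif):
        # Accounts that never bound have no lastLoginTime: use createTimestamp instead.
        attr = "lastlogintime" if "lastlogintime" in e else "createtimestamp"
        if attr in e and (idle := (now - gtime(e[attr])).days) > max_idle_days:
            hits.append((e["dn"], attr, idle))
    return sorted(hits, key=lambda h: -h[2])
```

Calling `dormant_accounts(SAMPLE_LDIF, datetime.now(timezone.utc), 90)` returns the stale entries, longest idle first, with the attribute each result was based on so never-logged-in accounts can be reviewed separately.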
Added initial screened field value.
Metadata Update from @nkinder:
- Issue assigned to mreynolds
- Issue set to the milestone: 1.2.11.5
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/371
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Invalid)