[SAC] LDAP: time of last usage

I was thinking that if we want to remove dormant accounts we would
need to be able to tell the time of last _usage_ for an account.

Since "usage" probably always starts with credentials verification
(even if later real usage could be based on service-local
authenticated sessions) an approximation of that query could be
done by looking at the LDAP server datastore.

According to [this article](
http://serverfault.com/questions/390747/how-can-i-determine-the-last-time-an-open-directory-network-account-was-used-on
) the LDAP server should store such info in a per-user file, can
anyone confirm?

Or, can you think of other ways to determine when an account was last
used? The aim is to drop/disable/ping-to-confirm accounts that
weren't used in a year.

--strk;

On Mon, May 09, 2016 at 07:35:43PM +0200, Sandro Santilli wrote:

> I was thinking that if we want to remove dormant accounts we would
> need to be able to tell the time of last _usage_ for an account.
>
> Since "usage" probably always starts with credentials verification
> (even if later real usage could be based on service-local
> authenticated sessions) an approximation of that query could be
> done by looking at the LDAP server datastore.
>
> According to [this article](
> http://serverfault.com/questions/390747/how-can-i-determine-the-last-time-an-open-directory-network-account-was-used-on
> ) the LDAP server should store such info in a per-user file, can
> anyone confirm?
>
> Or, can you think of other ways to determine when an account was last
> used? The aim is to drop/disable/ping-to-confirm accounts that
> weren't used in a year.

I tried using the logs, using this pattern against the syslog:

  'slapd.*BIND dn="<USER>'

Seems to give some info, but the logs don't go back more than 7 days :(

--strk;

Sandro Santilli wrote:

> According to [this article](
> http://serverfault.com/questions/390747/how-can-i-determine-the-last-time-an-open-directory-network-account-was-used-on
> ) the LDAP server should store such info in a per-user file, can
> anyone confirm?

As far as I can tell, OpenLDAP only stores creation and modification
timestamps, but no access timestamps. Aside from that, the latter are
subject to being inaccurate because many clients are caching user
objects.

> Or, can you think of other ways to determine when an account was last
> used? The aim is to drop/disable/ping-to-confirm accounts that
> weren't used in a year.

The only procedure I can imagine is to set up a dedicated, custom log
just for this special purpose - maybe from monitoring the default log.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
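The two approaches discussed in this thread (grepping syslog for `BIND dn=` lines, and keeping a dedicated "last bind" record fed from the default log) can be combined in one small script. The following is an added example, not code from this thread, from OSGeo or from OpenLDAP: it parses slapd `stats`-level syslog lines, pairs each `BIND` with the `RESULT` of the same `conn`/`op` so that only binds the server actually accepted (`err=0`) count as usage, merges the result into a persisted state so that 7-day log retention is no longer a limit, and reports accounts with no successful bind in a year. The log lines, DNs, hostname and `known_dns` list are constructed for the example; the log year has to be supplied because syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format slapd emits with loglevel
# "stats"; they are not taken from the thread or from any real server.
SAMPLE_LOG = """\
May  9 19:35:43 ldap slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
May  9 19:35:43 ldap slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
May 10 08:02:11 ldap slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
May 10 08:02:11 ldap slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
May 11 12:00:00 ldap slapd[1234]: conn=1003 op=0 BIND dn="UID=Alice,ou=people,dc=example,dc=org" method=128
May 11 12:00:00 ldap slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
May 11 12:00:05 ldap slapd[1234]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=carol)"
"""

# Common syslog prefix: timestamp, host, slapd[pid], connection and operation ids.
_PREFIX = (r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ slapd\[\d+\]: '
           r'conn=(?P<conn>\d+) op=(?P<op>\d+) ')
BIND_RE = re.compile(_PREFIX + r'BIND dn="(?P<dn>[^"]*)"')
# tag=97 is the LDAP BindResponse; err=0 means the credentials were accepted.
RESULT_RE = re.compile(_PREFIX + r'RESULT tag=97 err=(?P<err>\d+)')


def _parse_ts(raw, year):
    """syslog timestamps have no year, so the caller supplies it."""
    normalised = re.sub(r'\s+', ' ', raw)
    return datetime.strptime(normalised, '%b %d %H:%M:%S').replace(year=year)


def last_successful_bind(lines, year, state=None):
    """Return {dn: datetime of last successful bind}, merged into `state`.

    A BIND line alone is not usage: the RESULT on the same conn/op must
    carry err=0, otherwise a failed password attempt would count as activity.
    `state` is the dict returned by a previous run, so the record survives
    log rotation when the script runs from cron.
    """
    last = dict(state or {})
    pending = {}  # (conn, op) -> (dn, timestamp) waiting for its RESULT line
    for line in lines:
        m = BIND_RE.match(line)
        if m:
            # Lower-casing is a crude DN normalisation, adequate for uid-based DNs.
            pending[(m['conn'], m['op'])] = (m['dn'].lower(), _parse_ts(m['ts'], year))
            continue
        m = RESULT_RE.match(line)
        if m:
            entry = pending.pop((m['conn'], m['op']), None)
            if entry and m['err'] == '0':
                dn, ts = entry
                if dn not in last or ts > last[dn]:
                    last[dn] = ts
    return last


def dormant_accounts(known_dns, last, now, max_age=timedelta(days=365)):
    """DNs with no successful bind within `max_age`, sorted.

    Accounts that never bound do not appear in the log at all, so the
    directory's own account list (known_dns) is the starting point, not the log.
    """
    cutoff = now - max_age
    return sorted(dn for dn in (d.lower() for d in known_dns)
                  if dn not in last or last[dn] < cutoff)


if __name__ == '__main__':
    # Hypothetical account list; in practice this comes from an ldapsearch of uid.
    known = ['uid=alice,ou=people,dc=example,dc=org',
             'uid=bob,ou=people,dc=example,dc=org',
             'uid=carol,ou=people,dc=example,dc=org']
    last = last_successful_bind(SAMPLE_LOG.splitlines(), year=2016)
    for dn in dormant_accounts(known, last, now=datetime(2017, 5, 20)):
        print('dormant:', dn, 'last successful bind:', last.get(dn))
```

The state dict is what Martin's "dedicated, custom log" amounts to: run this daily over the current syslog, merge into the stored dict, and the "last bind" information outlives the 7-day log window. It still undercounts usage for services that keep their own authenticated sessions or cache user objects, as noted earlier in the thread, so the output is a candidate list for the ping-to-confirm step rather than a deletion list.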

On Sun, Sep 25, 2016 at 09:09:58PM +0000, Martin Spott wrote:

Sandro Santilli wrote:

> According to [this article](
> http://serverfault.com/questions/390747/how-can-i-determine-the-last-time-an-open-directory-network-account-was-used-on
> ) the LDAP server should store such info in a per-user file, can
> anyone confirm?

> As far as I can tell, OpenLDAP only stores creation and modification
> timestamps, but no access timestamps. Aside from that, the latter are
> subject to being inaccurate because many clients are caching user
> objects.

Caching user objects would make password changes ineffective,
are you sure this is really happening on any OSGeo service?

> Or, can you think of other ways to determine when an account was last
> used? The aim is to drop/disable/ping-to-confirm accounts that
> weren't used in a year.

> The only procedure I can imagine is to set up a dedicated, custom log
> just for this special purpose - maybe from monitoring the default log.

Please let's use the appropriate ticket [1] to keep track of progress
on this front, it also contains other references about "last bind"
info.

[1] https://trac.osgeo.org/osgeo/ticket/1675

--strk;

Sandro Santilli wrote:

> Caching user objects would make password changes ineffective,
> are you sure this is really happening on any OSGeo service?

The main purpose of "nscd" for example is to cache user objects and I'm
pretty sure several other higher level services are doing as well.
Think of a busy website authenticating against LDAP, without cache
they'd easily overload their directory service.

In order to reflect password changes they just need to look up the last
changed timestamp every once in a while, but not the entire user
object.

> Please let's use the appropriate ticket [1] to keep track of progress
> on this front, it also contains other references about "last bind"
> info.
>
> [1] https://trac.osgeo.org/osgeo/ticket/1675

Didn't see that one before (too many unread emails), will try to stick
to it.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------