On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:
On 10/12/10 17:14, Howard Chu wrote:
jonathan@phillipoux.net wrote:
On 30/07/09 13:50, jonathan@phillipoux.net wrote:
Full_Name: Jonathan Clarke
Version: RE24
OS:
URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
Submission from: (NULL) (82.67.204.30)

Hi,

Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.

A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (ie, don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.

Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.
There is an equivalent attribute defined in the latest ppolicy draft. Perhaps you could use that.
That attribute is last successful password authentication, not last authentication by any means.
For the latter, I suggest a separate attribute. At Isode, we use an authTimestamp dsaOperational attribute for this.
It's wise to have the updating of this attribute off by default.
Or just submit a patch to incorporate this feature into the current ppolicy overlay.
Indeed. At the time I wrote this overlay, I think the ppolicy draft was not yet finished or at least I wasn't aware of it. My client at the time found it useful to just add this simple overlay, without worrying about configuring ppolicy.

Since then, I actually haven't had any time to work on this overlay, but today Michael expressed an interest in it, asking for a public IPR notice, thus the "thread revival".

I hope to pick it up in the future, and at that point possibly submit a patch for ppolicy also, as you suggest.

Regards,
Jonathan
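
The following is an added illustration, not part of the thread and not code from the submitted overlay: it models the precision throttle described in the original submission and shows how an unused-account report has to allow for it, since a stored "bindTimestamp" can lag the real last bind by up to the precision interval. It assumes the attribute holds a UTC Generalized Time value; the function names and the LDIF sample are constructed for this example.

```python
from datetime import datetime, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # assumption: Generalized Time, UTC, whole seconds
DAY = 86400

def parse_gt(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def should_update(stored, now, precision):
    """Throttle rule: write only if nothing is stored yet or the stored
    value is older than `precision` seconds."""
    if stored is None:
        return True
    return (now - parse_gt(stored)).total_seconds() > precision

def parse_ldif(text):
    """Minimal reader: blank-line separated entries, plain 'attr: value' lines
    (no base64 values, no line continuations)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        entries.append(entry)
    return entries

def unused_accounts(entries, now, max_idle, precision):
    """DNs that never bound, or whose last bind is provably older than
    `max_idle` seconds. Binds within `precision` seconds after the stored
    value are not recorded, so that slack is subtracted before comparing."""
    stale = []
    for e in entries:
        stored = e.get("bindTimestamp")
        if stored is None:
            stale.append(e["dn"])
        elif (now - parse_gt(stored)).total_seconds() - precision > max_idle:
            stale.append(e["dn"])
    return stale

# Constructed sample export; carol sits 90.5 days back, inside the slack window.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
bindTimestamp: 20101210090000Z\n
dn: uid=bob,ou=people,dc=example,dc=com
bindTimestamp: 20100601120000Z\n
dn: uid=carol,ou=people,dc=example,dc=com
bindTimestamp: 20100911050000Z\n
dn: uid=svc-old,ou=people,dc=example,dc=com"""
NOW = datetime(2010, 12, 10, 17, 0, 0, tzinfo=timezone.utc)  # constructed "now"
```

With a one-day precision and a 90-day idle limit, carol is not reported even though her stored timestamp is 90.5 days old, because she may have bound again within the day after it was written.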