https://bugs.openldap.org/show_bug.cgi?id=9881
--- Comment #1 from Ondřej Kuzník <ondra@mistotebe.net> ---
On Fri, Jul 08, 2022 at 06:53:01PM +0000, openldap-its@openldap.org wrote:
It would be useful to add similar functionality for SASL binds.
This can be useful information that allows one to tell if an object is being actively authenticated to (generally, users and system accounts, etc). Obviously if something is directly mapped to an identity that doesn't exist in the underlying DB, that cannot be tracked.
Arguably, you might want to track the use of their identity via proxyauthz control in the same way.
A proposal as to how this should be tracked (pwdLastSuccess or a separate attribute?) and whether this should interact with any policy since pwdLastSuccess is used in *password* idle checks and the password might not have been involved here.