https://bugs.openldap.org/show_bug.cgi?id=9881
Issue ID: 9881
Summary: Ability to track last authentication for database objects
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
For simple binds, we have the ability to track the last success via the lastbind functionality (pwdLastSuccess attribute). However this doesn't allow one to see when an object that exists in a database last authenticated via SASL.
It would be useful to add similar functionality for SASL binds.
This can be useful information that allows one to tell if an object is being actively authenticated to (generally, users and system accounts, etc). Obviously if something is directly mapped to an identity that doesn't exist in the underlying DB, that cannot be tracked.
Quanah Gibson-Mount quanah@openldap.org changed:

            What    |Removed       |Added
----------------------------------------------------------------------------
        Keywords    |needs_review  |
Target Milestone    |---           |2.7.0
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
On Fri, Jul 08, 2022 at 06:53:01PM +0000, openldap-its@openldap.org wrote:
> It would be useful to add similar functionality for SASL binds.
>
> This can be useful information that allows one to tell if an object is being actively authenticated to (generally, users and system accounts, etc). Obviously if something is directly mapped to an identity that doesn't exist in the underlying DB, that cannot be tracked.
Arguably, you might want to track the use of their identity via proxyauthz control in the same way.
A proposal is needed as to how this should be tracked (pwdLastSuccess or a separate attribute?) and whether this should interact with any policy, since pwdLastSuccess is used in *password* idle checks and the password might not have been involved here.
Quanah Gibson-Mount quanah@openldap.org changed:

            What    |Removed       |Added
----------------------------------------------------------------------------
        Severity    |normal        |enhancement
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Potentially two new attributes:

* lastAuthC - Direct authentication
* lastAuthZ - Proxied authentication
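The report describes the practical use of pwdLastSuccess (spotting objects that are no longer being authenticated to) and its blind spot for SASL binds and proxyauthz; comment #2 floats lastAuthC and lastAuthZ as names for closing that gap. The following is an added example written for this page, not OpenLDAP code, showing what such an audit looks like over the LDIF that `ldapsearch -LLL` returns. The LDIF is constructed sample data, the LDIF reader is deliberately minimal (no base64 `::` values, no line folding), and lastAuthC/lastAuthZ are treated as hypothetical attributes: they are only proposed in this issue and exist in no released slapd. With only pwdLastSuccess available, a SASL-only service account is indistinguishable from one that has never authenticated, which is the point of the report.

```python
"""Stale-account audit over ppolicy's pwdLastSuccess (added example).

Entries that have not authenticated within MAX_IDLE_DAYS are reported as
stale. Entries with no tracked timestamp are reported as "untracked"
rather than stale: pwdLastSuccess is only written on a successful simple
bind, so a SASL-only or proxyauthz-only account looks identical to one
that was never used. The attribute names lastAuthC and lastAuthZ are
hypothetical (proposed in ITS#9881, not implemented anywhere).
"""
from datetime import datetime, timedelta, timezone

MAX_IDLE_DAYS = 90
TRACKED_ATTRS = ("pwdLastSuccess", "lastAuthC", "lastAuthZ")

# Constructed sample output of `ldapsearch -LLL ... pwdLastSuccess lastAuthC lastAuthZ`;
# not taken from a real directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdLastSuccess: 20240601120000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdLastSuccess: 20231001083000Z

dn: uid=svc-backup,ou=people,dc=example,dc=com
uid: svc-backup

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
lastAuthC: 20240605090000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries


def parse_generalized_time(value):
    """RFC 4517 GeneralizedTime in the form slapd writes it: YYYYmmddHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def last_auth(entry, attrs=TRACKED_ATTRS):
    """Most recent timestamp across all tracked attributes, or None if none is set."""
    stamps = [parse_generalized_time(v) for a in attrs for v in entry.get(a, [])]
    return max(stamps) if stamps else None


def audit(ldif_text, now_generalized_time, max_idle_days=MAX_IDLE_DAYS):
    """Classify each entry as active, stale, or untracked relative to `now`."""
    now = parse_generalized_time(now_generalized_time)
    cutoff = now - timedelta(days=max_idle_days)
    report = {"active": [], "stale": [], "untracked": []}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        ts = last_auth(entry)
        if ts is None:
            report["untracked"].append(dn)   # no simple bind ever recorded: SASL-only? never used?
        elif ts < cutoff:
            report["stale"].append(dn)
        else:
            report["active"].append(dn)
    return report


if __name__ == "__main__":
    for bucket, dns in audit(SAMPLE_LDIF, "20240701000000Z").items():
        print(bucket, dns)
```

Run against a live directory by replacing SAMPLE_LDIF with the output of `ldapsearch -LLL -b "ou=people,dc=example,dc=com" "(objectClass=person)" pwdLastSuccess`; until something like lastAuthC/lastAuthZ exists, every entry in the "untracked" bucket needs to be checked by hand against SASL bind logs before it is treated as dormant.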
Quanah Gibson-Mount quanah@openldap.org changed:

            What    |Removed       |Added
----------------------------------------------------------------------------
        See Also    |              |https://bugs.openldap.org/show_bug.cgi?id=9220