Oh, now that is interesting. What is the name of that overlay?
Anyway, another option is to use your central logging host (you do have
one, right? ;-) to monitor logins and update a table somewhere with that
information. You can then do a nightly batch update against your expired
accounts in LDAP and set a value such as accountActive to No. If you
don't support an extended attribute like accountActive (or whatever you
name it), then you can also scramble the password.
So, yes, a central logging host would be helpful here. :)
--
Puryear IT, LLC
Identity Management, Directory Services, Systems Integration
Baton Rouge, LA * 225-706-8414 *
http://www.puryear-it.com
"Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
Pierangelo Masarati wrote:
Aharon Verno wrote:
> Thanks for the reply. That's exactly what we're trying to do, disable
> rather than delete. The plan is to have some sort of check for the
> number of days since last login and then send out an email to our
> Operators when it's hit 60 and then 90 days without a login. At that
> point it should either be disabled automatically, or an Operator
> should do it manually. This is mainly due to security risks with
> email accounts. Our email system is tied into the LDAP so I want to
> check the last LDAP authentication. The part I'm getting stuck on is
> exactly how to keep track of the last login for a user. Do you have
> any tips about this?
we developed an overlay that adds an operational attribute that keeps
count of the last (successful/unsuccessful) login attempt of a user. The
key issue is (loose) replication; the value is logged separately by the
provider and by the consumers, and a batch process syncs it
periodically. In case of a sync error (e.g. one logs during a sync),
the worst case is that the counter gets out of date by a sync period,
which is usually much shorter than any critical time (in your case,
60/90 days). This algorithm hasn't been specified yet for syncrepl,
although it shouldn't be an issue.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------