10:55 a.m.
I was wondering if there was a way to automatically disable an account that
hasn't been logged into for a period of time? We use OpenLDAP to give
entitlements for our email system and we would love a way to automatically
shutdown accounts that haven't been authenticated to in X days. Thanks for
any help with this.
9:21 a.m.
"Aharon Verno" <averno(a)berklee.edu> writes:
I was wondering if there was a way to automatically disable an
account that
hasn’t been logged into for a period of time? We use OpenLDAP to give
entitlements for our email system and we would love a way to automatically
shutdown accounts that haven’t been authenticated to in X days. Thanks for any
help with this.
Depending on the number of entries in question and the time to live of
this objects you may want to have a look at slapo-dds(5).
You could probably create a dynamic object as soon as a user logs in,
and allow a given ttl or some similar strategy,
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
9:41 a.m.
Dieter Kluenter wrote:
"Aharon Verno" <averno(a)berklee.edu> writes:
> I was wondering if there was a way to automatically disable an account that
> hasn’t been logged into for a period of time? We use OpenLDAP to give
> entitlements for our email system and we would love a way to automatically
> shutdown accounts that haven’t been authenticated to in X days. Thanks for any
> help with this.
Depending on the number of entries in question and the time to live of
this objects you may want to have a look at slapo-dds(5).
You could probably create a dynamic object as soon as a user logs in,
and allow a given ttl or some similar strategy,
This would __delete__ the account; furthermore, you'd need to setup
something to "touch" the TTL any time the account is used. I think
something dedicated should rather been implemented, which logs the time
of a login and, periodically, checks if any account needs to be disabled
(e.g. inhibit logging, not remove the entry). It shouldn't be too
difficult.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
7:24 a.m.
Thanks for the reply. That's exactly what we're trying to do,
disable rather than delete. The plan is to have some sort of check
for the number of days since last login and then send out an email to
our Operators when it's hit 60 and then 90 days without a login. At
that point it should either be disabled automatically, or an Operator
should do it manually. This is mainly due to security risks with
email accounts. Our email system is tied into the LDAP so I want to
check the last LDAP authentication. The part I'm getting stuck on is
exactly how to keep track of the last login for a user. Do you have
any tips about this?
Aharon Verno
Berklee College of Music
617-747-2629
On Jun 30, 2007, at 12:41 PM, Pierangelo Masarati wrote:
Dieter Kluenter wrote:
> "Aharon Verno" <averno(a)berklee.edu> writes:
>
>> I was wondering if there was a way to automatically disable an
>> account that
>> hasn’t been logged into for a period of time? We use OpenLDAP
>> to give
>> entitlements for our email system and we would love a way to
>> automatically
>> shutdown accounts that haven’t been authenticated to in X
>> days. Thanks for any
>> help with this.
>
> Depending on the number of entries in question and the time to
> live of
> this objects you may want to have a look at slapo-dds(5).
> You could probably create a dynamic object as soon as a user logs in,
> and allow a given ttl or some similar strategy,
This would __delete__ the account; furthermore, you'd need to setup
something to "touch" the TTL any time the account is used. I think
something dedicated should rather been implemented, which logs the
time
of a login and, periodically, checks if any account needs to be
disabled
(e.g. inhibit logging, not remove the entry). It shouldn't be too
difficult.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
9:07 a.m.
Aharon Verno wrote:
Thanks for the reply. That's exactly what we're trying to
do, disable
rather than delete. The plan is to have some sort of check for the
number of days since last login and then send out an email to our
Operators when it's hit 60 and then 90 days without a login. At that
point it should either be disabled automatically, or an Operator should
do it manually. This is mainly due to security risks with email
accounts. Our email system is tied into the LDAP so I want to check the
last LDAP authentication. The part I'm getting stuck on is exactly how
to keep track of the last login for a user. Do you have any tips about
this?
we developed an overlay that adds an operational attribute that keeps
count of the last (successful/unsuccessful) login attempt of a user.
The key issue is (loose) replication; the value is logged separately by
the provider and by the consumers, and a batch process syncs it
periodically. In case of a sync error (e.g. one logs during a sync),
the worst case is that the counter gets out of date by a sync period,
which is usually much shorter than any critical time (in your case,
60/90 days). This algorithm hasn't been specified yet for syncrepl,
although it shouldn't be an issue.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
7:17 a.m.
Oh, now that is interesting. What is the name of that overlay?
Anyway, another option is to use your central logging host (you do have
one, right? ;-) to monitor logins and update a table somewhere with that
information. You can then do a nightly batch update against your expired
accounts in LDAP and set a value such as accountActive to No. If you
don't support an extended attribute like accountActive (or whatever you
name it), then you can also scramble the password.
So, yes, a central logging host would be helpful here. :)
--
Puryear IT, LLC
Identity Management, Directory Services, Systems Integration
Baton Rouge, LA * 225-706-8414 * http://www.puryear-it.com
"Best Practices for Managing Linux and UNIX Servers"
http://www.puryear-it.com/pubs/linux-unix-best-practices
Pierangelo Masarati wrote:
Aharon Verno wrote:
> Thanks for the reply. That's exactly what we're trying to do, disable
> rather than delete. The plan is to have some sort of check for the
> number of days since last login and then send out an email to our
> Operators when it's hit 60 and then 90 days without a login. At that
> point it should either be disabled automatically, or an Operator
> should do it manually. This is mainly due to security risks with
> email accounts. Our email system is tied into the LDAP so I want to
> check the last LDAP authentication. The part I'm getting stuck on is
> exactly how to keep track of the last login for a user. Do you have
> any tips about this?
we developed an overlay that adds an operational attribute that keeps
count of the last (successful/unsuccessful) login attempt of a user. The
key issue is (loose) replication; the value is logged separately by the
provider and by the consumers, and a batch process syncs it
periodically. In case of a sync error (e.g. one logs during a sync),
the worst case is that the counter gets out of date by a sync period,
which is usually much shorter than any critical time (in your case,
60/90 days). This algorithm hasn't been specified yet for syncrepl,
although it shouldn't be an issue.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
5516
days inactive
5530
days old
openldap-software@openldap.org
5 comments
4 participants
participants (4)
-
Aharon Verno -
Dieter Kluenter -
Dustin Puryear -
Pierangelo Masarati