Felip Moll wrote:
But in the second one, the audit people imposed us to have a control of which accounts were not being used in the last year, and to delete/backup/etc them if it were the case.
You might wanna use slapo-lastbind in contrib/ for this. This maintains an operational attribute 'authTimestamp' in the user entry which records the last bind time. Unfortunately this seems to only work for LDAP simple binds. With SASL bind the attribute is not updated.
The fact is that I searched for ways of gathering statistics of account usage. The alternatives that I found were:
First, save the statistics in 2 attributes in each user: lastBind, failedBinds.
Attribute 'pwdFailureTime' is already maintained by slapo-ppolicy. The count of attribute values is the number of password failures.
- Act on the LDAP server and activate the "overlay accesslog" funcionality.
In this case, monitor every bind operation, then create a daemon that reads every X time the LDAP accesslog tree and process it.
Yes, this is another option but depending on your deployment the accesslog DB will grow very large very soon if you log all binds.
Ciao, Michael.