Full_Name: Jonathan Clarke
Version: RE24
OS:
URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
Submission from: (NULL) (82.67.204.30)

Hi,

Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.

A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.

Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.

I post it here in the hope that it may serve others, and in case the OpenLDAP project wishes to include it in one form or another. I would most appreciate any comments or feedback.

Regards,
Jonathan

PS: please note that the OIDs used are not registered, but used temporarily. I do not currently have access to a registered OID to use.
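An added example, not code from the lastbind overlay or from OpenLDAP, modelling the two behaviours described in the submission: the olcLastBindPrecision rule that suppresses a write unless the stored stamp is older than the configured number of seconds, and the unused-account report that bindTimestamp is meant to support. The LDIF entries, the evaluation time and the 90-day threshold are constructed for illustration.

```python
"""Added example, not code from the lastbind overlay or OpenLDAP: models the
write-suppression rule behind olcLastBindPrecision and the unused-account
report that bindTimestamp is meant to support. All sample data is constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# LDAP GeneralizedTime as slapd stores it (syntax 1.3.6.1.4.1.1466.115.121.1.24)
GT_FMT = "%Y%m%d%H%M%SZ"

def parse_generalized_time(value: str) -> datetime:
    """'20101210083000Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)

def should_update(stored: Optional[str], now: datetime, precision: int) -> bool:
    """Precision rule: write only if nothing is stored yet or the stored stamp
    is older than `precision` seconds, so a busy account is not rewritten on
    every bind."""
    if stored is None:
        return True
    return (now - parse_generalized_time(stored)).total_seconds() > precision

def record_bind(entry: Dict[str, str], now: datetime, precision: int) -> bool:
    """Simulates the overlay's hook after a successful bind; True if it wrote."""
    if not should_update(entry.get("bindTimestamp"), now, precision):
        return False
    entry["bindTimestamp"] = now.astimezone(timezone.utc).strftime(GT_FMT)
    return True

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader for the sample: single-valued, no base64, no wraps."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, value = line.split(": ", 1)
        current[key] = value
    if current:
        entries.append(current)
    return entries

def unused_accounts(entries: List[Dict[str, str]], now: datetime,
                    max_idle_days: int) -> List[str]:
    """DNs with no bind inside max_idle_days. An entry lacking bindTimestamp is
    reported too: it has not bound since the overlay was enabled, which is not
    the same as never used, so review those separately before disabling."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for entry in entries:
        stored = entry.get("bindTimestamp")
        if stored is None or parse_generalized_time(stored) < cutoff:
            stale.append(entry["dn"])
    return stale

# Constructed sample directory content and evaluation time (2010-12-10 14:00Z).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
bindTimestamp: 20101210083000Z

dn: uid=bob,ou=people,dc=example,dc=com
bindTimestamp: 20100601120000Z

dn: uid=svc-backup,ou=people,dc=example,dc=com
"""
NOW = datetime(2010, 12, 10, 14, 0, tzinfo=timezone.utc)
```

With a precision of 3600 seconds alice's 08:30 stamp is rewritten at 14:00, with 86400 it is left alone; the 90-day report lists bob and the service account that has no stamp at all.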
jonathan@phillipoux.net wrote:
> Full_Name: Jonathan Clarke
> Version: RE24
> OS:
> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
> Submission from: (NULL) (82.67.204.30)
>
> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.

Detecting unused accounts can also be somewhat achieved by using slapo-accesslog with the configuration directive "logops session". Still, I see some value for such a simple overlay.

> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.

Things to consider:

Is this attribute supposed to be replicated?

How about adding configuration parameters so you can specify 1. the attribute type used and 2. the datetime format? This could be handy in situations where you want to mimic the behaviour of other LDAP servers.

Ciao, Michael.
moved from Incoming to Contrib
On 30/07/09 13:50, jonathan@phillipoux.net wrote:
> Full_Name: Jonathan Clarke
> Version: RE24
> OS:
> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
> Submission from: (NULL) (82.67.204.30)
>
> Hi,
>
> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.
>
> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>
> Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.
>
> I post it here in the hope that it may serve others, and in case the OpenLDAP project wishes to include it in one form or another. I would most appreciate any comments or feedback.
>
> Regards,
> Jonathan
>
> PS: please note that the OIDs used are not registered, but used temporarily. I do not currently have access to a registered OID to use.

To respond to an off-list request, I'd like to add an IPR notice to this contribution:

The above mentioned files are derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the files were developed by Jonathan Clarke <jonathan@phillipoux.net>. I have not assigned rights and/or interest in this work to any party.

Hope this is the right wording...

Jonathan
On Dec 10, 2010, at 6:43 AM, jonathan@phillipoux.net wrote:
> I'd like to add an IPR notice to this contribution:

I note that you only provide half the notice. A complete notice would be followed by a statement of what license the contribution is provided under.

-- Kurt
On 10/12/10 14:53, Kurt Zeilenga wrote:
> On Dec 10, 2010, at 6:43 AM, jonathan@phillipoux.net wrote:
>> I'd like to add an IPR notice to this contribution:
>
> I note that you only provide half the notice. A complete notice would be followed by a statement of what license the contribution is provided under.

Ah, the licence is included in the files, but I repeat it here for clarity:

 * Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted only as authorized by the OpenLDAP
 * Public License.
 *
 * A copy of this license is available in the file LICENSE in the
 * top-level directory of the distribution or, alternatively, at
 * <http://www.OpenLDAP.org/license.html>.

Jonathan
jonathan@phillipoux.net wrote:
> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>> Full_Name: Jonathan Clarke
>> Version: RE24
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>> Submission from: (NULL) (82.67.204.30)
>>
>> Hi,
>>
>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.
>>
>> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>>
>> Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.

There is an equivalent attribute defined in the latest ppolicy draft. Perhaps you could use that. Or just submit a patch to incorporate this feature into the current ppolicy overlay.

>> I post it here in the hope that it may serve others, and in case the OpenLDAP project wishes to include it in one form or another. I would most appreciate any comments or feedback.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On 10/12/10 17:14, Howard Chu wrote:
> jonathan@phillipoux.net wrote:
>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>> Full_Name: Jonathan Clarke
>>> Version: RE24
>>> OS:
>>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>> Submission from: (NULL) (82.67.204.30)
>>>
>>> Hi,
>>>
>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.
>>>
>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>>>
>>> Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.
>
> There is an equivalent attribute defined in the latest ppolicy draft. Perhaps you could use that. Or just submit a patch to incorporate this feature into the current ppolicy overlay.

Indeed. At the time I wrote this overlay, I think the ppolicy draft was not yet finished, or at least I wasn't aware of it. My client at the time found it useful to just add this simple overlay, without worrying about configuring ppolicy.

Since then, I actually haven't had any time to work on this overlay, but today Michael expressed an interest in it, asking for a public IPR notice, thus the "thread revival".

I hope to pick it up in the future, and at that point possibly submit a patch for ppolicy also, as you suggest.

Regards,
Jonathan
On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:
> On 10/12/10 17:14, Howard Chu wrote:
>> jonathan@phillipoux.net wrote:
>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>> Full_Name: Jonathan Clarke
>>>> Version: RE24
>>>> OS:
>>>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>> Submission from: (NULL) (82.67.204.30)
>>>>
>>>> Hi,
>>>>
>>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.
>>>>
>>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>>>>
>>>> Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.
>>
>> There is an equivalent attribute defined in the latest ppolicy draft. Perhaps you could use that.

That attribute is last successful password authentication, not last authentication by any means.

For the latter, I suggest a separate attribute. At Isode, we use an authTimestamp dsaOperational attribute for this.

It's wise to have the updating of this attribute off by default.

>> Or just submit a patch to incorporate this feature into the current ppolicy overlay.
>
> Indeed. At the time I wrote this overlay, I think the ppolicy draft was not yet finished, or at least I wasn't aware of it. My client at the time found it useful to just add this simple overlay, without worrying about configuring ppolicy.
>
> Since then, I actually haven't had any time to work on this overlay, but today Michael expressed an interest in it, asking for a public IPR notice, thus the "thread revival".
>
> I hope to pick it up in the future, and at that point possibly submit a patch for ppolicy also, as you suggest.
>
> Regards,
> Jonathan
Kurt@OpenLDAP.org wrote:
> On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:
>> On 10/12/10 17:14, Howard Chu wrote:
>>> jonathan@phillipoux.net wrote:
>>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>>> Full_Name: Jonathan Clarke
>>>>> Version: RE24
>>>>> OS:
>>>>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>>> Submission from: (NULL) (82.67.204.30)
>>>>>
>>>>> Hi,
>>>>>
>>>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that intercepts successful binds and records the current timestamp in an attribute named "bindTimestamp" in the bound-to entry. Its original use-case is to detect unused accounts.
>>>>>
>>>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum precision for the timestamp (i.e., don't update the timestamp unless it's older than <n> seconds). This avoids a performance hit from many unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>>>>>
>>>>> Of course, the behaviour this overlay implements is not described in any RFC, or other. However, it closely resembles some of the functionality from the password policy overlay, and similar functionality already exists in other LDAP servers.
>>>
>>> There is an equivalent attribute defined in the latest ppolicy draft. Perhaps you could use that.
>
> That attribute is last successful password authentication, not last authentication by any means.
>
> For the latter, I suggest a separate attribute. At Isode, we use an authTimestamp dsaOperational attribute for this.
>
> It's wise to have the updating of this attribute off by default.

Good point. In that case it's probably fine as a separate overlay, the way it is now. Can we use the schema definition that Isode is using?

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On Dec 10, 2010, at 12:02 PM, Howard Chu wrote:
> Good point. In that case it's probably fine as a separate overlay, the way it is now. Can we use the schema definition that Isode is using?

Not only yes, but hell yes. Reuse and convergence is a good thing.

( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
    DESC 'last successful authentication using any method/mech'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )

And we use this attribute in our configuration object to enable/disable (default disabled).

( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
    DESC 'enable recording of last successful authentication using any method/mech'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE USAGE dsaOperation )
Kurt@OpenLDAP.org wrote:
> ( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
>     DESC 'last successful authentication using any method/mech'
>     EQUALITY generalizedTimeMatch
>     ORDERING generalizedTimeOrderingMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>     SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )
>
> And we use this attribute in our configuration object to enable/disable (default disabled).
>
> ( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
>     DESC 'enable recording of last successful authentication using any method/mech'
>     EQUALITY booleanMatch
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>     SINGLE-VALUE USAGE dsaOperation )

Hmm, isn't the NAME of the second a little bit confusing, since it sounds like just the plural of the first?

Ciao, Michael.
On Dec 10, 2010, at 5:16 PM, Michael Ströder wrote:
> Kurt@OpenLDAP.org wrote:
>> ( 1.3.6.1.4.1.453.16.2.188 NAME 'authTimestamp'
>>     DESC 'last successful authentication using any method/mech'
>>     EQUALITY generalizedTimeMatch
>>     ORDERING generalizedTimeOrderingMatch
>>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
>>     SINGLE-VALUE NO-USER-MODIFICATION USAGE dsaOperation )
>>
>> And we use this attribute in our configuration object to enable/disable (default disabled).
>>
>> ( 1.3.6.1.4.1.453.16.2.189 NAME 'authTimestamps'
>>     DESC 'enable recording of last successful authentication using any method/mech'
>>     EQUALITY booleanMatch
>>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
>>     SINGLE-VALUE USAGE dsaOperation )
>
> Hmm, isn't the NAME of the second a little bit confusing, since it sounds like just the plural of the first?

Names should only be for the wire, and the wire doesn't get confused.

-- Kurt
Could we have this overlay in contrib/ shipped with 2.4.24? That would be really nice. I've tested it with 2.4.23 and it still seems to work.
changed notes changed state Open to Test
changed notes changed state Test to Release
michael@stroeder.com wrote:
> Could we have this overlay in contrib/ shipped with 2.4.24?
> That would be really nice.
>
> I've tested it with 2.4.23 and it still seems to work.

Committed with changes in HEAD.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
hyc@symas.com wrote:
> michael@stroeder.com wrote:
>> Could we have this overlay in contrib/ shipped with 2.4.24?
>> That would be really nice.
>>
>> I've tested it with 2.4.23 and it still seems to work.
>
> Committed with changes in HEAD.

Also in RE24. Thanks a lot!

Any objections to adding a slightly more complete Makefile (see attachment)?

Ciao, Michael.
Michael Ströder wrote:
> hyc@symas.com wrote:
>> michael@stroeder.com wrote:
>>> Could we have this overlay in contrib/ shipped with 2.4.24?
>>> That would be really nice.
>>>
>>> I've tested it with 2.4.23 and it still seems to work.
>>
>> Committed with changes in HEAD.
>
> Also in RE24. Thanks a lot!
>
> Any objections to adding a slightly more complete Makefile (see attachment)?

Yes, several objections. Post diffs that can be applied by the "patch" command, not the complete file. If you're going to add more rules, make them conform to the standard Makefiles. E.g. the correct macro is "prefix" not "PREFIX". Post diffs that actually work: your "OPT" macro is never referenced anywhere else in the Makefile, so it's useless. The default prefix is always /usr/local. You can use whatever prefix you like in your personal copy, but stick with the defaults on anything you submit to us.

> Ciao, Michael.
>
>
> Makefile.lastbind
>
>
> # Copyright 2009 Jonathan Clarke <jonathan@phillipoux.net>.
> # All rights reserved.
> #
> # Redistribution and use in source and binary forms, with or without
> # modification, are permitted only as authorized by the OpenLDAP
> # Public License.
> #
> # A copy of this license is available in the file LICENSE in the
> # top-level directory of the distribution or, alternatively, at
> # <http://www.OpenLDAP.org/license.html>.
>
> PREFIX=/opt/openldap-RE24
>
> CPPFLAGS+=-I../../../include -I../../../servers/slapd
> CPPFLAGS+=-DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
> #LIBTOOL=libtool
> LIBTOOL=../../../libtool
> OPT=-g -O2
> CC=gcc
>
>
> all: lastbind.la
>
> lastbind.lo: lastbind.c
> 	$(LIBTOOL) --mode=compile $(CC) $(CPPFLAGS) -Wall -c $?
>
> lastbind.la: lastbind.lo
> 	$(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \
> 		-rpath $(PREFIX)/lib -module -o $@ $?
>
> clean:
> 	rm -rf lastbind.lo lastbind.la lastbind.o .libs/
>
> install: lastbind.la
> 	mkdir -p $(PREFIX)/libexec/openldap
> 	$(LIBTOOL) --mode=install cp lastbind.la $(PREFIX)/libexec/openldap
> 	$(LIBTOOL) --finish $(PREFIX)/libexec/openldap

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
On 05/02/2011 00:37, hyc@symas.com wrote:
> michael@stroeder.com wrote:
>> Could we have this overlay in contrib/ shipped with 2.4.24?
>> That would be really nice.
>>
>> I've tested it with 2.4.23 and it still seems to work.
>
> Committed with changes in HEAD.

Howard,

Thanks for taking the time to clean this up and commit it.

Jonathan

--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
changed notes changed state Release to Closed
Howard Chu wrote:
> Yes, several objections. Post diffs that can be applied by the "patch" command, not the complete file.

See below.

> If you're going to add more rules, make them conform to the standard Makefiles. E.g. the correct macro is "prefix" not "PREFIX".

Not consistently used in contrib/slapd-modules/. Therefore I didn't know this.

Ciao, Michael.

Index: Makefile =================================================================== RCS file: /repo/OpenLDAP/pkg/ldap/contrib/slapd-modules/lastbind/Makefile,v retrieving revision 1.2.2.2 diff -u -r1.2.2.2 Makefile --- Makefile 4 Feb 2011 23:39:17 -0000 1.2.2.2 +++ Makefile 15 Feb 2011 14:48:30 -0000 @@ -10,6 +10,8 @@ # top-level directory of the distribution or, alternatively, at # <http://www.OpenLDAP.org/license.html>. +prefix=/usr/local + CPPFLAGS+=-I../../../include -I../../../servers/slapd CPPFLAGS+=-DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC #LIBTOOL=libtool @@ -23,7 +25,12 @@ lastbind.la: lastbind.lo $(LIBTOOL) --mode=link $(CC) -version-info 0:0:0 \ - -rpath $(PREFIX)/lib -module -o $@ $? + -rpath $(prefix)/lib -module -o $@ $? clean: rm -rf lastbind.lo lastbind.la lastbind.o .libs/ + +install: lastbind.la + mkdir -p $(prefix)/libexec/openldap + $(LIBTOOL) --mode=install cp lastbind.la $(prefix)/libexec/openldap + $(LIBTOOL) --finish $(prefix)/libexec/openldap
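Review bot: the first hunk (@@ -10,6 +10,8 @@) adds a bare `prefix=/usr/local` but nothing derived from it, while the second hunk then spells out `$(prefix)/libexec/openldap` three times in the install rule and `$(prefix)/lib` in the link rule; defining `libexecdir=$(prefix)/libexec` and `moduledir=$(libexecdir)/openldap` next to `prefix` would let both rules refer to one `$(moduledir)` and keep the install location in a single place. Using a plain `=` here is fine, since a `make prefix=/opt/openldap-RE24` on the command line still overrides it without editing the file.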
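Review bot: in the second hunk (@@ -23,7 +25,12 @@) the link rule still passes `-rpath $(prefix)/lib` while the new `install` rule copies the module to `$(prefix)/libexec/openldap`; libtool records the `-rpath` directory as the library's installation directory in the generated `.la` file, so the two should name the same place (`-rpath $(prefix)/libexec/openldap`, or a shared variable), otherwise the installed `lastbind.la` points at a directory the module was never copied to. The install rule also has no `$(DESTDIR)` in front of its paths, which prevents staged installs for packaging; `mkdir -p $(DESTDIR)$(prefix)/libexec/openldap` and the same prefix on the two libtool lines would fix that. Note too that the recipe lines have lost their leading tabs in transit, so as posted the patch will not apply cleanly to a Makefile.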
changed notes changed state Closed to Test
updated in HEAD fixed in RE24