[Date Prev][Date Next]
Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
On 10/12/10 17:14, Howard Chu wrote:
> email@example.com wrote:
>> On 30/07/09 13:50, firstname.lastname@example.org wrote:
>>> Full_Name: Jonathan Clarke
>>> Version: RE24
>>> Submission from: (NULL) (188.8.131.52)
>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
>>> intercepts successful binds and records the current timestamp in an
>>> named "bindTimestamp" in the bound-to entry. It's original use-case
>>> is to detect
>>> unused accounts.
>>> A configuration parameter (olcLastBindPrecision) allows to set a minimum
>>> precision for the timestamp (ie, don't update the timestamp unless
>>> it's older
>>> than<n> seconds). This avoids a performance hit from many
>>> unnecessary writes in
>>> case there are many binds per minute/hour/day/week/etc.
>>> Of course, the behaviour this overlay implements is not described in
>>> any RFC, or
>>> other. However, it closely resembles some of the functionality from
>>> the password
>>> policy overlay, and similar functionality already exists in other
>>> LDAP servers.
> There is an equivalent attribute defined in the latest ppolicy draft.
> Perhaps you could use that. Or just submit a patch to incorporate this
> feature into the current ppoloicy overlay.
Indeed. At the time I wrote this overlay, I think the ppolicy draft was
not yet finished or at least I wasn't aware of it. My client at the time
found it useful to just add this simple overlay, without worrying about
Since then, I actually haven't had any time to work on this overlay, but
today Michael expressed an interest in it, asking for a public IPR
notice, thus the "thread revival".
I hope to pick it up in the future, and at that point possibly submit a
patch for ppolicy also, as you suggest.