[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Automatic Account Deactivation?

Thanks for the reply. That's exactly what we're trying to do, disable rather than delete. The plan is to have some sort of check for the number of days since last login and then send out an email to our Operators when it's hit 60 and then 90 days without a login. At that point it should either be disabled automatically, or an Operator should do it manually. This is mainly due to security risks with email accounts. Our email system is tied into the LDAP so I want to check the last LDAP authentication. The part I'm getting stuck on is exactly how to keep track of the last login for a user. Do you have any tips about this?

Aharon Verno
Berklee College of Music

On Jun 30, 2007, at 12:41 PM, Pierangelo Masarati wrote:

Dieter Kluenter wrote:
"Aharon Verno" <averno@berklee.edu> writes:

I was wondering if there was a way to automatically disable an account that
hasn’t been logged into for a period of time? We use OpenLDAP to give
entitlements for our email system and we would love a way to automatically
shutdown accounts that haven’t been authenticated to in X days. Thanks for any
help with this.

Depending on the number of entries in question and the time to live of
this objects you may want to have a look at slapo-dds(5).
You could probably create a dynamic object as soon as a user logs in,
and allow a given ttl or some similar strategy,

This would __delete__ the account; furthermore, you'd need to setup
something to "touch" the TTL any time the account is used. I think
something dedicated should rather been implemented, which logs the time
of a login and, periodically, checks if any account needs to be disabled
(e.g. inhibit logging, not remove the entry). It shouldn't be too


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it