
Re: Last bind timestamp?
Pat Riehecky writes:
> For political reasons I can only ask for one account to be checked for
> validity at a time... could take a few years to filter through them
> all....

OMG - I hope you are talking about checking old accounts, not new ones
as well.

> If there was a way I could store the timestamp of the last successful
> bind by this user in their entry (similarly to lastmod or create date)
> then after a year or three anyone who has no entry would be a candidate
> for further investigation....

The accesslog (record Binds) and ppolicy overlays (record changes, and
expire old passwords).


In the long run, see if you can ensure future accounts get tied to a
person ID from your personnel/student systems if you haven't already.
This lets you push formalities of tracking who people are and who are
responsible for knowing that, from IT staff who commonly have no clue,
to student/employee admin staff who do.

For accounts whose owners can easily prove they are the owner, you
can have a password expiry policy.  Passwords get stolen and cracked,
computers get hacked... you should limit the lifetime of a stolen
password.  Such unused accounts will stand out as a side effect of
password expiry.

On the ldap side, the ppolicy overlay can help.  You need a simple way
for users to set new passwords, and a procedure for users whose
accounts have been locked to get new passwords.  Ask the local sysadmin
and show ID, maybe.  (And have mercy on the people who'll be asked for
new passwords - don't expire 1000 passwords on the same day.)

-- 
Hallvard
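A worked example of the approach Hallvard describes above (let the accesslog overlay record binds, then treat accounts that never show up as candidates for review), added here as illustration and not part of the original thread or of OpenLDAP itself. It assumes the accesslog overlay is already configured to log bind operations and that the cn=accesslog database has been exported as LDIF (for example with ldapsearch). The attribute names (auditBind, reqStart, reqType, reqDN, reqResult) are those of the accesslog overlay's schema; the entries, DNs, account list and review date are constructed sample data.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample export of the accesslog database: three bind records
# for two users. reqResult 0 is LDAP success; 49 is invalidCredentials.
ACCESSLOG_LDIF = """\
dn: reqStart=20230105083012.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20230105083012.000001Z
reqType: BIND
reqDN: uid=alice,ou=people,dc=example,dc=org
reqResult: 0

dn: reqStart=20230811143000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20230811143000.000001Z
reqType: BIND
reqDN: uid=bob,ou=people,dc=example,dc=org
reqResult: 49

dn: reqStart=20240601090000.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240601090000.000001Z
reqType: BIND
reqDN: uid=alice,ou=people,dc=example,dc=org
reqResult: 0
"""

# Constructed list of the accounts under review (normally a search on the
# people subtree) and the date the review is run.
ACCOUNTS = [
    "uid=alice,ou=people,dc=example,dc=org",
    "uid=bob,ou=people,dc=example,dc=org",
    "uid=carol,ou=people,dc=example,dc=org",
]
REVIEW_DATE = datetime(2024, 7, 1, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict of attribute -> [values].
    Handles folded continuation lines (leading space) and base64 values ('::'),
    which is enough for an accesslog export."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def parse_generalized_time(value):
    """LDAP GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.ffffff]Z (UTC)."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def last_successful_binds(ldif_text):
    """Map each bound DN (lower-cased) to the time of its most recent successful
    bind. Failed binds (reqResult != 0) are not counted as use of the account."""
    latest = {}
    for entry in parse_ldif(ldif_text):
        if "auditBind" not in entry.get("objectClass", []):
            continue
        if entry.get("reqResult", ["-1"])[0] != "0":
            continue
        dn = entry["reqDN"][0].lower()
        when = parse_generalized_time(entry["reqStart"][0])
        if dn not in latest or when > latest[dn]:
            latest[dn] = when
    return latest


def stale_accounts(account_dns, latest, now, max_age_days):
    """Return [(dn, last_bind_or_None)] for accounts with no successful bind
    in the last max_age_days. None means no successful bind was logged at all."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for dn in account_dns:
        last = latest.get(dn.lower())
        if last is None or last < cutoff:
            stale.append((dn, last))
    return stale


def review(max_age_days=365, now=REVIEW_DATE):
    """Run the review over the sample data; returns the stale DNs in account order."""
    latest = last_successful_binds(ACCESSLOG_LDIF)
    return [dn for dn, _ in stale_accounts(ACCOUNTS, latest, now, max_age_days)]


if __name__ == "__main__":
    for dn, last in stale_accounts(ACCOUNTS, last_successful_binds(ACCESSLOG_LDIF),
                                   REVIEW_DATE, 365):
        print(dn, "last successful bind:", last.isoformat() if last else "never")
```

Two caveats when using this for real: the accesslog only covers the period since the overlay was enabled and its logpurge retention must be longer than the review window, or every account looks unused; and accounts used only through a service DN or SASL proxy authorization never bind with their own DN, so "no bind" is a reason to investigate, not proof the account is dead, which is exactly the "candidate for further investigation" framing above.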