
Re: Record last bind info?

On 07/04/2010 01:02, Erich Weiler wrote:
Hi All,

My task at hand is to somehow record when a user last logged on to any
of our systems, which all authenticate against OpenLDAP.

Now, I've browsed the mailing lists and some folks have suggested using
the accesslog backend, and only have it log 'binds', and thus I can
later look back at the log DB and see when folks logged in last.

While this seems to work, what concerns me is that it makes a log entry
every time someone binds, so the log gets large fairly quickly, as well
as load the server a bit because of all the write activity to the log DB
(we have a large network with lots and lots of binds all the time). I
saw that the accesslog backend has a 'logpurge' directive, but indeed I
would like to only purge log entries older than a year, so the log DB
will still get quite large.

I was wondering if anyone knew a way to perhaps have it "log an entry,
but only log it if there is already not a pre-existing entry of not more
than X days old" or something like that for the uid in question...? Or
maybe even something such that it logs a new entry and automatically
purges all other older entries that match the same uid?

Or even a better way?

Thanks for any thoughts/insight!


I had the exact same requirement, and wrote an overlay to do this. It stores the time of last successful bind in an attribute in the user's entry.

It can be configured to only update this attribute if the last value is older than a given time, to avoid excessive writes if all you need to know is "has this user logged on this month?".

You can find it here:

Hope this helps,
Jonathan Clarke - jonathan@phillipoux.net
Ldap Synchronization Connector (LSC) - http://lsc-project.org
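
The throttled update described in the reply above, as an added Python sketch that is not part of the original message and is not the overlay's code. The attribute name `lastBindTime`, the function names and the bind stream are hypothetical and constructed; the sketch also shows that the stored time can lag the real last bind by up to the threshold, which a stale-account check has to allow for.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC, whole seconds


def parse_gt(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def format_gt(moment):
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)


def record_bind(entry, now, min_interval, attr="lastBindTime"):
    """Called after a successful bind; returns True only if the entry was written."""
    stored = entry.get(attr)
    if stored is not None and now - parse_gt(stored) < min_interval:
        return False  # stored value is recent enough: skip the write
    entry[attr] = format_gt(now)
    return True


def is_stale(entry, now, max_idle, min_interval, attr="lastBindTime"):
    """True only when the user certainly has not bound within max_idle.

    The stored value may be up to min_interval older than the real last
    bind, so that margin is added before an account is reported as idle.
    """
    stored = entry.get(attr)
    if stored is None:
        return True  # no successful bind was ever recorded
    return now - parse_gt(stored) > max_idle + min_interval


def simulate():
    """Constructed load: one user binds every 10 minutes for 3 days."""
    entry = {"uid": "jdoe"}  # hypothetical user entry
    start = datetime(2010, 4, 7, 1, 2, 0, tzinfo=timezone.utc)
    min_interval = timedelta(days=1)
    binds = writes = 0
    for i in range(3 * 24 * 6):
        binds += 1
        writes += record_bind(entry, start + timedelta(minutes=10 * i), min_interval)
    return binds, writes, entry


if __name__ == "__main__":
    binds, writes, entry = simulate()
    print(f"{binds} binds caused {writes} writes; stored {entry['lastBindTime']}")
```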