
Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind



On 10/12/10 17:14, Howard Chu wrote:
> jonathan@phillipoux.net wrote:
>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>> Full_Name: Jonathan Clarke
>>> Version: RE24
>>> OS:
>>> URL:
>>> ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>> Submission from: (NULL) (82.67.204.30)
>>>
>>>
>>> Hi,
>>>
>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
>>> intercepts successful binds and records the current timestamp in an
>>> attribute named "bindTimestamp" in the bound-to entry. Its original
>>> use-case is to detect unused accounts.
>>>
>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum
>>> precision for the timestamp (i.e., don't update the timestamp unless it's
>>> older than <n> seconds). This avoids a performance hit from many
>>> unnecessary writes in case there are many binds per
>>> minute/hour/day/week/etc.
>>>
>>> Of course, the behaviour this overlay implements is not described in any
>>> RFC, or other. However, it closely resembles some of the functionality
>>> from the password policy overlay, and similar functionality already
>>> exists in other LDAP servers.
> 
> There is an equivalent attribute defined in the latest ppolicy draft.
> Perhaps you could use that. Or just submit a patch to incorporate this
> feature into the current ppolicy overlay.

Indeed. At the time I wrote this overlay, I think the ppolicy draft was
not yet finished or at least I wasn't aware of it. My client at the time
found it useful to just add this simple overlay, without worrying about
configuring ppolicy.

Since then, I actually haven't had any time to work on this overlay, but
today Michael expressed an interest in it, asking for a public IPR
notice, thus the "thread revival".

I hope to pick it up in the future, and at that point possibly submit a
patch for ppolicy also, as you suggest.

Regards,
Jonathan
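
The precision rule described in the original submission (skip the write unless the stored timestamp is older than <n> seconds), as an added example that is not part of this thread and is not the overlay's own code. It assumes bindTimestamp holds a GeneralizedTime value of the form "YYYYMMDDHHMMSSZ"; the function names are hypothetical, and treating a missing, malformed or future-dated value as "update" is a choice made for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a Gregorian date; avoids non-portable timegm(). */
static int64_t days_from_civil(int y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse "YYYYMMDDHHMMSSZ" (assumed stored format) into epoch seconds. 0 = ok. */
int parse_gentime(const char *s, int64_t *out) {
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z') return -1;
    for (int i = 0; i < 14; i++)
        if (!isdigit((unsigned char)s[i])) return -1;
    int v[6]; /* year, month, day, hour, minute, second */
    v[0] = (s[0]-'0')*1000 + (s[1]-'0')*100 + (s[2]-'0')*10 + (s[3]-'0');
    for (int i = 1; i < 6; i++)
        v[i] = (s[2 + 2*i]-'0')*10 + (s[3 + 2*i]-'0');
    if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 ||
        v[3] > 23 || v[4] > 59 || v[5] > 60) return -1; /* coarse range check */
    *out = days_from_civil(v[0], v[1], v[2]) * 86400
         + v[3] * 3600 + v[4] * 60 + v[5];
    return 0;
}

/* Returns 1 if a successful bind at time `now` should rewrite the stored
 * timestamp, 0 if the stored value is still within `precision` seconds. */
int should_update(const char *stored, int64_t now, int64_t precision) {
    int64_t last;
    if (parse_gentime(stored, &last) != 0) return 1; /* absent or malformed */
    if (last > now) return 1;                        /* future value: overwrite */
    return (now - last) > precision;                 /* strictly older than n */
}

int main(void) {
    int64_t now;
    parse_gentime("20101210171400Z", &now);          /* constructed sample time */
    printf("%d\n", should_update("20101210171000Z", now, 3600)); /* 0: 240 s old */
    printf("%d\n", should_update("20101209171400Z", now, 3600)); /* 1: a day old */
    return 0;
}
```

With a precision of 3600, an account that binds every few seconds causes at most one write per hour, while the stored value is still accurate enough to spot accounts unused for weeks.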