
Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind



On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:

> On 10/12/10 17:14, Howard Chu wrote:
>> jonathan@phillipoux.net wrote:
>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>> Full_Name: Jonathan Clarke
>>>> Version: RE24
>>>> OS:
>>>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>> Submission from: (NULL) (82.67.204.30)
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
>>>> intercepts successful binds and records the current timestamp in an
>>>> attribute named "bindTimestamp" in the bound-to entry. Its original
>>>> use-case is to detect unused accounts.
>>>>
>>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum
>>>> precision for the timestamp (i.e., don't update the timestamp unless it's
>>>> older than <n> seconds). This avoids a performance hit from many
>>>> unnecessary writes in case there are many binds per minute/hour/day/week/etc.
>>>>
>>>> Of course, the behaviour this overlay implements is not described in
>>>> any RFC, or other. However, it closely resembles some of the functionality
>>>> from the password policy overlay, and similar functionality already exists
>>>> in other LDAP servers.
>>
>> There is an equivalent attribute defined in the latest ppolicy draft.
>> Perhaps you could use that.

That attribute is last successful password authentication, not last
authentication by any means.

For the latter, I suggest a separate attribute.  At Isode, we use an
authTimestamp dsaOperational attribute for this.

It's wise to have the updating of this attribute off by default.

>> Or just submit a patch to incorporate this
>> feature into the current ppolicy overlay.
>
> Indeed. At the time I wrote this overlay, I think the ppolicy draft was
> not yet finished or at least I wasn't aware of it. My client at the time
> found it useful to just add this simple overlay, without worrying about
> configuring ppolicy.
>
> Since then, I actually haven't had any time to work on this overlay, but
> today Michael expressed an interest in it, asking for a public IPR
> notice, thus the "thread revival".
>
> I hope to pick it up in the future, and at that point possibly submit a
> patch for ppolicy also, as you suggest.
>
> Regards,
> Jonathan
>
>
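As an added illustration, not part of this thread and not code from the contrib overlay itself, the Python below models the two behaviours Jonathan's submission describes: the olcLastBindPrecision throttling rule (only rewrite the stamp when the stored one is older than n seconds) and the stated use case of finding unused accounts from the recorded attribute. It assumes the stamp is stored as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ), uses the attribute name "bindTimestamp" from the submission (the attr parameter lets you substitute the authTimestamp name Kurt mentions for Isode), treats an entry with no stamp at all as never having bound, and runs on a constructed three-entry LDIF sample rather than a real directory.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as stored in operational attributes (UTC, no fraction).
GT_FORMAT = "%Y%m%d%H%M%SZ"

# Attribute name taken from the submission text; an assumption for this
# example. The thread also mentions an "authTimestamp" attribute at Isode.
DEFAULT_ATTR = "bindTimestamp"


def parse_generalized_time(value):
    """Parse 'YYYYMMDDHHMMSSZ' into an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """Render an aware datetime as UTC GeneralizedTime."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def should_record_bind(existing, now, precision_seconds):
    """The throttling rule: write only when there is no stamp yet, or the
    stored stamp is older than precision_seconds."""
    if existing is None:
        return True
    age = (now - parse_generalized_time(existing)).total_seconds()
    return age > precision_seconds


def record_bind(entry, now, precision_seconds, attr=DEFAULT_ATTR):
    """Simulated post-bind hook. Mutates entry; returns True if a write was done."""
    if should_record_bind(entry.get(attr), now, precision_seconds):
        entry[attr] = format_generalized_time(now)
        return True
    return False


def parse_ldif(text):
    """Minimal LDIF reader: blank-line-separated entries of 'attr: value' lines.
    Enough for the constructed sample below; not a full RFC 2849 parser."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        entries.append(current)
    return entries


def stale_accounts(entries, now, max_idle_days, attr=DEFAULT_ATTR):
    """DNs whose last recorded bind is older than max_idle_days, plus entries
    that have never had a bind recorded (no attribute at all)."""
    cutoff = now - timedelta(days=max_idle_days)
    return [e["dn"] for e in entries
            if e.get(attr) is None or parse_generalized_time(e[attr]) < cutoff]


# Constructed sample directory export (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
bindTimestamp: 20101209120000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
bindTimestamp: 20100601080000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""


def demo(now_str="20101210120000Z", precision_seconds=3600, max_idle_days=90):
    """Run the sample through both rules; returns a dict so results can be checked."""
    now = parse_generalized_time(now_str)
    entries = parse_ldif(SAMPLE_LDIF)
    alice = dict(entries[0])
    first_write = record_bind(alice, now, precision_seconds)
    # A second bind ten seconds later falls inside the precision window: no write.
    second_write = record_bind(alice, now + timedelta(seconds=10), precision_seconds)
    return {
        "first_write": first_write,
        "second_write": second_write,
        "alice_stamp": alice[DEFAULT_ATTR],
        "stale": stale_accounts(entries, now, max_idle_days),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things follow from the throttling rule that anyone using the stamp for account review should keep in mind: the recorded time can lag the true last bind by up to the configured precision, so an idle threshold should be comfortably larger than n, and an entry with no stamp is ambiguous between "never bound" and "bound only before the overlay was enabled", which is why the sample reports carol as stale rather than silently skipping her.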