Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6238) contrib: lastbind overlay to record timestamp of last successful bind
- From: hyc@symas.com
- Date: Fri, 10 Dec 2010 20:03:02 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Kurt@OpenLDAP.org wrote:
> On Dec 10, 2010, at 10:37 AM, jonathan@phillipoux.net wrote:
>
>> On 10/12/10 17:14, Howard Chu wrote:
>>> jonathan@phillipoux.net wrote:
>>>> On 30/07/09 13:50, jonathan@phillipoux.net wrote:
>>>>> Full_Name: Jonathan Clarke
>>>>> Version: RE24
>>>>> OS:
>>>>> URL:
>>>>> URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-lastbind-20090730.tgz
>>>>> Submission from: (NULL) (82.67.204.30)
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Please find, at the above URL, an overlay, built for OpenLDAP 2.4, that
>>>>> intercepts successful binds and records the current timestamp in an
>>>>> attribute
>>>>> named "bindTimestamp" in the bound-to entry. Its original use-case
>>>>> is to detect
>>>>> unused accounts.
>>>>>
>>>>> A configuration parameter (olcLastBindPrecision) allows setting a minimum
>>>>> precision for the timestamp (i.e., don't update the timestamp unless
>>>>> it's older
>>>>> than <n> seconds). This avoids a performance hit from many
>>>>> unnecessary writes in
>>>>> case there are many binds per minute/hour/day/week/etc.
>>>>>
>>>>> Of course, the behaviour this overlay implements is not described in
>>>>> any RFC, or
>>>>> other. However, it closely resembles some of the functionality from
>>>>> the password
>>>>> policy overlay, and similar functionality already exists in other
>>>>> LDAP servers.
>>>
>>> There is an equivalent attribute defined in the latest ppolicy draft.
>>> Perhaps you could use that.
>
> That attribute is last successful password authentication, not last
> authentication by any means.
>
> For the latter, I suggest a separate attribute. At Isode, we use an
> authTimestamp dsaOperational attribute for this.
>
> It's wise to have the updating of this attribute off by default.
Good point. In that case it's probably fine as a separate overlay, the way it
is now. Can we use the schema definition that Isode is using?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
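The write-suppression rule described in the submission (only rewrite the timestamp when the stored one is older than the configured precision) and the "unused accounts" query it enables, simulated in Python as an added example. This is not the overlay's code and not part of the ITS thread: it models the overlay's decision in memory rather than as a slapd bind hook, assumes the attribute is stored as LDAP GeneralizedTime in UTC (the thread does not say which syntax the overlay uses), and the sample entries, DNs and timestamps are constructed for the demonstration.

```python
"""Simulation of the lastbind overlay's precision rule (added example).

Assumptions (not stated in the ITS thread):
  - bindTimestamp is stored as LDAP GeneralizedTime, 'YYYYmmddHHMMSSZ', UTC.
  - "older than <n> seconds" is a strict comparison.
"""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # assumed storage format


def parse_gt(value):
    """Parse a GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_gt(dt):
    """Render an aware datetime as GeneralizedTime (second resolution)."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def should_update(stored, now, precision_seconds):
    """The overlay's rule: write when nothing is stored, or when the stored
    timestamp is older than precision_seconds.  Binds that fall inside the
    window are authenticated normally but cause no directory write."""
    if stored is None:
        return True
    return (now - parse_gt(stored)) > timedelta(seconds=precision_seconds)


def record_bind(entry, now, precision_seconds):
    """Apply the rule to an in-memory entry (dict attribute -> value).
    Returns True if a modify would have been issued for this bind."""
    if should_update(entry.get("bindTimestamp"), now, precision_seconds):
        entry["bindTimestamp"] = format_gt(now)
        return True
    return False


def burst_writes(start, count, interval_seconds, precision_seconds):
    """Count the writes caused by `count` successful binds spaced
    interval_seconds apart, starting from an entry with no timestamp.
    Shows how olcLastBindPrecision bounds write amplification."""
    entry = {}
    writes = 0
    for i in range(count):
        now = start + timedelta(seconds=i * interval_seconds)
        if record_bind(entry, now, precision_seconds):
            writes += 1
    return writes


def unused_accounts(entries, now, max_idle_days):
    """The stated use-case: DNs whose last successful bind is older than
    max_idle_days, plus entries that never bound since the overlay was
    enabled (no attribute at all).  The second group needs a separate
    onboarding check in practice; here they are simply reported."""
    cutoff = now - timedelta(days=max_idle_days)
    hits = []
    for dn, attrs in entries.items():
        stored = attrs.get("bindTimestamp")
        if stored is None or parse_gt(stored) < cutoff:
            hits.append(dn)
    return sorted(hits)


# Constructed sample directory (not real data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"bindTimestamp": "20101210180000Z"},
    "uid=bob,ou=people,dc=example,dc=com": {"bindTimestamp": "20100601090000Z"},
    "uid=carol,ou=people,dc=example,dc=com": {},
}

if __name__ == "__main__":
    now = parse_gt("20101210200302Z")
    start = parse_gt("20101210080000Z")
    # 13 binds, one every 10 minutes, with a one-hour precision window.
    print("writes with 3600s precision:", burst_writes(start, 13, 600, 3600))
    print("writes with 0s precision:   ", burst_writes(start, 13, 600, 0))
    print("idle > 90 days:", unused_accounts(DIRECTORY, now, 90))
```

With a one-hour precision the 13 binds cause two writes (the first, and the first bind that lands more than an hour after it); with precision 0 every bind writes, which is the "many binds per minute" case the parameter exists to avoid. Note that the stored value is only accurate to within the precision window, so an idle-account report should use a cutoff comfortably larger than olcLastBindPrecision.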