We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a few other things. We have been looking for a way to keep track of the last time a user logged on, and the obvious answer seems to be the krbLastSuccessfulAuth attribute. The problem is that this value for all users is N/A:

Account disabled: False
  Server: {{srv}}
  Failed logins: 0
  Last successful authentication: N/A
  Last failed authentication: N/A
  Time now: 2017-05-23T16:47:49Z
Number of entries returned 1

I checked to make sure that the ipaConfigString doesn't contain KDC:Disable Last Success. Does krbLastSuccessfulAuth only get updated when using kerberized logins? If so, is there a way to track the last time a user successfully authenticated via pure LDAP (besides parsing logs)?

Thanks in advance,


Chris Apsey
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to