Hi. For PCI DSS compliance I need to be able to disable users not logged in for X amount of days (I think it's 90).
I was going to create a script which checks last login time (I have a similar one for expired passwords), however I cannot find a way of doing so.

I have searched for info and found I should be able to get the info from the krbLastSuccessfulAuth value using

    # ipa user-find --all --raw

But that field is not there.

I have also seen I can use

    # ipa user-status user

But the value always shows ' Last successful authentication: N/A'

I have also seen using ldapsearch

    # ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser

And the value is also missing.

Reading about this, it seems the value is cancelled when using replicas - is that right?

How can I perform what I need to - i.e. how to check last login time for a user from the IPA servers (not on a per IPA client basis)? Or is there a different way to disable inactive users?

_______________________________________________
FreeIPA-users mailing list
