Jim Kinney via FreeIPA-users wrote: > Is there a way get the timestamp of when a user account was marked locked? > > I'm trying to show that a locked out user had an existing open > connection before the lockout happened. The next process that ran > through a pam login was properly denied but the screen shot indicates > they were already on a system. > > And, yes, policy change will include the account lock followed by an > aggressive kill -9 of all running process on all nodes.
You're right in that locked means "can no longer authenticate" but it doesn't affect any existing connections. I think of a few ways. 1. The most efficient would be to write a 389-ds plugin to monitor mods such that when this attribute goes to TRUE then trigger something. The downside is you'd have to install and maintain this yourself, and deal with conflicts vs single-point-of-failure. And how/what the trigger is. 2. Write a service that does a persistent LDAP search on nsAccountLock and does...something. 3. Otherwise you're left with scraping logs, either the 389-ds audit log (best, and requires enablement) or the httpd error log (fine for any changes done via the API). rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
