On Mon, 2013-09-16 at 08:44 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
> > On 09/13/2013 01:46 PM, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
> >>>> Dmitri Pal wrote:
> >>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>> I need to add in my LDAP an attribute to save the date of last access
> >>>>>> to mail account, or something similar, to know when a user has
> >>>>>> stopped using his mail account. I can't find any attribute like this
> >>>>>> one. Any suggestions on how I can do this?
> >>>>>>
> >>>>>> Thanks so much.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Freeipa-users mailing list
> >>>>>> Freeipa-users@redhat.com
> >>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>
> >>>>> I think there are some operational, i.e. "meta" attributes that store
> >>>>> information when some attribute was last modified so if there is a way
> >>>>> to associate mail activity with a modification of some user attribute
> >>>>> then you can check the time stamp of this modification rather than
> >>>>> create a separate attribute. With a new attribute the question comes:
> >>>>> who, when and how updates it and whether the software you have is
> >>>>> capable of doing it? Maybe software already updates something on every
> >>>>> activity for the account and if this is the case then operation
> >>>>> attributes would help.
> >>>>
> >>>> There is no mail-specific activity attribute. I think about the closest
> >>>> you could get is last successful Kerberos authentication
> >>>> (krblastsuccessfulauth), but again this isn't specific to mail activity
> >>>> (unless that is all the users can do).
> >>>>
> >>>> Note too that this attribute is by default not replicated so if you have
> >>>> several IPA masters you'd need to check them all. This attribute is not
> >>>> updated on LDAP binds.
> >>>
> >>> Rob,
> >>> should we open a ticket to update this for plain text binds too?
> >>>
> >>> Simo.
> >>
> >> That's an interesting question. The attribute has krb in it which
> >> suggests a Kerberos authentication, so I wonder if this would cause
> >> other confusion.
> >
> > Wasn't there an intent not to update data on a successful auth? Only on
> > a failure or first time after a failure to clear the counts?
> 
> It certainly seems like an argument I'd make, but I don't recall 
> specifically.

No, we need to update as it is used to unlock auto-locked accounts. What
we decided on was to not propagate any of these operations via
replication to avoid huge churn across all of the enterprise.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
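
Because the thread notes that krblastsuccessfulauth is not replicated and every IPA master has to be checked, here is an added example (not part of the original messages or of FreeIPA's code) that merges per-master search results and keeps the newest timestamp per user. The host names, users and LDIF text are constructed, and the attribute is written in its schema spelling, krbLastSuccessfulAuth.

```python
from datetime import datetime, timezone

# Constructed sample: LDIF text as each master might return it for a search
# requesting uid and krbLastSuccessfulAuth. Hosts and users are made up.
SAMPLE = {
    "ipa1.example.test": (
        "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: alice\nkrbLastSuccessfulAuth: 20130901101500Z\n\n"
        "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: bob\n\n"
        "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: carol\nkrbLastSuccessfulAuth: 20130301000000Z\n"
    ),
    "ipa2.example.test": (
        "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: alice\nkrbLastSuccessfulAuth: 20130915084400Z\n\n"
        "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: bob\n\n"
        "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test\n"
        "uid: carol\n"
    ),
}
CUTOFF = datetime(2013, 6, 1, tzinfo=timezone.utc)  # constructed threshold

def parse_entries(ldif):
    """Yield (uid, datetime or None); assumes unfolded, non-base64 LDIF."""
    for block in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        stamp = attrs.get("krbLastSuccessfulAuth")  # absent: no auth seen here
        when = (datetime.strptime(stamp, "%Y%m%d%H%M%SZ")
                .replace(tzinfo=timezone.utc) if stamp else None)
        if "uid" in attrs:
            yield attrs["uid"], when

def latest_auth(per_master):
    """Map uid -> (newest timestamp across masters or None, master holding it)."""
    latest = {}
    for master, ldif in per_master.items():
        for uid, when in parse_entries(ldif):
            best = latest.setdefault(uid, (None, None))
            if when and (best[0] is None or when > best[0]):
                latest[uid] = (when, master)
    return latest

def inactive_since(latest, cutoff):
    """Users whose newest Kerberos auth on any master predates cutoff, or never."""
    return sorted(u for u, (w, _) in latest.items() if w is None or w < cutoff)

if __name__ == "__main__":
    print(inactive_since(latest_auth(SAMPLE), CUTOFF))
```

As the thread says, this value reflects Kerberos authentications only, so an account that reaches mail through plain LDAP binds will look inactive here.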
