On 03/03/2015 04:34 PM, Dmitri Pal wrote:
> On 03/03/2015 07:22 AM, Martin Kosek wrote:
>> On 03/03/2015 05:38 AM, Jason Prouty wrote:
>>>
>>> Is there a method to auto disable users who have logged in 90 days.
>>> I have a security requirement to auto disable users who have not logged in
>>> after 90 days.
>>>
>> There is no such facility implemented in vanilla FreeIPA. I think there was
>> another user request, but I could not find any Bugzilla or Trac ticket.
>>
>> I see 3 options how to do what you propose:
>>
>> 1) Implement a cron script that will LDAP search for such users and disable
>> them when the account is inactive for too long (based on 
>> krblastsuccessfulauth).
> 
> Yes this is probably the most recommended approach.
> You do an ldap search on all the accounts that have krblastsuccessfulauth more
> than 90 days ago and then disable them one by one.
> Should be a very simple script to write.

Yup, I just did a very simple test, to prove the point:

1) I have 2 users, with different successful log auth:

# ipa user-find --all --raw | grep -iE "(dn:|krbLastSuccessfulAuth)"
  dn: uid=admin,cn=users,cn=accounts,dc=f21
  krbLastSuccessfulAuth: 20150303155003Z
  dn: uid=fbar,cn=users,cn=accounts,dc=f21
  krbLastSuccessfulAuth: 20150223114040Z

2) Now I search for acrtive users that did not log after March 1st:

# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21"
"(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn
krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1


3) I disable such user:

# ipa user-disable fbar
----------------------------
Disabled user account "fbar"
----------------------------

4) Next search:

# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21"
"(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn
krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#

# search result
search: 4
result: 0 Success

# numResponses: 1

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to