Bob wrote:
We currently have 18 master ODSEE servers that we use to provide authentication 
services to both Redhat, SuSE, and Solaris systems. We are looking to add IPA 
servers to

We have a requirement to track time of last authentication.  With ODSEE, time 
of last authentication tracking is enabled with this:

*dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*

Looking at the Redhat DS 9 documentation, I see an account policy plug-in:

cn=Account Policy Plugin,cn=plugins,cn=config

Looking <>  pages on the server plugins, I do 
not see the account policy plugin listed.

Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" installed 
on Redhat 7, I do see the account policy plugin in the config tree.

Is the use of this account policy plugin supported with IPA? Should it work?

IPA has its own password policy. You can get last successful authentication via krbLastSuccessfulAuth

Don't let the attribute name mislead you, it is updated on every authentication.

Also note that this is per-IPA master. It is not replicated.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to