We currently have 18 master ODSEE servers that we use to provide authentication
services to both Redhat, SuSE, and Solaris systems. We are looking to add IPA
We have a requirement to track time of last authentication. With ODSEE, time
of last authentication tracking is enabled with this:
*dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*
Looking at the Redhat DS 9 documentation, I see an account policy plug-in:
cn=Account Policy Plugin,cn=plugins,cn=config
Looking thefreeipa.org <http://freeipa.org> pages on the server plugins, I do
not see the account policy plugin listed.
Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" installed
on Redhat 7, I do see the account policy plugin in the config tree.
Is the use of this account policy plugin supported with IPA? Should it work?
IPA has its own password policy. You can get last successful
authentication via krbLastSuccessfulAuth
Don't let the attribute name mislead you, it is updated on every
Also note that this is per-IPA master. It is not replicated.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project