If each IPA server tracks time of last auth independently, then one ipa server might disable an inactive account. But that account might be active on another servers. In a fail over case where the server that that account normally uses is down, the user would not have a usable account.
Is it possible to use the account policy plugin? Or is there a way to track time of last auth that is replicated. I need to have accounts that have been inactive for 90 days automatically disabled. On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Bob wrote: > >> We currently have 18 master ODSEE servers that we use to provide >> authentication services to both Redhat, SuSE, and Solaris systems. We are >> looking to add IPA servers to >> environment. >> >> We have a requirement to track time of last authentication. With ODSEE, >> time of last authentication tracking is enabled with this: >> >> *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on* >> >> >> Looking at the Redhat DS 9 documentation, I see an account policy plug-in: >> >> >> cn=Account Policy Plugin,cn=plugins,cn=config >> >> Looking thefreeipa.org <http://freeipa.org> pages on the server >> plugins, I do not see the account policy plugin listed. >> http://www.freeipa.org/page/Directory_Server >> >> Looking in the directory DT of a "VERSION: 4.2.0, API_VERSION: 2.156" >> installed on Redhat 7, I do see the account policy plugin in the config >> tree. >> >> >> Is the use of this account policy plugin supported with IPA? Should it >> work? >> > > IPA has its own password policy. You can get last successful > authentication via krbLastSuccessfulAuth > > Don't let the attribute name mislead you, it is updated on every > authentication. > > Also note that this is per-IPA master. It is not replicated. > > rob > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project