If each IPA server tracks time of last auth independently, then one IPA
server might disable an inactive account. But that account might be active
on another server. In a failover case where the server that account
normally uses is down, the user would not have a usable account.

Is it possible to use the account policy plugin?  Or is there a way to
track time of last auth that is replicated?  I need to have accounts that
have been inactive for 90 days automatically disabled.

On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com>
wrote:

> Bob wrote:
>
>> We currently have 18 master ODSEE servers that we use to provide
>> authentication services to Red Hat, SuSE, and Solaris systems. We are
>> looking to add IPA servers to the environment.
>>
>> We have a requirement to track time of last authentication.  With ODSEE,
>> time of last authentication tracking is enabled with this:
>>
>> *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*
>>
>>
>> Looking at the Redhat DS 9 documentation, I see an account policy plug-in:
>>
>>
>> cn=Account Policy Plugin,cn=plugins,cn=config
>>
>> Looking at the freeipa.org <http://freeipa.org> pages on the server
>> plugins, I do not see the account policy plugin listed.
>> http://www.freeipa.org/page/Directory_Server
>>
>> Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION: 2.156"
>> installed on Red Hat 7, I do see the account policy plugin in the config
>> tree.
>>
>>
>> Is the use of this account policy plugin supported with IPA? Should it
>> work?
>>
>
> IPA has its own password policy. You can get last successful
> authentication via krbLastSuccessfulAuth
>
> Don't let the attribute name mislead you, it is updated on every
> authentication.
>
> Also note that this is per-IPA master. It is not replicated.
>
> rob
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
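The practical consequence of krbLastSuccessfulAuth being per-master and unreplicated is that an inactivity check must read the attribute from every master and keep the most recent value per user before deciding anything. The script below is an added example written for this thread, not code from the thread or from the FreeIPA project. It assumes the attribute is stored as an LDAP GeneralizedTime in UTC (e.g. 20160321112200Z), uses constructed per-master sample data in place of real LDAP results, and treats the 90-day threshold from the question as the cutoff. Accounts with no recorded authentication on any master are reported separately rather than disabled, because a missing value can mean an unreachable master as easily as a never-used account.

```python
"""Aggregate per-master krbLastSuccessfulAuth values to find inactive accounts.

Added example, not code from the mailing-list thread or from FreeIPA.
Because each IPA master keeps its own, unreplicated krbLastSuccessfulAuth,
an inactivity check must query every master and keep the newest value.
The per-master data below is constructed; in a real run it would come
from an LDAP search against each master, for example (illustrative):
  ldapsearch -H ldaps://<master> -b cn=users,cn=accounts,<base> uid krbLastSuccessfulAuth
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # the 90-day threshold from the question


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20160321112200Z' as UTC.
    (Assumption: the attribute uses this common UTC form.)"""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_last_auth(per_master):
    """per_master: {master_name: {uid: 'YYYYmmddHHMMSSZ' or None}}.
    Returns {uid: most recent datetime seen on any master, or None}."""
    merged = {}
    for entries in per_master.values():
        for uid, raw in entries.items():
            ts = parse_generalized_time(raw) if raw else None
            merged.setdefault(uid, None)
            if ts is not None and (merged[uid] is None or ts > merged[uid]):
                merged[uid] = ts
    return merged


def classify_accounts(merged, now, days=INACTIVITY_DAYS):
    """Split uids into (inactive, never_authenticated, active).
    Users with no timestamp on any master go to a separate list for manual
    review: a missing value may mean a master was unreachable rather than
    that the user has never logged in."""
    cutoff = now - timedelta(days=days)
    inactive, never, active = [], [], []
    for uid, ts in sorted(merged.items()):
        if ts is None:
            never.append(uid)
        elif ts < cutoff:
            inactive.append(uid)
        else:
            active.append(uid)
    return inactive, never, active


# Constructed sample: the same users as seen from three masters.
# 'alice' looks stale on master1 but is recent on master2 (the failover
# case from the question); 'bob' is stale everywhere; 'carol' has no
# recorded auth on any master; 'dave' exists only on master3's result.
SAMPLE = {
    "master1": {"alice": "20151201080000Z", "bob": "20151101090000Z", "carol": None},
    "master2": {"alice": "20160318120000Z", "bob": None, "carol": None},
    "master3": {"alice": None, "bob": "20151110090000Z", "dave": "20160320100000Z"},
}
NOW = datetime(2016, 3, 21, 11, 22, tzinfo=timezone.utc)  # constructed "now"


def report(per_master=SAMPLE, now=NOW):
    """Return (inactive, never_authenticated, active) for the given data."""
    return classify_accounts(merge_last_auth(per_master), now)


if __name__ == "__main__":
    inactive, never, active = report()
    print("candidates to disable (inactive > %d days): %s" % (INACTIVITY_DAYS, inactive))
    print("no auth recorded on any master (review manually): %s" % never)
    print("active: %s" % active)
```

Run against the sample, only `bob` lands in the disable list; `alice` survives because master2 holds a recent login that master1 never saw, which is exactly the failover situation described above. A real job would feed the `inactive` list to `ipa user-disable` only after confirming every master actually answered, since a master that was down during the query contributes no timestamps and would otherwise make its users look idle.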