Bob wrote:
If each IPA server tracks time of last auth independently, then one IPA
server might disable an inactive account. But that account might be
active on other servers. In a failover case where the server that
that account normally uses is down, the user would not have a usable

Is it possible to use the account policy plugin?  Or is there a way to
track time of last auth that is replicated.  I need to have accounts
that have been inactive for 90 days automatically disabled.

You can't use the account policy plugin but it isn't aware of Kerberos so it would miss potentially a lot of authentications.

You could modify replication agreements to not ignore this attribute but you potentially create a replication "storm", particularly early morning when everyone logs in at the same time.

In any case IPA password policy doesn't currently handle inactivity. There is a ticket open: (with a potential short-term workaround).


On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <> wrote:

    Bob wrote:

        We currently have 18 master ODSEE servers that we use to provide
        authentication services to Red Hat, SuSE, and Solaris
        systems. We are looking to add IPA servers to

        We have a requirement to track time of last authentication.
        With ODSEE, time of last authentication tracking is enabled with

        *dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*

        Looking at the Redhat DS 9 documentation, I see an account
        policy plug-in:

        cn=Account Policy Plugin,cn=plugins,cn=config

        Looking <>
        <>  pages on the server plugins, I do not see
        the account policy plugin listed.

        Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION:
        2.156" installed on Red Hat 7, I do see the account policy plugin
        in the config tree.

        Is the use of this account policy plugin supported with IPA?
        Should it work?

    IPA has its own password policy. You can get last successful
    authentication via krbLastSuccessfulAuth

    Don't let the attribute name mislead you, it is updated on every

    Also note that this is per-IPA master. It is not replicated.
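The point raised in both replies is that krbLastSuccessfulAuth is maintained per IPA master and is not replicated, so a 90-day inactivity check that reads only one master will flag users who authenticated elsewhere. The following added example (it is not code from the thread or from the FreeIPA project) shows the defensive way to consume that attribute: collect the value from every master, keep the most recent timestamp per user, and only then compare against the threshold. The LDAP search against each master is omitted; the per-master results and the enrollment dates are constructed sample data in the shape such a search would return, and the master names, uids and timestamps are assumptions for illustration.

```python
"""Merge per-master krbLastSuccessfulAuth values before judging inactivity.

Added example, not from the mailing-list thread. Because the attribute is
not replicated, the inactivity decision must be made on the maximum value
across all masters, never on a single server's copy.
"""
from datetime import datetime, timedelta

INACTIVITY_DAYS = 90


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20160321112200Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ")


def merge_last_auth(per_master):
    """per_master maps master name -> {uid: krbLastSuccessfulAuth or None}.

    Returns {uid: latest datetime seen on any master, or None if no master
    has ever recorded a successful authentication for that uid}.
    """
    merged = {}
    for results in per_master.values():
        for uid, raw in results.items():
            if uid not in merged:
                merged[uid] = None
            ts = parse_generalized_time(raw) if raw else None
            if ts is not None and (merged[uid] is None or ts > merged[uid]):
                merged[uid] = ts
    return merged


def inactive_accounts(merged, now, days=INACTIVITY_DAYS, enrolled=None):
    """Return the sorted uids whose most recent auth on any master is older
    than the window. Accounts with no recorded auth anywhere are flagged only
    if their enrollment date (GeneralizedTime, from `enrolled`) is also older
    than the window, so a freshly created account is not disabled before its
    first login."""
    cutoff = now - timedelta(days=days)
    enrolled = enrolled or {}
    flagged = []
    for uid, last in merged.items():
        if last is None:
            created = enrolled.get(uid)
            if created is not None and parse_generalized_time(created) < cutoff:
                flagged.append(uid)
        elif last < cutoff:
            flagged.append(uid)
    return sorted(flagged)


# Constructed sample data: what two hypothetical masters would return.
# "bob" last authenticated against ipa2 only, so ipa1's stale value alone
# would wrongly mark him inactive.
SAMPLE_MASTERS = {
    "ipa1.example.test": {
        "alice": "20160320100000Z",
        "bob": "20151201090000Z",
        "carol": None,
        "dave": None,
    },
    "ipa2.example.test": {
        "alice": "20160101000000Z",
        "bob": "20160318120000Z",
        "carol": "20151215000000Z",
        "dave": None,
    },
}
# Constructed enrollment dates (hypothetical attribute values).
SAMPLE_ENROLLED = {"carol": "20150101000000Z", "dave": "20160301000000Z"}
SAMPLE_NOW = datetime(2016, 3, 21, 11, 22, 0)


def demo_all_masters():
    """Decision made on the merged view: only carol is really inactive."""
    return inactive_accounts(merge_last_auth(SAMPLE_MASTERS), SAMPLE_NOW,
                             enrolled=SAMPLE_ENROLLED)


def demo_single_master():
    """Same decision made on ipa1 alone: bob is flagged by mistake."""
    one = {"ipa1.example.test": SAMPLE_MASTERS["ipa1.example.test"]}
    return inactive_accounts(merge_last_auth(one), SAMPLE_NOW,
                             enrolled=SAMPLE_ENROLLED)


if __name__ == "__main__":
    print("merged view   :", demo_all_masters())
    print("ipa1 only     :", demo_single_master())
```

Running it side by side shows the failure mode from the first message: the single-master view disables bob, who is active on another master, while the merged view does not. Whatever performs the disable (a cron job calling the IPA API, for instance) should be fed the merged result, and the merge itself should tolerate a master being unreachable during the run by treating its missing values as unknown rather than as "never authenticated".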

