If each IPA server tracks time of last auth independently, then one IPA
server might disable an inactive account. But that account might be
active on other servers. In a fail over case where the server that
that account normally uses is down, the user would not have a usable
Is it possible to use the account policy plugin? Or is there a way to
track time of last auth that is replicated. I need to have accounts
that have been inactive for 90 days automatically disabled.
You can't use the account policy plugin but it isn't aware of Kerberos
so it would miss potentially a lot of authentications.
You could modify replication agreements to not ignore this attribute but
you potentially create a replication "storm", particularly early morning
when everyone logs in at the same time.
In any case IPA password policy doesn't currently handle inactivity.
There is a ticket open: https://fedorahosted.org/freeipa/ticket/4975
(with a potential short-term workaround).
On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com
We currently have 18 master ODSEE servers that we use to provide
authentication services to Red Hat, SuSE, and Solaris
systems. We are looking to add IPA servers to
We have a requirement to track time of last authentication.
With ODSEE, time of last authentication tracking is enabled with
*dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*
Looking at the Redhat DS 9 documentation, I see an account
cn=Account Policy Plugin,cn=plugins,cn=config
Looking at the freeipa.org <http://freeipa.org> pages on the server
plugins, I do not see the account policy plugin listed.
Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION:
2.156" installed on Red Hat 7, I do see the account policy plugin
in the config tree.
Is the use of this account policy plugin supported with IPA?
Should it work?
IPA has its own password policy. You can get last successful
authentication via krbLastSuccessfulAuth
Don't let the attribute name mislead you, it is updated on every
Also note that this is per-IPA master. It is not replicated.
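Since krbLastSuccessfulAuth is written by the KDC on each master and is not replicated, the only safe way to apply a 90-day inactivity rule is to read the attribute from every master and keep the newest value per user. The script below is an added example, not code from the thread or from the FreeIPA project: the master hostnames, the sample timestamps, the base DN and bind credentials are constructed, and the python-ldap fetch and the `ipa user-disable` invocation are assumptions about how you would wire it into a real deployment (the fetch is not run here; the rest works offline on the embedded sample).

```python
"""Added example (not from the thread): aggregate krbLastSuccessfulAuth
across every IPA master before deciding that an account is inactive."""
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90

# Constructed sample: what a one-level search under cn=users,cn=accounts
# on two hypothetical masters might return. None = attribute absent, i.e.
# the KDC on that master never recorded a successful authentication.
SAMPLE_PER_MASTER = {
    "ipa1.example.test": {
        "alice": "20160320100000Z",
        "bob":   "20151201080000Z",
        "carol": None,
    },
    "ipa2.example.test": {
        "alice": "20160101000000Z",
        "bob":   "20160315093000Z",
        "carol": None,
        "dave":  "20150601000000Z",
    },
}
SAMPLE_NOW = datetime(2016, 3, 21, 12, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """krbLastSuccessfulAuth is LDAP GeneralizedTime, e.g. 20160321112200Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def fetch_last_auth(master, base_dn, bind_dn, password):
    """Query one master with python-ldap (assumed installed; not exercised
    offline). Returns {uid: generalized-time string or None}."""
    import ldap  # imported lazily so the rest of the module runs without it
    conn = ldap.initialize("ldaps://%s" % master)
    conn.simple_bind_s(bind_dn, password)
    entries = conn.search_s(base_dn, ldap.SCOPE_ONELEVEL,
                            "(objectClass=krbprincipalaux)",
                            ["uid", "krbLastSuccessfulAuth"])
    result = {}
    for _dn, attrs in entries:
        uid = attrs["uid"][0].decode()
        ts = attrs.get("krbLastSuccessfulAuth")
        result[uid] = ts[0].decode() if ts else None
    return result


def latest_auth_per_user(per_master):
    """Newest timestamp seen on any master; the attribute is not replicated,
    so a single master's value is only a lower bound on real activity."""
    latest = {}
    for users in per_master.values():
        for uid, ts in users.items():
            latest.setdefault(uid, None)
            if ts is None:
                continue
            t = parse_generalized_time(ts)
            if latest[uid] is None or t > latest[uid]:
                latest[uid] = t
    return latest


def classify_accounts(per_master, now, days=INACTIVITY_DAYS):
    """Return (stale, never_seen). stale: last auth on every master is older
    than `days`. never_seen: no master recorded any successful auth (new
    users, or masters not recording last success); that is not evidence of
    inactivity, so those are reported rather than disabled."""
    cutoff = now - timedelta(days=days)
    stale, never_seen = [], []
    for uid, t in sorted(latest_auth_per_user(per_master).items()):
        if t is None:
            never_seen.append(uid)
        elif t < cutoff:
            stale.append(uid)
    return stale, never_seen


if __name__ == "__main__":
    stale, never_seen = classify_accounts(SAMPLE_PER_MASTER, SAMPLE_NOW)
    for uid in stale:
        # Disabling is left to the IPA CLI (hypothetical invocation):
        print("ipa user-disable %s" % uid)
    for uid in never_seen:
        print("# %s: no successful auth on any master; review manually" % uid)
```

Two practical checks before trusting the output: the bind identity must be allowed to read krbLastSuccessfulAuth on every master (ordinary users cannot), and an absent attribute must not be read as "inactive", since the KDC on a given master may simply never have written it (on some FreeIPA versions recording of last success can be turned off via the KDC:Disable Last Success entry in ipaConfigString under cn=ipaConfig,cn=etc,$SUFFIX, so check that before relying on the value). Running this from one place keeps every master's view in one decision, which avoids the fail-over problem described above where a master that never saw the user disables an account that is active elsewhere.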
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project