Bob wrote:
If each IPA server tracks time of last auth independently, then one IPA
server might disable an inactive account. But that account might be
active on another server. In a failover case where the server that
that account normally uses is down, the user would not have a usable
account.

Is it possible to use the account policy plugin? Or is there a way to
track time of last auth that is replicated? I need to have accounts
that have been inactive for 90 days automatically disabled.

You can't use the account policy plugin but it isn't aware of Kerberos so it would miss potentially a lot of authentications.

You could modify replication agreements to not ignore this attribute but you potentially create a replication "storm", particularly early morning when everyone logs in at the same time.

In any case IPA password policy doesn't currently handle inactivity. There is a ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential short-term workaround).

rob


On Mon, Mar 21, 2016 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Bob wrote:

        We currently have 18 master ODSEE servers that we use to provide
        authentication services to both Redhat, SuSE, and Solaris
        systems. We are looking to add IPA servers to the
        environment.

        We have a requirement to track time of last authentication.
        With ODSEE, time of last authentication tracking is enabled with
        this:

        dsconf set-server-prop pwd-keep-last-auth-time-enabled:on


        Looking at the Redhat DS 9 documentation, I see an account
        policy plug-in:


        cn=Account Policy Plugin,cn=plugins,cn=config

        Looking at the freeipa.org pages on the server plugins, I do not see
        the account policy plugin listed.
        http://www.freeipa.org/page/Directory_Server

        Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION:
        2.156" installed on Redhat 7, I do see the account policy plugin
        in the config tree.


        Is the use of this account policy plugin supported with IPA?
        Should it work?


    IPA has its own password policy. You can get last successful
    authentication via krbLastSuccessfulAuth

    Don't let the attribute name mislead you, it is updated on every
    authentication.

    Also note that this is per-IPA master. It is not replicated.

    rob





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project