On Tue, 2017-05-23 at 13:07 -0400, Chris Apsey via FreeIPA-users wrote:
> All,
>
> We use freeIPA as the LDAP backend for OpenStack Keystone, GitLab, and a
> few other things. We have been looking for a way to keep track of the
> last time a user logged on, and the obvious answer seems to be the
> krbLastSuccessfulAuth attribute. The problem is that this value for all
> users is N/A:
>
> -----------------------
> Account disabled: False
> -----------------------
> Server: {{srv}}
> Failed logins: 0
> Last successful authentication: N/A
> Last failed authentication: N/A
> Time now: 2017-05-23T16:47:49Z
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> I checked to make sure that the ipaConfigString doesn't contain
> KDC:Disable Last Success. Does krbLastSuccessfulAuth only get updated
> when using kerberized logins? If so, is there a way to track the last
> time a user successfully authenticated via pure LDAP (besides parsing
> logs)?

As the name krbLastSuccessfulAuth implies we update this only on a
successful Kerberos login (and I think we do not replicate it by default,
as it would cause a lot of replication overhead).

I think atm parsing logs is the only way, it may be nice to have an RFE
open to track the need to have a consolidated log/queue where we can emit
messages when someone (un)successfully logs in.

Simo.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
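
Added example, not part of the original thread or of FreeIPA: one way to do the log parsing mentioned above, pairing each simple (method=128) BIND with its RESULT line to get the last successful and last failed LDAP bind per DN. It assumes 389 Directory Server style access-log lines; the sample lines, DNs and the function name `last_simple_binds` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the assumed 389 Directory Server access-log layout:
# a BIND line and its RESULT (tag=97 = bind response) share the same conn/op pair.
SAMPLE_LOG = """\
[23/May/2017:16:40:01.100000000 +0000] conn=11 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:40:01.105000000 +0000] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0.005 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
[23/May/2017:16:41:10.200000000 +0000] conn=12 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:41:10.204000000 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0.004
[23/May/2017:16:42:00.000000000 +0000] conn=13 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2017:16:42:00.010000000 +0000] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0.010 dn="uid=carol,cn=users,cn=accounts,dc=example,dc=com"
[23/May/2017:16:45:30.300000000 +0000] conn=14 op=0 BIND dn="uid=Alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[23/May/2017:16:45:30.302000000 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0.002 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com"
"""

# The sub-second part is optional and dropped; strptime's %f cannot take 9 digits.
LINE = re.compile(r'^\[(?P<ts>[^.\s\]]+)(?:\.\d+)? (?P<tz>[+-]\d{4})\] '
                  r'conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=128\b')   # simple binds only
RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=97\b')

def last_simple_binds(lines):
    """Return {dn: {"success": datetime|None, "failure": datetime|None}}."""
    pending, seen = {}, {}          # pending: (conn, op) -> DN awaiting RESULT
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["conn"], m["op"])
        bind = BIND.match(m["rest"])
        if bind:
            if bind["dn"]:          # skip anonymous binds (empty DN)
                pending[key] = bind["dn"].lower()   # normalise DN case
            continue
        res = RESULT.match(m["rest"])
        if res and key in pending:
            dn = pending.pop(key)
            # %b expects English month names (C locale).
            when = datetime.strptime(f'{m["ts"]} {m["tz"]}', "%d/%b/%Y:%H:%M:%S %z")
            slot = "success" if res["err"] == "0" else "failure"
            entry = seen.setdefault(dn, {"success": None, "failure": None})
            if entry[slot] is None or when > entry[slot]:
                entry[slot] = when
    return seen

if __name__ == "__main__":
    for dn, t in last_simple_binds(SAMPLE_LOG.splitlines()).items():
        print(dn, "| last success:", t["success"] or "N/A", "| last failure:", t["failure"] or "N/A")
```

Access logs are per server, so on a multi-replica deployment the result has to be merged across every replica that accepts binds.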