Re: [Freeipa-users] Date of last access attribute
On 17/09/13 10:38, Petr Spacek wrote:
> Interesting idea, but it needs careful design not to omit any possible case.
>
> Please create RFE ticket (request for enhancement):
> https://fedorahosted.org/freeipa/newticket
>
> You will need a Fedora Account, please follow this:
> https://fedoraproject.org/wiki/Account_System/NewAccount
>
> Workaround for now is to read attributes krbLastSuccessfulAuth & lastLoginTime from all replicas and use the highest value. A simple script with ldapsearch could work.

I created the ticket: https://fedorahosted.org/freeipa/ticket/3933

Best regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Date of last access attribute
On 17.9.2013 09:18, Arturo Borrero wrote:
> On 16/09/13 15:35, Simo Sorce wrote:
>> No, we need to update as it is used to unlock auto-locked accounts.
>> What we decided on was to not propagate any of these operations via replication to avoid huge churn across all of the enterprise.
>>
>> Simo.
>
> The underlying issue is: with a large scale userbase, some method is needed to know about inactive user accounts. Users that don't send/recv mails, users that don't bind/kinit, whatever...
>
> * some kind of attribute is needed to store when the last activity was.
> * activity would mean a kerberos auth or ldap bind, or an attribute modification.
> * this last time info needs to be replicated.
>
> This way, a policy like 'purge accounts inactive by 1 year' can be implemented. Or even get a sorted list of users by inactivity time.
>
> I think this is a very nice functionality that FreeIPA should have.

Interesting idea, but it needs careful design not to omit any possible case.

Please create RFE ticket (request for enhancement):
https://fedorahosted.org/freeipa/newticket

You will need a Fedora Account, please follow this:
https://fedoraproject.org/wiki/Account_System/NewAccount

Workaround for now is to read attributes krbLastSuccessfulAuth & lastLoginTime from all replicas and use the highest value. A simple script with ldapsearch could work.

--
Petr^2 Spacek
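The workaround Petr describes (read krbLastSuccessfulAuth and lastLoginTime from every replica, since krbLastSuccessfulAuth is not replicated, and keep the highest value per user) as an added example; this script is not part of the thread or of FreeIPA. It assumes LDIF output in the shape ldapsearch -LLL produces, with the timestamps in LDAP generalized time; the replica names, base DN, users and timestamps below are constructed so the script runs offline, and the ldapsearch command line it prints is an assumption about a typical deployment rather than something the thread gives.

```python
"""Merge per-replica last-activity attributes into one view per user.

krbLastSuccessfulAuth is not replicated by default, so each IPA replica only
knows about the Kerberos authentications it handled itself; lastLoginTime
(389 account policy plugin) is per-server in the same way. The inactivity
check below therefore takes the maximum across all replicas and both
attributes, and treats a user with no value anywhere as never active.
"""
from datetime import datetime, timezone

ACTIVITY_ATTRS = ("krbLastSuccessfulAuth", "lastLoginTime")

# Constructed sample output, as ldapsearch -LLL would return it from two
# replicas. alice and dave authenticated against different replicas; bob has
# only an old bind recorded; carol has no activity attribute anywhere.
REPLICA_OUTPUT = {
    "ldaps://ipa1.example.com": """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastSuccessfulAuth: 20130901101500Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
lastLoginTime: 20120101090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
lastLoginTime: 20130916070000Z
""",
    "ldaps://ipa2.example.com": """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbLastSuccessfulAuth: 20130915083000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
krbLastSuccessfulAuth: 20130910120000Z
""",
}

# Constructed "current time" so the inactivity result is reproducible.
NOW = datetime(2013, 9, 17, 12, 0, 0, tzinfo=timezone.utc)


def ldapsearch_command(replica_uri, base_dn):
    """argv that fetches the activity attributes from one replica
    (assumed deployment details: GSSAPI bind, users container as base)."""
    return ["ldapsearch", "-LLL", "-Y", "GSSAPI", "-H", replica_uri, "-b", base_dn,
            "(objectClass=krbprincipalaux)", "uid", *ACTIVITY_ATTRS]


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry. Handles folded
    lines (leading space); base64 '::' values never occur for these attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """LDAP generalized time (YYYYMMDDhhmmssZ) to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def latest_activity(ldif_by_replica):
    """{uid: most recent timestamp seen on any replica, or None if never seen}."""
    result = {}
    for text in ldif_by_replica.values():
        for entry in parse_ldif(text):
            uid = entry.get("uid", [None])[0]
            if uid is None:
                continue
            best = result.get(uid)
            for attr in ACTIVITY_ATTRS:
                for value in entry.get(attr, []):
                    ts = parse_generalized_time(value)
                    if best is None or ts > best:
                        best = ts
            result[uid] = best
    return result


def inactive_users(ldif_by_replica, now, max_age_days):
    """uids whose latest activity is older than max_age_days (or unknown)."""
    cutoff_seconds = max_age_days * 86400
    return sorted(
        uid for uid, ts in latest_activity(ldif_by_replica).items()
        if ts is None or (now - ts).total_seconds() > cutoff_seconds
    )


if __name__ == "__main__":
    for uri in REPLICA_OUTPUT:
        print(" ".join(ldapsearch_command(uri, "cn=users,cn=accounts,dc=example,dc=com")))
    for uid, ts in sorted(latest_activity(REPLICA_OUTPUT).items()):
        print(f"{uid}: {ts.isoformat() if ts else 'never'}")
    print("inactive for 365 days:", inactive_users(REPLICA_OUTPUT, NOW, 365))
```

Feeding each replica's real output into REPLICA_OUTPUT keyed by server is enough to drive the same logic; note that a user with no value on any replica is reported as inactive, which is the right default for a purge policy since an account that has never authenticated gets no exemption.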
Re: [Freeipa-users] Date of last access attribute
On 16/09/13 15:35, Simo Sorce wrote:
> No, we need to update as it is used to unlock auto-locked accounts.
> What we decided on was to not propagate any of these operations via replication to avoid huge churn across all of the enterprise.
>
> Simo.

The underlying issue is: with a large scale userbase, some method is needed to know about inactive user accounts. Users that don't send/recv mails, users that don't bind/kinit, whatever...

* some kind of attribute is needed to store when the last activity was.
* activity would mean a kerberos auth or ldap bind, or an attribute modification.
* this last time info needs to be replicated.

This way, a policy like 'purge accounts inactive by 1 year' can be implemented. Or even get a sorted list of users by inactivity time.

I think this is a very nice functionality that FreeIPA should have.

Best regards.

--
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Re: [Freeipa-users] Date of last access attribute
On Mon, 2013-09-16 at 08:44 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 09/13/2013 01:46 PM, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>>>>> Dmitri Pal wrote:
>>>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>>>>>>
>>>>>>> Thanks so much.
>>>>>>
>>>>>> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.
>>>>>
>>>>> There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).
>>>>>
>>>>> Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.
>>>>
>>>> Rob,
>>>> should we open a ticket to update this for plain text binds too ?
>>>>
>>>> Simo.
>>>
>>> That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.
>>
>> Wasn't there an intent not to update data on a successful auth? Only on a failure or first time after a failure to clear the counts?
>
> It certainly seems like an argument I'd make, but I don't recall specifically.

No, we need to update as it is used to unlock auto-locked accounts.
What we decided on was to not propagate any of these operations via replication to avoid huge churn across all of the enterprise.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Date of last access attribute
Dmitri Pal wrote:
> On 09/13/2013 01:46 PM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>>>> Dmitri Pal wrote:
>>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>>>>>
>>>>>> Thanks so much.
>>>>>
>>>>> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.
>>>>
>>>> There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).
>>>>
>>>> Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.
>>>
>>> Rob,
>>> should we open a ticket to update this for plain text binds too ?
>>>
>>> Simo.
>>
>> That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.
>
> Wasn't there an intent not to update data on a successful auth? Only on a failure or first time after a failure to clear the counts?

It certainly seems like an argument I'd make, but I don't recall specifically.

rob
Re: [Freeipa-users] Date of last access attribute
On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>> Hi all,
>>>
>>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>>
>>> Thanks so much.
>>
>> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.
>
> There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).
>
> Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.

Rob,
should we open a ticket to update this for plain text binds too ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Date of last access attribute
On 09/13/2013 01:46 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>>> Hi all,
>>>>>
>>>>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>>>>
>>>>> Thanks so much.
>>>>
>>>> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.
>>>
>>> There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).
>>>
>>> Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.
>>
>> Rob,
>> should we open a ticket to update this for plain text binds too ?
>>
>> Simo.
>
> That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.

Wasn't there an intent not to update data on a successful auth? Only on a failure or first time after a failure to clear the counts?

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Date of last access attribute
Simo Sorce wrote:
> On Fri, 2013-09-13 at 10:58 -0400, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>>>> Hi all,
>>>>
>>>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>>>
>>>> Thanks so much.
>>>
>>> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.
>>
>> There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).
>>
>> Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.
>
> Rob,
> should we open a ticket to update this for plain text binds too ?
>
> Simo.

That's an interesting question. The attribute has krb in it which suggests a kerberos authentication, so I wonder if this would cause other confusion.

rob
Re: [Freeipa-users] Date of last access attribute
On Fri, Sep 13, 2013 at 07:47:46AM -0600, Rich Megginson wrote:
> On 09/13/2013 03:16 AM, Marina Moreda wrote:
>> Hi all,
>>
>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>
> 389 has a feature which keeps track of lastLoginTime - that is - the last time someone did a BIND to the LDAP server. I don't know if IPA has a similar feature for Kerberos authentication.
>
> http://www.port389.org/wiki/Account_Policy_Design

In IPA, I think the closest match is krbLastSuccessfulAuth.
Re: [Freeipa-users] Date of last access attribute
Dmitri Pal wrote:
> On 09/13/2013 05:16 AM, Marina Moreda wrote:
>> Hi all,
>>
>> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>>
>> Thanks so much.
>
> I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.

There is no mail-specific activity attribute. I think about the closest you could get is last successful Kerberos authentication (krblastsuccessfulauth), but again this isn't specific to mail activity (unless that is all the users can do).

Note too that this attribute is by default not replicated so if you have several IPA masters you'd need to check them all. This attribute is not updated on LDAP binds.

rob
Re: [Freeipa-users] Date of last access attribute
On 09/13/2013 03:16 AM, Marina Moreda wrote:
> Hi all,
>
> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?

389 has a feature which keeps track of lastLoginTime - that is - the last time someone did a BIND to the LDAP server. I don't know if IPA has a similar feature for Kerberos authentication.

http://www.port389.org/wiki/Account_Policy_Design

> Thanks so much.
Re: [Freeipa-users] Date of last access attribute
On 09/13/2013 05:16 AM, Marina Moreda wrote:
> Hi all,
>
> I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?
>
> Thanks so much.

I think there are some operational, i.e. "meta" attributes that store information when some attribute was last modified so if there is a way to associate mail activity with a modification of some user attribute then you can check the time stamp of this modification rather than create a separate attribute. With a new attribute the question comes: who, when and how updates it and whether the software you have is capable of doing it? Maybe software already updates something on every activity for the account and if this is the case then operation attributes would help.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
[Freeipa-users] Date of last access attribute
Hi all,

I need to add in my LDAP an attribute to save the date of last access to mail account, or something similar, to know when a user has stopped using his mail account. I can't find any attribute like this one. Any suggestions on how I can do this?

Thanks so much.

--
Marina Moreda Rodríguez
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía