Re: [Freeipa-users] Tracking Login Times

2016-03-23 Thread Martin Kosek
On 03/21/2016 06:56 PM, Rob Crittenden wrote:
> Bob wrote:
>> If each IPA server tracks time of last auth independently, then one ipa
>> server might disable an inactive account. But that account might be
>> active on another servers. In a fail over case where the server that
>> that account normally uses is down, the user would not have a usable
>> account.
>>
>> Is it possible to use the account policy plugin?  Or is there a way to
>> track time of last auth that is replicated.  I need to have accounts
>> that have been inactive for 90 days automatically disabled.
> 
> You can't use the account policy plugin but it isn't aware of Kerberos so it
> would miss potentially a lot of authentications.
> 
> You could modify replication agreements to not ignore this attribute but you
> potentially create a replication "storm", particularly early morning when
> everyone logs in at the same time.
> 
> In any case IPA password policy doesn't currently handle inactivity. There is a
> ticket open: https://fedorahosted.org/freeipa/ticket/4975 (with a potential
> short-term workaround).

JFTR, this is the ticket with failed login replication RFE:
https://fedorahosted.org/freeipa/ticket/3700

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Tracking Login Times

2016-03-21 Thread Rob Crittenden

Bob wrote:

We currently have 18 master ODSEE servers that we use to provide authentication 
services to both Redhat, SuSE, and Solaris systems. We are looking to add IPA 
servers to environment.

We have a requirement to track time of last authentication.  With ODSEE, time 
of last authentication tracking is enabled with this:

*dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*


Looking at the Redhat DS 9 documentation, I see an account policy plug-in:


cn=Account Policy Plugin,cn=plugins,cn=config

Looking at the freeipa.org pages on the server plugins, I do 
not see the account policy plugin listed.
http://www.freeipa.org/page/Directory_Server

Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION: 2.156" installed 
on Redhat 7, I do see the account policy plugin in the config tree.


Is the use of this account policy plugin supported with IPA? Should it work?


IPA has its own password policy. You can get last successful 
authentication via krbLastSuccessfulAuth


Don't let the attribute name mislead you, it is updated on every 
authentication.


Also note that this is per-IPA master. It is not replicated.

rob

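Because krbLastSuccessfulAuth is written only by the master that handled the authentication and is not replicated, an inactivity check has to gather the attribute from every master and keep the newest value per user before deciding anything. The script below is an added example for this thread, not code from the FreeIPA project or from any participant: it parses the LDIF that ldapsearch prints for each master, merges the per-master values, and splits users into active, stale (no authentication within 90 days on any master) and never-authenticated. The master hostnames, the base DN cn=users,cn=accounts,dc=example,dc=test and the LDIF text are constructed for the example.

```python
"""Reconcile krbLastSuccessfulAuth across several IPA masters (added example).

The attribute is per-master and not replicated, so every master is queried
and the newest value per user wins before any inactivity decision is made.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # the thread's "inactive for 90 days" requirement


def parse_ldif(text):
    """Parse the LDIF that `ldapsearch -LLL ... uid krbLastSuccessfulAuth`
    prints and return {uid: krbLastSuccessfulAuth-or-None}.
    Base64 (`::`) values are not handled; neither attribute needs them."""
    result, entry = {}, {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if line.strip() == "":
            if "uid" in entry:
                result[entry["uid"]] = entry.get("krbLastSuccessfulAuth")
            entry = {}
        elif ":" in line and not line.startswith(" "):
            attr, _, value = line.partition(":")
            entry[attr.strip()] = value.strip()
    return result


def parse_generalized_time(value):
    """FreeIPA stores the attribute as LDAP GeneralizedTime in UTC: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_last_auth(per_master):
    """{master: {uid: raw-or-None}} -> {uid: newest datetime seen on any master, or None}."""
    merged = {}
    for entries in per_master.values():
        for uid, raw in entries.items():
            ts = parse_generalized_time(raw) if raw else None
            if uid not in merged or (ts is not None and (merged[uid] is None or ts > merged[uid])):
                merged[uid] = ts
    return merged


def classify_accounts(merged, now, days=INACTIVITY_DAYS):
    """Return (active, stale, never_authenticated), each sorted by uid.
    Users with no value on any master are reported separately rather than
    treated as stale, because a freshly created account also has no value."""
    cutoff = now - timedelta(days=days)
    active, stale, never = [], [], []
    for uid, last in sorted(merged.items()):
        if last is None:
            never.append(uid)
        elif last < cutoff:
            stale.append(uid)
        else:
            active.append(uid)
    return active, stale, never


# Constructed sample output, as if captured from two masters (hostnames and
# base DN are assumptions for this example) with:
#   ldapsearch -LLL -H ldaps://<master> -b cn=users,cn=accounts,dc=example,dc=test \
#       '(uid=*)' uid krbLastSuccessfulAuth
SAMPLE_LDIF = {
    "ipa1.example.test": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20160320080102Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20151201090000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
krbLastSuccessfulAuth: 20151101120000Z
""",
    "ipa2.example.test": """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20160101080102Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20160318171500Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
""",
}
NOW = datetime(2016, 3, 21, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def report(per_master_ldif=SAMPLE_LDIF, now=NOW):
    """Parse each master's LDIF, merge, and classify."""
    per_master = {m: parse_ldif(t) for m, t in per_master_ldif.items()}
    return classify_accounts(merge_last_auth(per_master), now)


if __name__ == "__main__":
    active, stale, never = report()
    print("active:", active)
    print("stale (>%d days on every master):" % INACTIVITY_DAYS, stale)
    print("never authenticated on any master:", never)
```

In the sample data, bob last authenticated on ipa1 in December 2015 but failed over to ipa2 in March 2016; a check run against ipa1 alone would disable him, while the merged view keeps him active. Running the classification on a single master's output reproduces exactly the failure mode Bob describes in the thread.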


[Freeipa-users] Tracking Login Times

2016-03-21 Thread Bob
We currently have 18 master ODSEE servers that we use to provide
authentication services to both Redhat, SuSE, and Solaris systems. We
are looking to add IPA servers to environment.

We have a requirement to track time of last authentication.  With
ODSEE, time of last authentication tracking is enabled with this:


*dsconf set-server-prop pwd-keep-last-auth-time-enabled:on*

Looking at the Redhat DS 9 documentation, I see an account policy plug-in:


cn=Account Policy Plugin,cn=plugins,cn=config

Looking at the freeipa.org pages on the server plugins, I do not see the
account policy plugin listed.
http://www.freeipa.org/page/Directory_Server

Looking in the directory DIT of a "VERSION: 4.2.0, API_VERSION: 2.156"
installed on Redhat 7, I do see the account policy plugin in the
config tree.


Is the use of this account policy plugin supported with IPA? Should it work?

Thanks,

Bob Harvey