[SAC] LDAP: time of last usage
Sandro Santilli
strk at keybit.net
Mon May 9 10:54:52 PDT 2016
On Mon, May 09, 2016 at 07:35:43PM +0200, Sandro Santilli wrote:
> I was thinking that if we want to remove dormant accounts we would
> need to be able to tell the time of last _usage_ for an account.
>
> Since "usage" probably always starts with credentials verification
> (even if later real usage could be based on service-local
> authenticated sessions) an approximation of that query could be
> done by looking at the LDAP server datastore.
>
> According to [this article](
> http://serverfault.com/questions/390747/how-can-i-determine-the-last-time-an-open-directory-network-account-was-used-on
> ) the LDAP server should store such info in a per-user file, can
> anyone confirm?
>
> Or, can you think of other ways to determine when an account was last
> used? The aim is to drop/disable/ping-to-confirm accounts that
> weren't used in a year.
I tried using the logs, using this pattern against the syslog:
'slapd.*BIND dn="<USER>'
Seems to give some info, but the logs don't go back more than 7 days :(
--strk;
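
The log-based approach from the message above, as an added example that is not part of the original post: a slapd `BIND dn=` line is written for every bind attempt, so this sketch pairs each one with its `RESULT tag=97` line and counts only `err=0` as usage. It assumes slapd logs at the `stats` level; the sample lines, host name and DNs are constructed, and the year is passed in because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape slapd writes at loglevel "stats".
SAMPLE_LOG = """\
May  2 08:15:01 ldap slapd[812]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
May  2 08:15:01 ldap slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
May  3 09:00:10 ldap slapd[812]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=org" method=128
May  3 09:00:10 ldap slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text=
May  8 17:42:33 ldap slapd[812]: conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=org" method=128
May  8 17:42:33 ldap slapd[812]: conn=1003 op=0 RESULT tag=97 err=0 text=
May  9 10:01:00 ldap slapd[812]: conn=1004 op=0 BIND dn="" method=128
May  9 10:01:00 ldap slapd[812]: conn=1004 op=0 RESULT tag=97 err=0 text=
"""

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$')
BIND = re.compile(r'BIND dn="([^"]*)" method=')   # the bind request line
RESULT = re.compile(r'RESULT tag=97 err=(\d+)')   # tag=97 is the bind response

def last_successful_binds(lines, year):
    """Map each DN to the time of its most recent successful bind."""
    pending = {}  # (conn, op) -> DN awaiting its RESULT line
    last = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, conn, op, rest = m.groups()
        key = (conn, op)
        bind = BIND.match(rest)
        if bind:
            pending[key] = bind.group(1).lower()
            continue
        result = RESULT.match(rest)
        if result and key in pending:
            dn = pending.pop(key)
            # err=0 is success; err=49 is invalid credentials.
            # An empty DN is an anonymous bind, not account usage.
            if result.group(1) == "0" and dn:
                when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
                last[dn] = max(when, last.get(dn, when))
    return last

if __name__ == "__main__":
    for dn, when in sorted(last_successful_binds(SAMPLE_LOG.splitlines(), 2016).items()):
        print(when.isoformat(), dn)
```

An account that never appears in the output has no successful bind within the log retention window, which is a weaker statement than "unused".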