6.8. Overlay module for recording an account’s last successful LDAP bind#
Before using this feature please read KB 14404 - support article about activating the OpenLDAP lastbind overlay module.
The optional lastbind overlay module for OpenLDAP allows
recording the timestamp of the last successful LDAP bind in the
authTimestamp attribute and can for example be used to detect unused
lastbind overlay module can be activated by setting the Univention Configuration Registry Variable
yes and restarting the OpenLDAP server.
When the module is activated on an UCS server, a timestamp is written to the
authTimestamp attribute when that account logs into the LDAP
server. The Univention Configuration Registry Variable
ldap/overlay/lastbind/precision can be used to
configure the time in seconds that has to pass before the
attribute is updated. This prevents a large number of write operations that can
authTimestamp attribute can only be queried on the LDAP server where the
lastbind overlay module is activated. It is not replicated to other LDAP
servers. For that reason the
/usr/share/univention-ldap/univention_lastbind.py script can be executed
to collect the youngest
authTimestamp value from all reachable LDAP servers
in the UCS domain and save it into the
lastbind extended UDM attribute of a
user. The script can be invoked to update the
lastbind extended attribute of
one or all users. The
lastbind extended attribute maps to the
univentionAuthTimestamp LDAP attribute.
One way to keep the
lastbind extended attribute
up-to-date is by creating a cron job via UCR:
$ ucr set cron/update_lastbind_attribute/command='\ /usr/share/univention-ldap/univention_lastbind.py --allusers'\ cron/update_lastbind_attribute/time='00 06 * * *' # daily at 06:00 a.m.
More information on how to set cron jobs via UCR can be found in Defining cron jobs in Univention Configuration Registry.