6.8. Overlay module for recording an account’s last successful LDAP bind

The optional lastbind overlay module for OpenLDAP records the timestamp of an account’s last successful LDAP bind in the authTimestamp attribute. This can be used, for example, to detect unused accounts.

The lastbind overlay module is activated by setting the Univention Configuration Registry Variable ldap/overlay/lastbind to yes and restarting the OpenLDAP server. When the module is active on a UCS server, a timestamp is written to the account’s authTimestamp attribute whenever that account binds successfully against that LDAP server. The Univention Configuration Registry Variable ldap/overlay/lastbind/precision configures the number of seconds that must have passed since the stored timestamp before the authTimestamp attribute is written again. This avoids a large number of write operations that would impair performance.

The authTimestamp attribute can only be queried on the LDAP server where the lastbind overlay module is activated; it is not replicated to other LDAP servers. For that reason the /usr/share/univention-ldap/univention_lastbind.py script can be executed to collect the youngest (most recent) authTimestamp value from all reachable LDAP servers in the UCS domain and store it in the lastbind extended UDM attribute of a user. The script can be invoked to update the lastbind extended attribute of a single user or of all users. The lastbind extended attribute maps to the univentionAuthTimestamp LDAP attribute.
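The following Python is an added illustration, not the univention_lastbind.py script or any other Univention code: it merges per-server authTimestamp values the way the text describes (youngest value wins, absent values are skipped), mirrors the precision rule of ldap/overlay/lastbind/precision, and flags accounts that are idle beyond a threshold or have never bound. The server names, user names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime at seconds resolution, e.g. 20240320061500Z (assumed format).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_auth_timestamp(value):
    """Turn an authTimestamp string into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_auth_timestamp(dt):
    """Render a datetime in the form stored in univentionAuthTimestamp."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def youngest_auth_timestamp(per_server):
    """per_server maps server name -> authTimestamp string, or None when the
    attribute is absent there (the account never bound against that server)."""
    stamps = [parse_auth_timestamp(v) for v in per_server.values() if v]
    return max(stamps) if stamps else None


def needs_update(current, now, precision_seconds):
    """Precision rule: rewrite authTimestamp only if at least precision_seconds
    have passed since the stored value; always write when nothing is stored."""
    if current is None:
        return True
    return now - parse_auth_timestamp(current) >= timedelta(seconds=precision_seconds)


def find_stale_accounts(collected, now, max_idle_days):
    """collected maps uid -> {server: authTimestamp or None}. Returns uid -> merged
    value (string or None) for accounts idle longer than max_idle_days or never bound."""
    stale = {}
    for uid, per_server in collected.items():
        youngest = youngest_auth_timestamp(per_server)
        if youngest is None or now - youngest > timedelta(days=max_idle_days):
            stale[uid] = format_auth_timestamp(youngest) if youngest else None
    return stale


# Constructed sample: what three LDAP servers would each report for three users.
SAMPLE = {
    "alice": {"primary": "20240301120000Z", "backup": "20240320061500Z", "replica1": None},
    "bob":   {"primary": "20231201080000Z", "backup": None, "replica1": None},
    "carol": {"primary": None, "backup": None, "replica1": None},
}
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for uid, merged in find_stale_accounts(SAMPLE, NOW, 30).items():
        print(uid, merged or "never bound")
```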

One way to keep the lastbind extended attribute up-to-date is by creating a cron job via UCR:

$ ucr set cron/update_lastbind_attribute/command='/usr/share/univention-ldap/univention_lastbind.py --allusers' \
    cron/update_lastbind_attribute/time='00 06 * * *'  # daily at 06:00 a.m.

More information on how to set cron jobs via UCR can be found in Defining cron jobs in Univention Configuration Registry.