6.7. Track last sign-in time to detect inactive accounts

Inactive user accounts are a security risk because attackers can compromise them without anyone noticing. By recording when each account last signed in, you can identify accounts that haven’t signed in recently and take appropriate action.

Read this page to learn how to:

  • activate the OpenLDAP lastbind overlay module.

  • collect sign-in timestamps from all LDAP servers in the domain.

  • schedule automatic updates to keep the timestamps current.

6.7.1. Activate the overlay module

The lastbind overlay module for OpenLDAP records when a user last signed in, storing the result in the authTimestamp attribute. Use these timestamps to identify accounts that haven’t signed in recently.

When you set the UCR variable ldap/overlay/lastbind to yes and restart the OpenLDAP server, the lastbind overlay module activates. To restart the OpenLDAP server, run the command in Listing 6.15. The module writes a timestamp to the account’s authTimestamp attribute each time that account performs an LDAP bind. ldap/overlay/lastbind/precision sets the minimum time in seconds between updates to the authTimestamp attribute. This prevents excessive write operations that impair performance.

Listing 6.15 Restart the OpenLDAP server
$ systemctl restart slapd

6.7.2. Collect and store the timestamp

The lastbind overlay module only writes authTimestamp to the local LDAP server. Other LDAP servers don’t replicate this attribute. For that reason, run the /usr/share/univention-ldap/univention_lastbind.py script. The script collects the most recent authTimestamp value from all reachable LDAP servers in the Nubus for UCS domain and stores it in the lastbind extended attribute.

The lastbind extended attribute stores its value in the univentionAuthTimestamp LDAP attribute, which you can query directly in the directory.
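One way to act on the stored timestamps, as an added example that is not part of the manual or of univention_lastbind.py: a Python check that flags accounts whose univentionAuthTimestamp is older than a threshold, and also flags accounts that have no timestamp at all. The entries are a constructed sample of what an LDAP search for uid and univentionAuthTimestamp would return; the value format is assumed to be LDAP GeneralizedTime in UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what an LDAP search for uid and univentionAuthTimestamp
# might return.  Assumption: values are LDAP GeneralizedTime in UTC
# (YYYYMMDDHHMMSSZ), the format the lastbind overlay uses for authTimestamp.
SAMPLE_ENTRIES = [
    {"uid": "alice", "univentionAuthTimestamp": "20240301073012Z"},
    {"uid": "bob", "univentionAuthTimestamp": "20231001120000Z"},
    {"uid": "svc-backup"},                                 # no timestamp stored
    {"uid": "carol", "univentionAuthTimestamp": "bogus"},  # corrupt value
]
# Constructed "as of" time so the run is reproducible; pass now=None in practice.
REFERENCE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime string; return None if missing or malformed."""
    try:
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def find_inactive(entries, max_idle_days, now=None):
    """Return {uid: reason} for accounts with no bind in the last max_idle_days.
    reason is the last bind's ISO date, "never" if no timestamp is stored (no
    bind since activation, or the collection script has not run yet) or
    "unparseable" for a corrupt value; both are reported, not skipped.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    inactive = {}
    for entry in entries:
        uid = entry["uid"]
        raw = entry.get("univentionAuthTimestamp")
        if raw is None:
            inactive[uid] = "never"
            continue
        last_bind = parse_generalized_time(raw)
        if last_bind is None:
            inactive[uid] = "unparseable"
        elif last_bind < cutoff:
            inactive[uid] = last_bind.date().isoformat()
    return inactive


if __name__ == "__main__":
    for uid, reason in sorted(find_inactive(SAMPLE_ENTRIES, 90, REFERENCE_NOW).items()):
        print(f"{uid}: {reason}")
```

Because the lastbind extended attribute is only as current as the last run of univention_lastbind.py, keep the threshold well above the interval of the cron job that runs the script.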

6.7.3. Schedule automatic updates

To keep the lastbind extended attribute up to date, create a cron job using UCR as shown in Listing 6.16.

For more information, see Defining cron jobs in Univention Configuration Registry in Univention Corporate Server - Manual for users and administrators [3].

Listing 6.16 Create cron job to regularly update the lastbind extended attribute
$ ucr set cron/update_lastbind_attribute/command='/usr/share/univention-ldap/univention_lastbind.py --allusers' \
  cron/update_lastbind_attribute/time='00 06 * * *'
# daily at 06:00