On 03/03/2015 04:34 PM, Dmitri Pal wrote:
> On 03/03/2015 07:22 AM, Martin Kosek wrote:
>> On 03/03/2015 05:38 AM, Jason Prouty wrote:
>>>
>>> Is there a method to auto disable users who have logged in 90 days.
>>> I have a security requirement to auto disable users who have not logged in
>>> after 90 days.
>>>
>> There is no such facility implemented in vanilla FreeIPA. I think there was
>> another user request, but I could not find any Bugzilla or Trac ticket.
>>
>> I see 3 options for how to do what you propose:
>>
>> 1) Implement a cron script that will LDAP search for such users and disable
>> them when the account is inactive for too long (based on
>> krblastsuccessfulauth).
>
> Yes, this is probably the most recommended approach.
> You do an ldap search on all the accounts that have krblastsuccessfulauth more
> than 90 days ago and then disable them one by one.
> Should be a very simple script to write.
Yup, I just did a very simple test, to prove the point:

1) I have 2 users, with different successful last auth:

# ipa user-find --all --raw | grep -iE "(dn:|krbLastSuccessfulAuth)"
dn: uid=admin,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150303155003Z
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z

2) Now I search for active users that did not log in after March 1st:

# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21" "(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

3) I disable such user:

# ipa user-disable fbar
----------------------------
Disabled user account "fbar"
----------------------------

4) Next search:

# ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=f21" "(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))" dn krbLastSuccessfulAuth nsaccountlock
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<=20150301000000Z))
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#

# search result
search: 4
result: 0 Success

# numResponses: 1

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
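The cron script sketched in this thread (search for active accounts whose krbLastSuccessfulAuth is older than the cutoff, then disable each one) can be prototyped offline. The following is an added example, not code from the thread or from the FreeIPA project: it builds the same filter Martin used from a "now minus N days" cutoff, parses ldapsearch-style LDIF output with a deliberately minimal parser, and produces the list of `ipa user-disable` commands as a dry run. The LDIF sample is constructed for this example; the admin and fbar entries mirror the ones in the thread, while `newhire` and `olduser` are invented. It also surfaces the caveat the `<=` filter hides: an account that has never authenticated carries no krbLastSuccessfulAuth at all, so the filter never matches it and a script based on the filter alone leaves such accounts active. The same applies on deployments where last-success tracking has been turned off in the IPA config (the attribute then simply stops being updated), so a production script should check that setting before trusting the attribute.

```python
"""Dry-run selection of stale FreeIPA accounts (added example, not project code).

Mirrors the thread's approach: search active accounts whose last successful
Kerberos auth is at or before a cutoff, then disable them one by one.
"""
from datetime import datetime, timedelta

# LDAP GeneralizedTime layout used by krbLastSuccessfulAuth, e.g. 20150223114040Z
GT_FMT = "%Y%m%d%H%M%SZ"


def cutoff_timestamp(now, max_idle_days=90):
    """GeneralizedTime string for `now` minus `max_idle_days`."""
    return (now - timedelta(days=max_idle_days)).strftime(GT_FMT)


def stale_user_filter(cutoff):
    """Same shape as the filter Martin ran: active accounts, last auth <= cutoff."""
    return f"(&(!(nsaccountlock=TRUE))(krbLastSuccessfulAuth<={cutoff}))"


def parse_ldif(text):
    """Minimal LDIF reader for ldapsearch output.

    Returns a list of dicts keyed by lower-cased attribute name (values are
    lists). Comment lines are skipped and blocks without a dn (the trailing
    'search result' block) are dropped. Base64 ('::') values and folded
    continuation lines are not handled; fine for this demo, not for real data.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends an entry
            if current.get("dn"):
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current.get("dn"):
        entries.append(current)
    return entries


def select_stale(entries, cutoff):
    """Apply the filter semantics in Python.

    Returns (to_disable, never_authenticated). Accounts with no
    krbLastSuccessfulAuth are reported separately because the LDAP '<='
    filter can never match an absent attribute.
    """
    to_disable, never = [], []
    for e in entries:
        if any(v.upper() == "TRUE" for v in e.get("nsaccountlock", [])):
            continue                       # already disabled
        last = e.get("krblastsuccessfulauth")
        if not last:
            never.append(e["dn"][0])
        elif last[0] <= cutoff:            # fixed-width GeneralizedTime sorts lexically
            to_disable.append(e["dn"][0])
    return to_disable, never


def disable_commands(dns):
    """Turn 'uid=...' DNs into the `ipa user-disable` commands a cron job would run."""
    cmds = []
    for dn in dns:
        first_rdn = dn.split(",", 1)[0]
        attr, _, uid = first_rdn.partition("=")
        if attr.lower() == "uid" and uid:
            cmds.append(f"ipa user-disable {uid}")
    return cmds


# Constructed sample in ldapsearch's LDIF format; admin and fbar match the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=person)
# requesting: dn krbLastSuccessfulAuth nsaccountlock
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150303155003Z

# fbar, users, accounts, f21
dn: uid=fbar,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20150223114040Z

# newhire, users, accounts, f21   (constructed: never logged in, no attribute)
dn: uid=newhire,cn=users,cn=accounts,dc=f21

# olduser, users, accounts, f21   (constructed: stale but already disabled)
dn: uid=olduser,cn=users,cn=accounts,dc=f21
krbLastSuccessfulAuth: 20141101090000Z
nsaccountlock: TRUE

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
"""


def dry_run(ldif_text, cutoff):
    """Full pipeline: parse, select, and return (commands, never_authenticated)."""
    stale, never = select_stale(parse_ldif(ldif_text), cutoff)
    return disable_commands(stale), never


if __name__ == "__main__":
    cutoff = cutoff_timestamp(datetime(2015, 3, 3, 16, 0, 0), 90)
    print("filter:", stale_user_filter(cutoff))
    cmds, never = dry_run(SAMPLE_LDIF, "20150301000000Z")  # the thread's March 1st cutoff
    print("would run:", cmds)
    print("never authenticated (not matched by the filter):", never)
```

Run against a live server, the flow would be `ldapsearch ... "$(stale_user_filter ...)" dn | parse_ldif | disable_commands`, with the `never` list handled by a separate policy (for example, comparing against the account's creation time) rather than silently skipped.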
