You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 975217
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
::Request For Enhancement::
If the account policy plugin is activated and set to lockout users after x days
of inactivity, preexisting users will not be able to login if the
"altstateattrname" is set to "createTimestamp" as described in the DS9 admin
guide (section 14.5).
A request has been made by a customer to automatically apply a "lastLoginTime" to existing users in the directory upon plugin activation.
Here is the scenario:
1) Directory exists with many users whom do *not* have a "lastLoginTime"
attribute
2) Some accounts never actually login using their ldap credentials
3) Company policy dictates that inactive accounts get locked out after 90 days
4) Account policy is then activated to lockout accounts after 90 days
Results of activation:
1) If "createTimestamp" is used as an alternative attribute for inactivity
lockout, all existing users will be locked out immediately.
2) If "createTimestamp" is _not_ used as an alternative attribute for
inactivity lockouit, all existing users will be able to login once (for free)
after which "lastLoginTime" will be captured and set
2a) This means that the users that do not ever log in, will be violating the
mandated password policy, as their "free" login will never be used.
Workarounds:
1) Run a script to set the "lastLoginTime" on all users prior to activating the
lockout policy
2) Activate the policy without letting createTimestamp be the fallback
attribute, and add the fallback attribute in the inactivation policy after the
first 90 days have been reached (or whatever the lockout policy is).
The text was updated successfully, but these errors were encountered:
Instead of touching all entries to set a lastlogin time, could we store the activation time in the passwordpolicy entry and use this as fallbeack if lastlogintime or an alterante attr is not set ?
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47439
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 975217
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
The text was updated successfully, but these errors were encountered: