Skip to content
Permalink
Browse files

Merge branch 'drybjed-slapd-lastbind-overlay'

  • Loading branch information...
drybjed committed Oct 1, 2019
2 parents 6f956f2 + 3bb4f5e commit b7fb5fbfe71749e7f3c281b2ab166fab1b770d30
@@ -84,6 +84,11 @@ LDAP
:ref:`debops.saslauthd` Ansible role. Both humans and machines can
authenticate to the OpenLDAP directory using their respective LDAP objects.

- The :ref:`lastbind overlay <slapd__ref_lastbind_overlay>` will be enabled by
default. This overlay records the timestamp of the last successful bind
operation of a given LDAP object, which can be used to, for example, check
the date of the last successful login of a given user account.

:ref:`debops.unbound` role
''''''''''''''''''''''''''

@@ -387,6 +387,7 @@ slapd__default_tasks:
- '{6}auditlog'
- '{7}constraint'
- '{8}back_monitor'
- '{9}lastbind'
ordered: True

- name: 'Enable Sync Provider overlay in the cn=config database'
@@ -437,6 +438,12 @@ slapd__default_tasks:
attributes:
olcOverlay: '{6}constraint'

- name: 'Enable LastBind overlay in the main database'
dn: 'olcOverlay={7}lastbind,olcDatabase={1}mdb,cn=config'
objectClass: [ 'olcOverlayConfig', 'olcLastBindConfig' ]
attributes:
olcOverlay: '{7}lastbind'

- name: 'Configure Password Policy overlay in the main database'
dn: 'olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config'
attributes:
@@ -495,6 +502,12 @@ slapd__default_tasks:
- 'macAddress regex ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$'
state: 'exact'

- name: 'Configure LastBind overlay in the main database'
dn: 'olcOverlay={7}lastbind,olcDatabase={1}mdb,cn=config'
attributes:
olcLastBindPrecision: '{{ (60 * 60 * 24) }}'
state: 'exact'

- name: 'Configure the OpenLDAP server log level'
dn: 'cn=config'
attributes:
@@ -36,6 +36,8 @@ Directory structure

- ``{8}back_monitor``

- ``{9}lastbind``

- :ref:`cn=schema <slapd__ref_ldap_schemas>`

- :ref:`core.schema <slapd__ref_initial_schemas>`
@@ -78,6 +80,8 @@ Directory structure

- :ref:`olcOverlay={6}constraint <slapd__ref_constraint_overlay>`

- :ref:`olcOverlay={7}lastbind <slapd__ref_lastbind_overlay>`

- :envvar:`olcAccess <slapd__acl_tasks>` (:ref:`documentation <slapd__ref_acl>`)

- ``olcDatabase={2}monitor``
@@ -133,3 +133,25 @@ attributes, for example number of possible values, size or format.
.. __: https://www.openldap.org/doc/admin24/overlays.html#Constraints

Manual page: :man:`slapo-constraint(5)`


.. _slapd__ref_lastbind_overlay:

LastBind overlay
----------------

The ``lastbind`` overlay and the corresponding OpenLDAP module can be used to
maintain information about last login time of a LDAP account, similar to the
`lastLogon`__ functionality from Active Directory. The primary purpose
of the ``lastbind`` overlay is detection of inactive user accounts; it
shouldn't be relied on for real-time login tracking.

.. __: https://ldapwiki.com/wiki/LastLogon

The time of the last successful authenticated bind operation of a given LDAP
object is stored in the ``authTimestamp`` operational attribute (not
replicated, not visible in normal queries, has to be specifically requested).
By default the timestamp is updated once a day to avoid performance issues in
larger environments.

Manual page: :man:`slapo-lastbind(5)`

0 comments on commit b7fb5fb

Please sign in to comment.
You can’t perform that action at this time.