Score:1

How to disable inactive OpenLDAP accounts


Is there a means to disable OpenLDAP accounts that show no interaction for a given grace period? In particular, if a user has not logged in to her account for x days (no matter the means of authentication), can the account be disabled directly?

So far, I have only read about configurations that are a bit "hackish", forcing the user to change the password during said grace period and then setting pwdGraceAuthnLimit to 0 (see https://www.openldap.org/lists/openldap-software/200803/msg00142.html).

However, this is not exactly what I would like to achieve, i.e. the hack to enforce a password reset is not what I want.

Thanks!

Score:1

By default OpenLDAP does not record a last logon, nor AFAIK any similar data that you can use/abuse to find inactive accounts.

But you can extend OpenLDAP with the lastbind overlay and then it will provide an authTimestamp attribute:

The lastbind overlay to slapd(8) allows recording the timestamp of the last successful bind to entries in the directory, in the authTimestamp attribute. The overlay can be configured to update this timestamp only if it is older than a given value, thus avoiding large numbers of write operations penalizing performance. One sample use for this overlay would be to detect unused accounts.

Install the overlay, edit slapd.conf and restart OpenLDAP:

    # ETCDIR/slapd.conf
    # ...
    overlay lastbind
    lastbind-precision 68400

IIRC there are some caveats; for example, the authTimestamp attribute appears to be specific to a particular OpenLDAP server and is excluded from replication. Any reports will then need to query all your OpenLDAP servers to find the most recent last logon date.


Once enabled, you will need to create a script that finds accounts whose authTimestamp is older than your idea of "too long ago since the last successful logon" and lock them.
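An added example (not part of the original answer) of the kind of script the answer ends with: it parses ldapsearch-style LDIF output for authTimestamp from each server, keeps the most recent value per entry because the attribute is not replicated, reports entries that have never bound separately instead of locking them blindly, and emits LDIF that sets ppolicy's pwdAccountLockedTime to its permanent-lock value. It assumes the ppolicy overlay is loaded; the server names, DNs and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample of `ldapsearch -LLL ... authTimestamp` output from two replicas;
# authTimestamp is per-server so values differ, and carol has never bound since enabling.
SERVER_OUTPUTS = {
    "ldap1": "dn: uid=alice,ou=people,dc=example,dc=com\nauthTimestamp: 20240601120000Z\n\n"
             "dn: uid=bob,ou=people,dc=example,dc=com\nauthTimestamp: 20231201080000Z\n\n"
             "dn: uid=carol,ou=people,dc=example,dc=com\n",
    "ldap2": "dn: uid=alice,ou=people,dc=example,dc=com\nauthTimestamp: 20240301120000Z\n\n"
             "dn: uid=bob,ou=people,dc=example,dc=com\nauthTimestamp: 20240520090000Z\n\n"
             "dn: uid=carol,ou=people,dc=example,dc=com\n",
}
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible
PERMANENT_LOCK = "000001010000Z"                  # ppolicy's permanent-lock value for pwdAccountLockedTime

def parse_ldif(text):
    """Map dn -> authTimestamp (UTC datetime), or None if the entry has no such attribute."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries[dn] = None
        elif line.startswith("authTimestamp: ") and dn:
            raw = line.split(": ", 1)[1].strip()  # GeneralizedTime, e.g. 20240601120000Z
            entries[dn] = datetime.strptime(raw, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return entries

def merge_latest(outputs):
    """Keep the most recent authTimestamp per dn across every server queried."""
    latest = {}
    for text in outputs.values():
        for dn, ts in parse_ldif(text).items():
            cur = latest.get(dn)
            if cur is None or (ts is not None and ts > cur):
                latest[dn] = ts
    return latest

def stale_accounts(outputs, max_idle_days, now=NOW):
    """DNs whose last successful bind on any server is older than max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(dn for dn, ts in merge_latest(outputs).items() if ts is not None and ts < cutoff)

def never_bound(outputs):
    """DNs with no authTimestamp anywhere: review by hand rather than lock automatically."""
    return sorted(dn for dn, ts in merge_latest(outputs).items() if ts is None)

def lock_ldif(dns):
    """LDIF for `ldapmodify` that permanently locks each dn via ppolicy."""
    return "".join(f"dn: {dn}\nchangetype: modify\nreplace: pwdAccountLockedTime\n"
                   f"pwdAccountLockedTime: {PERMANENT_LOCK}\n\n" for dn in dns)
```

Feed the output of `lock_ldif(stale_accounts(...))` to `ldapmodify` with an account that may write pwdAccountLockedTime; querying only one replica (as the single-server case below shows) would wrongly flag bob.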
