Chapter 7. Tracking the last login time without setting a lockout policy
You can use the Account Policy plug-in to track user login times without setting an expiration time or inactivity period. In this case, the plug-in adds the lastLoginTime attribute to user entries.
7.1. Configuring the Account Policy plug-in to record the last login time
Follow this procedure to record the last login time of users in the lastLoginTime attribute of user entries.
Procedure
Enable the Account Policy plug-in:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable
Create the plug-in configuration entry to record login times:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime
This command uses the following options:
- --always-record-login yes: Enables logging of the login time.
- --state-attr lastLoginTime: Configures that the Account Policy plug-in stores the last login time in the lastLoginTime attribute of users.
Restart the instance:
# dsctl instance_name restart
Verification
Log in to Directory Server as a user. For example, run a search:
# ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"
Display the lastLoginTime attribute of the user you used in the previous step:
# ldapsearch -H ldap://server.example.com -x -D "cn=Directory Manager" -W -b "uid=example,ou=people,dc=example,dc=com" lastLoginTime
...
dn: uid=example,ou=People,dc=example,dc=com
lastLoginTime: 20210913091435Z
If the lastLoginTime attribute exists and Directory Server updated its value, recording of the last login time works.
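Because no lockout policy acts on the recorded value, reviewing it is left to the administrator. The following added example (not part of the original documentation or of Directory Server) reads ldapsearch LDIF output and lists entries whose lastLoginTime is older than a given number of days, as well as entries that have no lastLoginTime at all. The names stale_logins and sample_ldif are hypothetical, and the script assumes unwrapped LDIF (ldapsearch -LLL -o ldif-wrap=no) and the YYYYMMDDhhmmssZ value form shown above; any other form is reported as BADTIME.

```shell
#!/bin/sh
# Added example; stale_logins and sample_ldif are hypothetical helper names.
# Usage: ldapsearch -LLL -o ldif-wrap=no ... lastLoginTime | stale_logins DAYS NOW_EPOCH
# Prints tab-separated lines: STALE <age_days> <dn>, NEVER - <dn>, BADTIME <value> <dn>.
stale_logins() {
    awk -v max_days="$1" -v now="$2" '
    # Convert GeneralizedTime (YYYYMMDDhhmmssZ, UTC) to epoch seconds; -1 if malformed.
    function gt_to_epoch(t,    y, m, d, era, yoe, doy, doe, secs) {
        if (length(t) != 15 || substr(t, 15) != "Z" || substr(t, 1, 14) !~ /^[0-9]+$/)
            return -1
        y = substr(t, 1, 4) + 0; m = substr(t, 5, 2) + 0; d = substr(t, 7, 2) + 0
        if (m <= 2) y--                      # count the year from 1 March
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        secs = substr(t, 9, 2) * 3600 + substr(t, 11, 2) * 60 + substr(t, 13, 2)
        return (era * 146097 + doe - 719468) * 86400 + secs
    }
    # Report the entry collected so far, then reset the per-entry state.
    function emit(    e, age) {
        if (dn == "") return
        if (!seen) printf "NEVER\t-\t%s\n", dn
        else if ((e = gt_to_epoch(t)) < 0) printf "BADTIME\t%s\t%s\n", t, dn
        else {
            age = int((now - e) / 86400)
            if (age > max_days) printf "STALE\t%d\t%s\n", age, dn
        }
        dn = ""; t = ""; seen = 0
    }
    /^dn: /                          { emit(); dn = substr($0, 5); next }
    tolower($0) ~ /^lastlogintime: / { t = substr($0, 16); seen = 1; next }
    /^$/                             { emit() }
    END                              { emit() }
    '
}

# Constructed sample LDIF (not real directory data).
sample_ldif() {
    printf '%s\n' \
        'dn: uid=example,ou=People,dc=example,dc=com' \
        'lastLoginTime: 20210913091435Z' '' \
        'dn: uid=recent,ou=People,dc=example,dc=com' \
        'lastLoginTime: 20211220120000Z' '' \
        'dn: uid=never,ou=People,dc=example,dc=com'
}

# 1640995200 is 2022-01-01T00:00:00Z; in production pass "$(date +%s)" instead.
sample_ldif | stale_logins 90 1640995200
```

An entry reported as NEVER has not logged in since recording was enabled, which is distinct from an entry with an old timestamp.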