Chapter 7. Tracking the last login time without setting a lockout policy

You can use the Account Policy plug-in to track user login times without setting an expiration time or inactivity period. In this case, the plug-in adds the lastLoginTime attribute to user entries.

7.1. Configuring the Account Policy plug-in to record the last login time

Follow this procedure to record the last login time of users in the lastLoginTime attribute of user entries.

Procedure

  1. Enable the Account Policy plug-in:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy enable

  2. Create the plug-in configuration entry to record login times:

    # dsconf -D "cn=Directory Manager" ldap://server.example.com plugin account-policy config-entry set "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config" --always-record-login yes --state-attr lastLoginTime

    This command uses the following options:

    • --always-record-login yes: Enables recording of the login time.
    • --state-attr lastLoginTime: Configures the Account Policy plug-in to store the last login time in the lastLoginTime attribute of user entries.

  3. Restart the instance:

    # dsctl instance_name restart

Verification

  1. Log in to Directory Server as a user. For example, run a search:

    # ldapsearch -H ldap://server.example.com -x -D "uid=example,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com"

  2. Display the lastLoginTime attribute of the user you used in the previous step:

    # ldapsearch -H ldap://server.example.com -x -D "cn=Directory Manager" -W -b "uid=example,ou=people,dc=example,dc=com" lastLoginTime
    ...
    dn: uid=example,ou=People,dc=example,dc=com
    lastLoginTime: 20210913091435Z

    If the lastLoginTime attribute exists and Directory Server updated its value, recording of the last login time works.
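
Because no inactivity period is enforced in this setup, reviewing the recorded values is left to the administrator. The following Python script is an added example, not part of the original documentation: it goes one step beyond the verification above by parsing ldapsearch LDIF output and listing entries that have no lastLoginTime or whose value is older than a threshold. The sample LDIF, the additional user names, the 90-day threshold and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of ldapsearch LDIF output (not real data). The second
# entry has not bound since recording was enabled, so it has no lastLoginTime.
SAMPLE_LDIF = """\
dn: uid=example,ou=People,dc=example,dc=com
lastLoginTime: 20210913091435Z

dn: uid=dormant,ou=People,dc=example,dc=com

dn: uid=averyveryverylongusername,ou=People,dc=exam
 ple,dc=com
lastLoginTime: 20210601120000Z
"""

def parse_entries(ldif):
    """Return {dn: datetime or None} from ldapsearch LDIF output.

    Base64-encoded values (dn:: ...) are not handled in this example.
    """
    # LDIF folds long lines: a continuation line starts with a single space.
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")
    entries, dn = {}, None
    for line in unfolded.split("\n"):
        if line.startswith("#") or ":" not in line:
            continue  # comments, blank separators, "..." placeholders
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            entries[dn] = None
        elif attr == "lastlogintime" and dn is not None:
            # GeneralizedTime as shown in the verification: YYYYMMDDhhmmssZ (UTC).
            ts = datetime.strptime(value, "%Y%m%d%H%M%SZ")
            entries[dn] = ts.replace(tzinfo=timezone.utc)
    return entries

def stale_accounts(entries, now, max_idle_days):
    """Return (DNs without lastLoginTime, DNs idle longer than max_idle_days)."""
    cutoff = now - timedelta(days=max_idle_days)
    never = sorted(dn for dn, ts in entries.items() if ts is None)
    idle = sorted(dn for dn, ts in entries.items() if ts is not None and ts < cutoff)
    return never, idle

if __name__ == "__main__":
    now = datetime(2021, 9, 20, tzinfo=timezone.utc)  # fixed date for the sample
    never, idle = stale_accounts(parse_entries(SAMPLE_LDIF), now, 90)
    print("no lastLoginTime:", never)
    print("idle > 90 days:", idle)
```

An entry without lastLoginTime only means that no bind was recorded since the plug-in was configured, so compare such entries against the date recording was enabled before treating them as unused.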