Hi.
For PCI DSS compliance I need to be able to disable users not logged in for X amount of
days (I think it's 90).
I was going to create a script which checks last login time (I have a similar one for
expired passwords), however I cannot find a way of doing so.
I have searched for info and found I should be able to get the info from the
krbLastSuccessfulAuth value using
# ipa user-find --all --raw
But that field is not there.
Also seen I can use
# ipa user-status user
But the value always shows
' Last successful authentication: N/A'
Also seen using ldapsearch
# ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser
And the value is also missing.
Reading about this it seems the value is cancelled when using replicas - is that right?
How can I perform what I need to - i.e. how to check last login time for a user from the
IPA servers (not on a per ipa client basis)? Or is there a different way to disable
inactive users?
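
An added example, not part of the original post: one way to script the inactivity check once krbLastSuccessfulAuth is present in ldapsearch output. It merges the value from each IPA server queried, in case it differs between replicas, and reports users with no value separately instead of treating them as inactive. The LDIF samples, the example.test suffix and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed LDIF, as if from `ldapsearch ... -o ldif-wrap=no uid krbLastSuccessfulAuth` on two servers.
SERVER_A = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20240110083000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbLastSuccessfulAuth: 20240115120000Z

dn: uid=serviceuser,cn=users,cn=accounts,dc=example,dc=test
uid: serviceuser
"""
SERVER_B = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbLastSuccessfulAuth: 20240520090000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
"""

def parse_ldif(text):
    """Map uid -> last successful auth (UTC datetime), or None if the attribute is absent."""
    result = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in entry.splitlines() if ": " in line)
        stamp = attrs.get("krbLastSuccessfulAuth")
        result[attrs["uid"]] = (datetime.strptime(stamp, "%Y%m%d%H%M%SZ")
                                .replace(tzinfo=timezone.utc) if stamp else None)
    return result

def merge_latest(*per_server):
    """Keep the newest timestamp seen for each uid across all servers queried."""
    merged = {}
    for entries in per_server:
        for uid, when in entries.items():
            merged[uid] = max(filter(None, (merged.get(uid), when)), default=None)
    return merged

def classify(merged, now, max_days=90):
    """Return (stale, unknown): uids idle longer than max_days, and uids with no value at all."""
    cutoff = now - timedelta(days=max_days)
    stale = sorted(u for u, w in merged.items() if w and w < cutoff)
    unknown = sorted(u for u, w in merged.items() if w is None)
    return stale, unknown
```

The uids in the first list are the candidates for disabling; the second list needs a manual look, since a missing value does not show whether the account was ever used.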