HI. For PCI DSS compliance I need to be able to disable users not logged in for X amount of days (I think its 90). I was going to create a script which checks last login time (I have a similar one for expired passwords), however I cannot find a way of doing so.. I have searched for info and found I should be able to get the info from the krbLastSuccessfulAuth value using # ipa user-find --all --raw But that field is not there. Also seen I can use # ipa user-status user But the value always shows ' Last successful authentication: N/A' Also seen using ldapsearch # ldapsearch -x -D "cn=Directory Manager" -W uid=serviceuser And the value is also missing. Reading about this is seems the value is cancelled when using replicas - is that right ? How can I perform what I need to - i.e how to check last login time for a user from the IPA servers (not on a per ipa client basis) ? Or is there a different way to disable in-active users ?