User Login Time (thread in the Sun Solaris Administration forum, Solaris Operating System category)

Hello,

I'm using the Sun ONE Directory Server 5.2. Is there any plugin which stores the last logon time of the user?

I would like to check every week automatically which account hasn't been used for the last 6 months. Does anyone have a similar problem or already a solution?

Kind regards,
Johannes

In article <c75ere$730$1@newssrv.muc.infineon.com>, "Gruber Johannes \(IFAT IT OS CS External\)" "<Gruber.External@infineon.com> wrote:

> Hello,
>
> I'm using the Sun ONE Directory Server 5.2. Is there any plugin which
> stores the last logon time of the user?
>
> I would like to check every week automatically which account hasn't been
> used for the last 6 months. Does anyone have a similar problem or already a
> solution?
>
> Kind regards,
> Johannes

There's /var/adm/lastlogin or something thereabouts but no PAM that writes the last login time into LDAP, AFAIK.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

"Michael Vilain <vilain@spamcop.net>" wrote:

> In article <c75ere$730$1@newssrv.muc.infineon.com>,
> "Gruber Johannes \(IFAT IT OS CS External\)"
> "<Gruber.External@infineon.com> wrote:
>
>> Hello,
>>
>> I'm using the Sun ONE Directory Server 5.2. Is there any plugin which
>> stores the last logon time of the user?
>>
>> I would like to check every week automatically which account hasn't been
>> used for the last 6 months. Does anyone have a similar problem or already a
>> solution?
>>
>> Kind regards,
>> Johannes
>
> There's /var/adm/lastlogin or something thereabouts but no PAM that
> writes the last login time into LDAP, AFAIK.

There are also all kinds of (security) issues with writing information back into the LDAP server. Take the last login time as an example:

If you write this into the LDAP server with the identity/authority of the user (like Solaris does for password changes), the user can change this information himself. So he can also do this without using Solaris (with a shell script and ldapmodify, for instance). Great action to take every month (cron!), so that the sysadmin will never notice you don't actually log on that often....

If you write this into the LDAP server with the identity/authority of the proxy-agent user belonging to the Solaris system, you effectively give root on every Solaris system write access to this user-account expiration information. The password of the proxy-agent user is stored with a two-way hash algorithm in /var/ldap/ldap_client_cred. Reversing this algorithm cannot be that hard: the code is already on every LDAP-enabled Solaris system. How else are they (the LDAP libraries) supposed to bind to the LDAP server with a cleartext password? (Or I have missed something clever here, which is possible; then please explain.)

How I solved this at my work is to expire the users that haven't logged in for the last 6 months with the Sun ONE Directory Server's password expiration period. Mind you, this is Solaris 8 with patch > 108993-25 and Sun ONE Directory Server 5.2. Using this patch means that the Solaris login code can't bind to the LDAP server when the password is expired. So the Sun ONE Directory Server password-expiration period effectively becomes the Solaris user's inactivity lockout period. (Of course you'll have to take action, make scripts or whatever, to make sure legitimate and active users change their password well before the Sun ONE Directory Server password really expires...)

All this has been mentioned to Sun, but they'll only fix it in future releases.... (This is for a setup designed for over 250 Solaris 8 systems and over 250 AIX 4.3/5.2 systems....)

If you think these not-yet-implemented features of the Solaris 8 & patch > 108993-25 PAM_LDAP and NSS_LDAP libraries are bad, wait until you test/use AIX 5.2 and especially AIX 4.3. They store the password of the proxy-agent user in clear text in a file (only readable by root, of course). And on top of that they use the proxy-agent and this password to update the AIX user's password in the LDAP server when you type 'passwd'. So giving someone root's password on one LDAP-connected AIX machine effectively gives that person access to all the passwords of users administered in your LDAP server. Allowing people administered in the LDAP server to change their password with the AIX passwd command becomes a big no-no this way (IMHO). And then AIX 4.3 uses its own (IBM-invented) schema, but I'm drifting too far off-topic here....

HTH,
Erik.

--
Erik C.J. Laan                                       elaan at dds.nl
Please reply below the message, please cut irrelevant pieces from a reply.

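Johannes asked for a weekly "unused for 6 months" check and Erik pointed out that a last-login attribute the user can write himself is worthless (cron plus ldapmodify). The following is an added example serving both points; it is not code from the thread or from any of the posters. It assumes a hypothetical `lastLoginTime` attribute in LDAP GeneralizedTime on posixAccount entries under a made-up base ou=People,dc=example,dc=com, written by something outside this script, and it works on the LDIF that ldapsearch prints rather than talking to a server, so the sample LDIF below is constructed. It uses the modifiersName operational attribute to flag entries that the account last wrote itself; that is only a heuristic, because modifiersName records the last writer of the whole entry, not of that one attribute, so a later admin change hides a forged timestamp and a self-service password change produces a false positive.

```python
"""Weekly inactive-account report from ldapsearch LDIF output.

Added example, not from the thread. Assumptions (all hypothetical):
  - accounts are posixAccount entries under ou=People,dc=example,dc=com;
  - the last logon is stored in a `lastLoginTime` attribute as LDAP
    GeneralizedTime (YYYYMMDDHHMMSSZ) by something outside this script;
  - the search also requested the operational attribute modifiersName, e.g.
    ldapsearch -h ldap -b "ou=People,dc=example,dc=com"
        "(objectClass=posixAccount)" uid lastLoginTime modifiersName
"""
import base64
import datetime
import re

INACTIVE_AFTER = datetime.timedelta(days=182)   # roughly six months
REPORT_DATE = datetime.datetime(2004, 5, 10)     # fixed "now" for the sample

# Constructed sample output; mallory's entry was last written by mallory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
lastLoginTime: 20040420083000Z
modifiersName: cn=Directory Manager

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
lastLoginTime: 20030901120000Z
modifiersName: cn=Directory Manager

dn: uid=mallory,ou=People,dc=example,dc=com
uid: mallory
lastLoginTime: 20040501000000Z
modifiersName: uid=mallory, ou=People, dc=example, dc=com

dn: uid=newguy,ou=People,dc=example,dc=com
uid: newguy
modifiersName: cn=Directory Manager
"""


def parse_ldif(text):
    """Minimal LDIF reader -> list of {attr_lowercase: [values]}.
    Unfolds continuation lines, decodes `attr:: base64` values, skips
    comments and the version header. Enough for ldapsearch output."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith(("#", "version:")):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """YYYYMMDDHHMMSSZ -> datetime, or None if the value is not usable.
    Fractional seconds and UTC offsets are deliberately rejected."""
    m = re.fullmatch(r"(\d{14})Z", value)
    return datetime.datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def normalize_dn(dn):
    """Cheap DN comparison key: lowercase, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def inactive_accounts(ldif_text, now, cutoff=INACTIVE_AFTER, attr="lastlogintime"):
    """Return (uid, reason) pairs for accounts that need review.
    'self-modified': entry last written by the account itself, so the
                     timestamp cannot be trusted whatever it says
                     (heuristic: modifiersName covers the whole entry).
    'never':         no parseable timestamp at all.
    'stale':         timestamp older than the cutoff."""
    findings = []
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", ["?"])[0]
        dn = e.get("dn", [""])[0]
        modifier = e.get("modifiersname", [""])[0]
        if modifier and normalize_dn(modifier) == normalize_dn(dn):
            findings.append((uid, "self-modified"))
            continue
        values = e.get(attr, [])
        ts = parse_generalized_time(values[0]) if values else None
        if ts is None:
            findings.append((uid, "never"))
        elif now - ts > cutoff:
            findings.append((uid, "stale"))
    return findings


if __name__ == "__main__":
    for uid, reason in inactive_accounts(SAMPLE_LDIF, REPORT_DATE):
        print(f"{uid:12} {reason}")
```

Run it from cron once a week with `ldapsearch ... | python3 report.py` style plumbing and feed the output to whoever disables accounts; the "self-modified" rows are the ones Erik's cron trick would produce, and they deserve a look even when the timestamp is recent. Accounts with no timestamp at all are reported as "never" rather than silently skipped, since a brand-new account that was never used is exactly what an inactivity review should catch.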