Sunday, August 19, 2018

[389-users] Re: Password Policies and lastLoginTime

On Thu, 2018-08-16 at 11:11 -0400, Harvey, Robert wrote:
>
> Is it possible to turn on recording of users Last Login times in
> selected OUs without turning on alwaysRecordLogin in
> cn=config,cn=Account Policy Plugin,cn=plugins,cn=config?

I think there is a way to provide a password policy to only a single
OU, but I cannot remember if this includes the alwaysRecordLogin or
not. I suspect that it does not, because acct policy is a plugin and
pwpolicy is core server ....


>
>
> I'm using ds389 to service SSSD CentOS and RHEL (6 and 7) clients and
> some Solaris 10 and 11 clients.
>
> Currently with about 80 client systems. With 10 masters and with
> alwaysrecordlogin set to ON, with 2 replication agreements outbound
> from each of the ds389 servers, the replication could barely keep up
> and sometimes has to wait for 10 minutes or more to be able to access a
> replication destination.
>
> There were far too many updates for the replication to handle just
> from these few client systems' last login times. Each ds389 server is
> a bare-metal install on an X4-2 server running CentOS 7.
>
> I need to track the users' (humans') last login times. I do not need
> (and I don't see that it is possible) to track the last login times
> of all the machine accounts. I had to turn off the alwaysRecordLogin.

It's tricky to know if this is a bug. LDAP is not a "write focused"
system, and having a write after every bind is going to really cause a
lot of replication, as you indicate. And as efficient as our replication
is, the reality is that large writes still take time.

It could be possible to change the alwaysRecordLogin to be async and to
do batch writes outside of the normal bind path, which would probably
at least speed up the bind/search paths, but I'm not sure it would help
in the replication. I'd need to think about it.

At the least, I think we need better solutions around recording logins
for audits, because this isn't the first time we've seen this issue come
up. This is especially true for read-only replicas and how they feed
back login events (or failures).

Would it be possible for you to open an issue for this so we can look
into it?

>
> Thanks,
> Bob Harvey
>
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to
> 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/YGEHYZTQ4KAEHEMNLKEM224CS7KGUU2W/
--
Sincerely,

William
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org/message/C3KSKQWI52ZVINO3JYOEGKSF7K5FXVB5/
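An added example, not code from the thread or from the 389-ds project: audit the Account Policy Plugin entry the question refers to (exported as LDIF) for the global alwaysRecordLogin setting that turns every bind into a replicated write, and build the ldapmodify LDIF that switches it off as the original poster did. The sample entry is constructed; attribute names (alwaysrecordlogin, stateattrname) follow the plugin's documented configuration, and the yes/no values are assumed from that documentation.

```python
# Constructed sample of what a base-scope ldapsearch of the plugin entry
# might return on a server where every successful bind records lastLoginTime.
PLUGIN_DN = "cn=config,cn=Account Policy Plugin,cn=plugins,cn=config"
SAMPLE_LDIF = """\
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
alwaysrecordlogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attr_lower: [values]}.
    Unfolds continuation lines (leading space) and skips '#' comments;
    base64 ('::') values are not decoded, which is fine for this entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def audit_account_policy(ldif_text):
    """Report whether each bind will write a timestamp to the bound entry
    (and so generate one update per bind on every replication agreement)."""
    e = parse_ldif_entry(ldif_text)
    flag = e.get("alwaysrecordlogin", ["no"])[0].lower()
    return {
        "dn": e.get("dn", [""])[0],
        "write_per_bind": flag in ("yes", "on", "true"),
        "state_attr": e.get("stateattrname", [""])[0],
    }


def disable_always_record_login_ldif(dn=PLUGIN_DN):
    """LDIF for ldapmodify that turns the per-bind write off globally.
    Plugin configuration is normally read at server start, so plan a restart."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "replace: alwaysrecordlogin\nalwaysrecordlogin: no\n")
```

Run the audit against each master in a topology like the one described (10 masters, 2 agreements each) before enabling the setting, since the write load it adds scales with binds times agreements.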
