Symas OpenLDAP Knowledge Base

Configure LastBind

Why record the date of last authentication? Could the overlay be used to verify that employees are actually connecting to the system and working? It could, but its real benefit (and practical purpose) is to identify obsolete accounts: entries that still exist but have not been used to authenticate for several months, and that should be disabled or removed before someone else finds a use for them.

Availability

The lastbind overlay was not included in Symas OpenLDAP Gold or Silver prior to 2.4.40.1. Install that version or newer to take advantage of this overlay.

Update slapd.conf

Add the following to the Modules portion of the global section of slapd.conf on Producer servers:

    vi /opt/symas/etc/openldap/slapd.conf 
    moduleload        lastbind.la

Add the following to the overlays for the MDB database section of slapd.conf on Producer servers:

    overlay lastbind
    lastbind-precision 60

NOTE: lastbind-precision is optional. Its value is in seconds and it throttles writes: on a successful bind the overlay rewrites authTimestamp only if the stored value is at least that many seconds old, so with 60 a user (or an application account) that binds every few seconds causes at most one write per minute. Without it every bind is recorded, and on a busy directory each of those writes is also a replication event.

Restart solserver (slapd)

    sudo service solserver restart 

For slapd.d, update cn=config

Add the following olcModuleLoad to the cn=module{0},cn=config entry on Producer servers (the index in braces can differ between installations; confirm it with ldapsearch -b cn=config '(objectClass=olcModuleList)'). The LDIF is fed to ldapmodify on standard input:

    ldapmodify -x -H ldap://<producer FQDN> -D cn=config -w config <<'EOF'
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: lastbind.la
    EOF

Here -w config passes the cn=config rootpw on the command line, where it is visible in the process list and shell history; prefer -W to be prompted for it.

Add the following olcOverlay to olcDatabase={1}mdb,cn=config on Producer servers (again, the index in braces must match your database entry):

    ldapadd -x -H ldap://<producer FQDN> -D cn=config -W <<'EOF'
    dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
    objectClass: olcLastBindConfig
    objectClass: olcOverlayConfig
    objectClass: top
    olcOverlay: lastbind
    olcLastBindPrecision: 60
    EOF

No restart is needed for the cn=config route; the overlay is active as soon as the entry is added.

Database Content

Once the overlay is loaded (and, for slapd.conf, slapd restarted), every successful bind stores the time of that bind, as a GeneralizedTime in UTC, in the attribute authTimestamp of the entry that bound. Failed binds are not recorded. Because authTimestamp is an operational attribute, ldapsearch returns it only when it is requested by name or with the "+" shorthand.

For example:

    authtimestamp: 20120612073806Z

Being an operational attribute, authTimestamp cannot be added or changed by an ordinary modify, which is a problem for entries that existed before the overlay was enabled: they carry no value at all and are indistinguishable from accounts that never authenticated. Well, nothing is impossible. OpenLDAP implements the Relax Rules control, which allows an identity with manage privilege on the attribute (the database rootdn, for example) to perform administrative operations on the data, such as changing operational attributes. Use it to seed a plausible value, for instance the migration date, so the stale-account cut-off below applies uniformly.

Create an LDIF

    vi /tmp/authtimestamp.ldif 
    dn: uid=Coudot,ou=users,dc=example,dc=com
    changetype: modify
    replace: authtimestamp
    authtimestamp: 20120511144318Z

Import the LDIF

    ldapmodify -x -H ldap://<producer FQDN> -D dc=example,dc=com -w secret -e '!relax' -f /tmp/authtimestamp.ldif

The leading "!" marks the control critical, so the modify fails outright instead of being applied without the control on a server that does not support it; quote it, because an interactive bash treats an unquoted "!relax" as a history expansion. The bind identity needs manage access to authTimestamp, which the rootdn has. As with cn=config above, -W avoids leaving the password in the process list and shell history.
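Putting the timestamps to their stated use, the following is an added example and not code from the Symas page or from OpenLDAP. It mirrors the lastbind-precision throttle described in the NOTE above, builds the search filter that finds accounts which are either older than a cut-off or have no authTimestamp at all, and classifies the entries of an ldapsearch -LLL result. The sample LDIF, the fixed "now", the 30-day threshold and the inetOrgPerson object class are constructed assumptions; the "<=" filter relies on authTimestamp's generalizedTimeOrderingMatch rule, which the schema that defines it provides.

```python
"""Audit authTimestamp values written by slapo-lastbind.

Added example, not part of the Symas knowledge base or of OpenLDAP.
Assumptions (not from the page): ldapsearch -LLL output as shown in
SAMPLE_LDIF, a fixed reference time NOW, a 30-day staleness threshold.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20120612073806Z


def parse_gt(value: str) -> datetime:
    """Parse a UTC, whole-second GeneralizedTime into an aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def fmt_gt(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def should_update(last: Optional[str], now: datetime, precision: int) -> bool:
    """Approximate the lastbind-precision throttle: authTimestamp is rewritten
    only when it is absent or at least `precision` seconds old. A precision
    of 0 therefore records every successful bind."""
    if last is None:
        return True
    return (now - parse_gt(last)).total_seconds() >= precision


def stale_filter(now: datetime, max_age_days: int,
                 base: str = "(objectClass=inetOrgPerson)") -> str:
    """Filter for obsolete accounts. Entries that never bound since the overlay
    was enabled carry no authTimestamp, so the absent case must be included."""
    cutoff = fmt_gt(now - timedelta(days=max_age_days))
    return f"(&{base}(|(authTimestamp<={cutoff})(!(authTimestamp=*))))"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader for ldapsearch -LLL output: one dict per entry, attribute
    names lower-cased, values as lists. Handles continuation lines (leading
    space) but not base64 (::) values, which authTimestamp never uses."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def classify(entries, now: datetime, max_age_days: int) -> Dict[str, str]:
    """Map each DN to 'active', 'stale' (older than the cut-off) or 'never'
    (no authTimestamp, i.e. no bind since the overlay was enabled or seeded)."""
    cutoff = now - timedelta(days=max_age_days)
    result = {}
    for e in entries:
        dn = e["dn"][0]
        ts = e.get("authtimestamp")
        if not ts:
            result[dn] = "never"
        elif parse_gt(ts[0]) < cutoff:
            result[dn] = "stale"
        else:
            result[dn] = "active"
    return result


# Constructed sample of what
#   ldapsearch -LLL -b ou=users,dc=example,dc=com '(objectClass=inetOrgPerson)' authTimestamp
# could return; the operational attribute has to be requested by name or with '+'.
SAMPLE_LDIF = """\
dn: uid=Coudot,ou=users,dc=example,dc=com
authTimestamp: 20120511144318Z

dn: uid=alice,ou=users,dc=example,dc=com
authTimestamp: 20120610090000Z

dn: uid=bob,ou=users,dc=example,dc=com
"""

NOW = parse_gt("20120612073806Z")   # fixed reference time, so the run is reproducible


def audit(ldif_text: str = SAMPLE_LDIF, now: datetime = NOW, max_age_days: int = 30) -> Dict[str, str]:
    return classify(parse_ldif(ldif_text), now, max_age_days)


if __name__ == "__main__":
    print("server-side filter:", stale_filter(NOW, 30))
    for dn, state in audit().items():
        print(f"{state:6s} {dn}")
```

On a real directory, run stale_filter's output through ldapsearch on a Producer (a consumer only sees the timestamps that replicated to it) and treat "never" entries with the same suspicion as "stale" ones: after seeding pre-existing entries with the relax control as shown above, an account with no authTimestamp at all has not authenticated since the overlay went live.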