Discussion:
Record last bind info?
Erich Weiler
2010-04-06 23:02:21 UTC
Hi All,

My task at hand is to somehow record when a user last logged on to any
of our systems, which all authenticate against OpenLDAP.

Now, I've browsed the mailing lists and some folks have suggested using
the accesslog backend, and only have it log 'binds', and thus I can
later look back at the log DB and see when folks logged in last.

While this seems to work, what concerns me is that it makes a log entry
every time someone binds, so the log gets large fairly quickly, as well
as load the server a bit because of all the write activity to the log DB
(we have a large network with lots and lots of binds all the time). I
saw that the accesslog backend has a 'logpurge' directive, but indeed I
would like to only purge log entries older than a year, so the log DB
will still get quite large.

I was wondering if anyone knew a way to perhaps have it "log an entry,
but only log it if there is already not a pre-existing entry of not more
than X days old" or something like that for the uid in question...? Or
maybe even something such that it logs a new entry and automatically
purges all other older entries that match the same uid?

Or even a better way?

Thanks for any thoughts/insight!

-erich
Jonathan Clarke
2010-04-07 15:05:56 UTC
Post by Erich Weiler
Hi All,
My task at hand is to somehow record when a user last logged on to any
of our systems, which all authenticate against OpenLDAP.
Now, I've browsed the mailing lists and some folks have suggested using
the accesslog backend, and only have it log 'binds', and thus I can
later look back at the log DB and see when folks logged in last.
While this seems to work, what concerns me is that it makes a log entry
every time someone binds, so the log gets large fairly quickly, as well
as load the server a bit because of all the write activity to the log DB
(we have a large network with lots and lots of binds all the time). I
saw that the accesslog backend has a 'logpurge' directive, but indeed I
would like to only purge log entries older than a year, so the log DB
will still get quite large.
I was wondering if anyone knew a way to perhaps have it "log an entry,
but only log it if there is already not a pre-existing entry of not more
than X days old" or something like that for the uid in question...? Or
maybe even something such that it logs a new entry and automatically
purges all other older entries that match the same uid?
Or even a better way?
Thanks for any thoughts/insight!
Hi,

I had the exact same requirement, and wrote an overlay to do this. It
stores the time of last successful bind in an attribute in the user's entry.

It can be configured to only update this attribute if the last value is
older than a given time, to avoid excessive writes if all you need to
know is "has this user logged on this month?".

You can find it here:
http://www.openldap.org/its/?findid=6238

Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - ***@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
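The two approaches discussed in this thread, side by side, as an added slapd.conf example; this is not configuration from the thread or from the overlay attached to the ITS. The accesslog directives are those documented in slapo-accesslog(5). The `lastbind` overlay name and its `lastbind-precision` directive are taken from slapo-lastbind(5) as later shipped with OpenLDAP and are assumed here to match the overlay Jonathan refers to; suffixes, paths and the backend type are placeholders.

```conf
# Added example, not from the thread or the ITS#6238 patch.
# Assumes slapd.conf-style configuration; names below are placeholders.

# --- Approach 1: accesslog backend, recording binds only -------------
# Separate database that receives the log entries.
database        mdb
suffix          "cn=accesslog"
rootdn          "cn=accesslog"
directory       /var/lib/ldap/accesslog
index           default eq
index           entryCSN,objectClass,reqEnd,reqResult,reqStart,reqDN

# The user database that is being monitored.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap/data

overlay         accesslog
logdb           cn=accesslog
logops          binds           # only bind operations, not reads/writes
logsuccess      TRUE            # drop failed binds: less log volume, and
                                # "last login" means a successful bind anyway
# Purge entries older than 365 days; run the purge sweep once a day.
# Format is ddd+hh:mm for both the age and the interval.
logpurge        365+00:00 01+00:00

# --- Approach 2: lastbind overlay on the user database ---------------
# Stores the time of the last successful bind in the entry's
# authTimestamp attribute, so there is one value per user and no
# growing log database.
overlay         lastbind
# Only rewrite authTimestamp if the stored value is older than this
# many seconds; 86400 = at most one write per user per day, which is
# enough to answer "has this user logged on this month?".
lastbind-precision 86400
```

With approach 1, last logins are found by searching `cn=accesslog` for `(&(reqType=bind)(reqDN=<user dn>))` and taking the newest `reqStart`. With approach 2, stale accounts can be listed directly from the user tree, for example `ldapsearch -b dc=example,dc=com "(authTimestamp<=20100101000000Z)" uid authTimestamp`, which relies on `authTimestamp` carrying a generalizedTime ordering match as it does in the ppolicy schema.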
Erich Weiler
2010-04-07 15:47:30 UTC
Post by Jonathan Clarke
I had the exact same requirement, and wrote an overlay to do this. It
stores the time of last successful bind in an attribute in the user's entry.
Wow, that looks like it's _exactly_ what I need. Lemme roll it out in a
test environment and I'll ping you back on how much I like it. ;)