slapo-lastbind - lastbind overlay to slapd
The lastbind overlay to slapd(8) allows recording the timestamp of
the last successful bind to entries in the directory, in the
authTimestamp attribute. The overlay can be configured to update this
timestamp only if it is older than a given value, thus avoiding large numbers
of write operations penalizing performance. One sample use for this overlay
would be to detect unused accounts.
The config directives that are specific to the lastbind overlay must be
prefixed by lastbind-, to avoid potential conflicts with directives
specific to the underlying database or to other stacked overlays.
- overlay lastbind
- This directive adds the lastbind overlay to the current database,
see slapd.conf(5) for details.
This slapd.conf configuration option is defined for the
lastbind overlay. It must appear after the overlay directive:
- lastbind-precision <seconds>
- The value <seconds> is the number of seconds after which to
update the authTimestamp attribute in an entry. If the existing
value of authTimestamp is less than <seconds> old, it
will not be changed. If this configuration option is omitted, the
authTimestamp attribute is updated on each successful bind
operation.
- lastbind_forward_updates
- Specify that updates of the authTimestamp attribute on a consumer should
be forwarded to a provider instead of being written directly into the
consumer's local database. This setting is only useful on a replication
consumer, and also requires the updateref setting and chain
overlay to be appropriately configured.
This example configures the lastbind overlay to store
authTimestamp in all entries in a database, with a 1 week precision.
Add the following to slapd.conf(5):
database <database>
# ...
overlay lastbind
lastbind-precision 604800
slapd must also load lastbind.la, if compiled as a
run-time module;
- ETCDIR/slapd.conf
- default slapd configuration file
slapd.conf(5), slapd(8). The slapo-lastbind(5) overlay
supports dynamic configuration via back-config.
This module was written in 2009 by Jonathan Clarke. It is loosely derived from
the password policy overlay.