slapo-lastbind - lastbind overlay to slapd


The lastbind overlay to slapd(8) allows recording the timestamp of the last successful bind to entries in the directory, in the authTimestamp attribute. The overlay can be configured to update this timestamp only if it is older than a given value, thus avoiding large numbers of write operations penalizing performance. One sample use for this overlay would be to detect unused accounts.

Now that OpenLDAP has native support for most of this functionality, storing the value in pwdLastSuccess to better interact with the Behera Password Policy draft 10. Unless you require lastbind_forward_updates, you should consider using that instead.

The config directives that are specific to the lastbind overlay must be prefixed by lastbind-, to avoid potential conflicts with directives specific to the underlying database or to other stacked overlays.

This directive adds the lastbind overlay to the current database, see slapd.conf(5) for details.

This slapd.conf configuration option is defined for the lastbind overlay. It must appear after the overlay directive:

The value <seconds> is the number of seconds after which to update the authTimestamp attribute in an entry. If the existing value of authTimestamp is less than <seconds> old, it will not be changed. If this configuration option is omitted, the authTimestamp attribute is updated on each successful bind operation.
Specify that updates of the authTimestamp attribute on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.

This example configures the lastbind overlay to store authTimestamp in all entries in a database, with a 1 week precision. Add the following to slapd.conf(5):

database <database>
# ...
overlay lastbind
lastbind-precision 604800

slapd must also load, if compiled as a run-time module;

default slapd configuration file

slapd.conf(5), slapd(8).

IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Sermersheim: documented in IETF document "draft-behera-ldap-password-policy-10.txt".

The slapo-lastbind(5) overlay supports dynamic configuration via back-config.

This module was written in 2009 by Jonathan Clarke. It is loosely derived from the password policy overlay.