OpenDJ: Which accounts are active?

Perhaps you want to know which of your users are logging in regularly, and which have not logged in for some time. Ludo explained how to do time-based comparison searches in OpenDJ.

Yet OpenDJ directory server does not record last login time by default. If you want to track which users are actively logging in, you must enable it by adjusting the password policy.

Assuming you have installed OpenDJ and generated a few test users, then you have users subject to the default password policy.

$ ldapsearch \
 -p 1389 \
 -b dc=example,dc=com \
 uid=user.0 \
 pwdPolicySubentry
dn: uid=user.0,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

To have OpenDJ record when a user logs in, you set two last-login-time properties in the password policy: the attribute in which to store the login time, and the format of the time stamps to save.

OpenDJ comes with an attribute named ds-pwp-last-login-time defined in the schema. The ds-pwp-last-login-time attribute has string syntax, however, and so does not benefit from the time-based matching Ludo described in his blog. Instead, you can define an attribute with generalized time syntax to store the last login time, as in the following schema file.

$ cat /path/to/OpenDJ/config/schema/98-lastLogin.ldif
#
# Schema definition for a generalizedTimeMatch lastLoginTime attribute
#
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( lastLoginTime-oid
  NAME 'lastLoginTime'
  DESC 'Last time the user logged in'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation
  X-ORIGIN 'https://marginnotes2.wordpress.com' )

Next, adjust the password policy to put a generalized time stamp on lastLoginTime.

$ dsconfig \
 -p 4444 \
 -h `hostname` \
 -D "cn=Directory Manager" \
 -w password \
 set-password-policy-prop \
 --policy-name "Default Password Policy" \
 --set last-login-time-attribute:lastLoginTime \
 --set last-login-time-format:"yyyyMMddHHmmss'Z'" \
 -X -n

Check that OpenDJ tracks last login time by first performing an LDAP search bound as the user with a user name and password (effectively logging in), and then reading the value of lastLoginTime on the user's entry.

$ ldapsearch \
 -p 1389 \
 -D uid=user.0,ou=people,dc=example,dc=com \
 -w password \
 -b dc=example,dc=com \
 uid=user.0 \
 cn
dn: uid=user.0,ou=People,dc=example,dc=com
cn: Aaccf Amar

$ ldapsearch \
 -p 1389 \
 -b dc=example,dc=com \
 uid=user.0 \
 lastLoginTime
dn: uid=user.0,ou=People,dc=example,dc=com
lastLoginTime: 20110915210256Z

Now use Ludo's advice to see who has logged in over the last 3 months (13 weeks), using the relative time extensible matching rule.

$ ldapsearch \
 -p 1389 \
 -b dc=example,dc=com \
 "(lastLoginTime:1.3.6.1.4.1.26027.1.4.5:=-13w)" \
 uid cn
dn: uid=user.0,ou=People,dc=example,dc=com
uid: user.0
cn: Aaccf Amar

This is a nice way of checking which users are actively authenticating to OpenDJ directory server, and, by inverting the comparison, which accounts have gone dormant.
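The search above asks the server for the active accounts. The complementary question, which accounts have not logged in recently or have never bound since tracking was enabled, is often answered offline from saved ldapsearch output. The following added example (my code, not from the original post) parses LDIF as ldapsearch prints it, reads lastLoginTime in the yyyyMMddHHmmss'Z' format configured above, and sorts accounts into active, dormant and never-seen. The sample LDIF and the "now" value are constructed; the helper names are my own.

```python
"""Classify OpenDJ accounts as active, dormant or never-seen from LDIF.

Added example, not code from the original post. It assumes lastLoginTime
is written in the generalized time format yyyyMMddHHmmss'Z' configured
in the password policy above.
"""
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample of ldapsearch output, including the comment lines and
# trailing "search:"/"result:" lines that the command-line tool emits.
# user.2 carries no lastLoginTime: it has not bound since tracking began.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: (objectClass=person)
# requesting: uid lastLoginTime
#

dn: uid=user.0,ou=People,dc=example,dc=com
uid: user.0
lastLoginTime: 20110915210256Z

dn: uid=user.1,ou=People,dc=example,dc=com
uid: user.1
lastLoginTime: 20110601080000Z

dn: uid=user.2,ou=People,dc=example,dc=com
uid: user.2

# search result
search: 2
result: 0 Success
"""

TIME_FORMAT = "%Y%m%d%H%M%SZ"  # strptime form of yyyyMMddHHmmss'Z'


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per entry.

    Unfolds continuation lines (leading space), skips '#' comments, decodes
    base64 values ('attr:: ...'), and keeps only records that carry a dn,
    so the trailing "search:"/"result:" block is dropped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:  # sentinel blank line flushes the last record
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_generalized_time(value):
    """Turn 20110915210256Z into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def classify(entries, now, max_age_weeks):
    """Split entries into (active, dormant, never) uid lists.

    now is a generalized time string; an account is active if it bound
    within max_age_weeks of now, dormant if earlier, never if no value.
    """
    cutoff = parse_generalized_time(now) - timedelta(weeks=max_age_weeks)
    active, dormant, never = [], [], []
    for entry in entries:
        uid = entry.get("uid", entry["dn"])[0]
        if "lastLoginTime" not in entry:
            never.append(uid)
        elif parse_generalized_time(entry["lastLoginTime"][0]) >= cutoff:
            active.append(uid)
        else:
            dormant.append(uid)
    return active, dormant, never


def relative_time_filter(weeks):
    """Server-side equivalent: the relative time filter used in the post."""
    return f"(lastLoginTime:1.3.6.1.4.1.26027.1.4.5:=-{weeks}w)"


if __name__ == "__main__":
    active, dormant, never = classify(parse_ldif(SAMPLE_LDIF), "20110920000000Z", 13)
    for label, uids in (("active", active), ("dormant", dormant), ("never", never)):
        print(f"{label}: {', '.join(uids) or '-'}")
```

The never-seen list matters as much as the dormant one: a lastLoginTime attribute only appears after the first successful bind following the policy change, so an account with no value either predates the change or has not been used at all, and both deserve review before being treated as inactive.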


7 thoughts on "OpenDJ: Which accounts are active?"

  1. I've tried to use the new attribute "lastLoginTime" instead of "ds-pwp-last-login-time", but for an unknown reason it is not populated. Everything works OK when I use "ds-pwp-last-login-time" (but of course I cannot do time searches). What am I missing? Thank you.

  2. Thanks for your question, Stefano.

    I’ve just double-checked by following the steps in the latest published docs, https://backstage.forgerock.com/docs/opendj/3.5/server-dev-guide#extensible-match-search

    The problem does not show up on my laptop. Perhaps there’s a difference in our configurations.

    When I follow those steps, finally binding as bjensen and kvaughan, I do see the lastLoginTime attribute on their entries:

    $ ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com "(lastLoginTime=*)" lastLoginTime
    dn: uid=bjensen,ou=People,dc=example,dc=com
    lastLoginTime: 2017013116Z

    dn: uid=kvaughan,ou=People,dc=example,dc=com
    lastLoginTime: 2017013116Z

    Do I understand correctly that when a user binds successfully, the lastLoginTime attribute is not written?

    Is it possible that the last-login-time-attribute is not set to lastLoginTime in the applicable password policy?

    In the example that I am following, the applicable password policy is the default password policy. So I can check that on my system with the following command:

    dsconfig get-password-policy-prop --hostname localhost --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" --property last-login-time-attribute --trustAll --no-prompt
    Property                  : Value(s)
    --------------------------:--------------
    last-login-time-attribute : lastLoginTime

    The command is similar on your server.

    If you're not sure which password policy applies for a test user, you can check as described in https://backstage.forgerock.com/docs/opendj/3.5/admin-guide#pwp-application

    For example:

    $ ldapsearch \
    > --port 1389 \
    > --bindDN "cn=Directory Manager" \
    > --bindPassword password \
    > --baseDN dc=example,dc=com uid=bjensen \
    > pwdPolicySubentry
    dn: uid=bjensen,ou=People,dc=example,dc=com
    pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

    1. Shame on me 😦
      I was searching for the attribute via the OpenDJ Control Panel, and if you do not set "Attribute View" or "LDIF View" in the View menu of the "Manage Entries" window, you do not get the "Non-editable attributes" section displayed, which correctly shows the "lastLoginTime" attribute along with its value.

      Sorry for bothering you and thank you for your verbose and instant reply!

    2. Just an additional note:

      The latest note from Ludo, "Finally, remember that the OpenDJ directory server doesn't allow unindexed searches by default. So you might also want to create an index for the 'relative time' matching rules.", seems not to apply on OpenDJ 3.0.
      The relative time search works without specific indexes on the lastLoginTime attribute.

      ldapsearch -p 1389 -h localhost -D "cn=Directory Manager" -w ********** -b dc=example,dc=com "(lastLoginTime:1.3.6.1.4.1.26027.1.4.5:=-1h)" uid cn lastLoginTime
      # extended LDIF
      #
      # LDAPv3
      # base with scope subtree
      # filter: (lastLoginTime:1.3.6.1.4.1.26027.1.4.5:=-1h)
      # requesting: uid cn lastLoginTime
      #

      # stefano.coletta@1789, people, users, example.com
      dn: uid=stefano.coletta@1789,ou=people,ou=users,dc=example,dc=com
      uid: stefano.coletta@1789
      cn: Coletta Stefano
      lastLoginTime: 20170203152207Z

      # search result
      search: 2
      result: 0 Success

      # numResponses: 2
      # numEntries: 1
