Perhaps you want to know which of your users are logging in regularly, and which have not logged in for some time. Ludo explained how to do time-based comparison searches in OpenDJ.
Yet, OpenDJ directory server does not record last login time by default. You must set it up by adjusting password policy if you want to track which users are actively logging in.
Assuming you have installed OpenDJ and generated a few test users, then you have users subject to the default password policy.
$ ldapsearch -p 1389 -b dc=example,dc=com uid=user.0 pwdPolicySubentry
dn: uid=user.0,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
To have OpenDJ record when a user logs in, you set last-login-time properties in the password policy. One of the properties to set is the attribute to use, the other is the format of the time stamps to save.
OpenDJ comes with an attribute named ds-pwp-last-login-time defined in the schema. The ds-pwp-last-login-time attribute has string syntax, and so does not benefit from the time-based matching Ludo described in his blog. Instead, you can define an attribute with generalized time syntax to store the last login time.
$ cat /path/to/OpenDJ/config/schema/98-lastLogin.ldif
#
# Schema definition for a generalizedTimeMatch lastLoginTime attribute
#
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( lastLoginTime-oid NAME 'lastLoginTime'
  DESC 'Last time the user logged in'
  EQUALITY generalizedTimeMatch
  ORDERING generalizedTimeOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
  SINGLE-VALUE NO-USER-MODIFICATION
  USAGE directoryOperation
  X-ORIGIN 'https://marginnotes2.wordpress.com' )
Next, adjust the password policy to put a generalized time stamp on
$ dsconfig -p 4444 -h `hostname` -D "cn=Directory Manager" -w password \
 set-password-policy-prop --policy-name "Default Password Policy" \
 --set last-login-time-attribute:lastLoginTime \
 --set last-login-time-format:"yyyyMMddHHmmss'Z'" -X -n
Check that OpenDJ tracks last login time, by first performing an LDAP search with a user name and password (effectively logging in), and then reading the value of lastLoginTime on the user’s entry.
$ ldapsearch -p 1389 -D uid=user.0,ou=people,dc=example,dc=com -w password -b dc=example,dc=com uid=user.0 cn
dn: uid=user.0,ou=People,dc=example,dc=com
cn: Aaccf Amar

$ ldapsearch -p 1389 -b dc=example,dc=com uid=user.0 lastLoginTime
dn: uid=user.0,ou=People,dc=example,dc=com
lastLoginTime: 20110915210256Z
Now use Ludo’s advice to see who has logged in over the last 3 months.
$ ldapsearch -p 1389 -b dc=example,dc=com "(lastLoginTime:1.3.6.1.4.1.26027.1.4.5:=-13w)" uid cn
dn: uid=user.0,ou=People,dc=example,dc=com
uid: user.0
cn: Aaccf Amar
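As an added example that is not part of the original post, this Python script applies the same 13-week cutoff offline to ldapsearch output: it parses the yyyyMMddHHmmss'Z' stamps the policy writes and also lists users with no lastLoginTime at all, which the relative-time filter above silently omits. The sample LDIF and the reference time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample output of `ldapsearch ... lastLoginTime`, not data from the post.
SAMPLE_LDIF = """\
dn: uid=user.0,ou=People,dc=example,dc=com
lastLoginTime: 20110915210256Z

dn: uid=user.1,ou=People,dc=example,dc=com
lastLoginTime: 20110601083000Z

dn: uid=user.2,ou=People,dc=example,dc=com
"""

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # strptime layout for yyyyMMddHHmmss'Z'

def parse_generalized_time(value):
    """Parse a UTC generalized-time string such as 20110915210256Z."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Map each dn to its lastLoginTime (None when the attribute is absent)."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            current = line[len("dn: "):]
            entries[current] = None
        elif line.startswith("lastLoginTime: ") and current is not None:
            entries[current] = parse_generalized_time(line[len("lastLoginTime: "):])
    return entries

def partition_by_activity(ldif_text, weeks, now_gt):
    """Split users the way the -13w relative-time filter does.

    'active' holds users whose stamp is newer than now minus `weeks`;
    'dormant' holds everyone else, including users with no stamp at all,
    which the LDAP filter silently skips.
    """
    cutoff = parse_generalized_time(now_gt) - timedelta(weeks=weeks)
    active, dormant = [], []
    for dn, stamp in sorted(parse_ldif(ldif_text).items()):
        (active if stamp is not None and stamp > cutoff else dormant).append(dn)
    return active, dormant

if __name__ == "__main__":
    act, dor = partition_by_activity(SAMPLE_LDIF, 13, "20110916000000Z")
    print("active:", act)
    print("dormant:", dor)
```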
A nice way of checking which users are actively logging in by authenticating to OpenDJ directory server.