Last Successful Authentication Time Stamp plug-in

You can record the time stamp that corresponds to the last successful authentication for a user so that you can display it on a web portal or implement security policies.

Note: The Last Successful Authentication Time Stamp plug-in is a premium feature that is available from IBM® Security Directory Server, Version 6.4. You must have the Premium Feature Activation Package to use this plug-in. See Premium feature activation.
The plug-in:
  • Records the time stamp of successful bind and user password compare operations.
  • Records, by default, the last successful authentication time stamp for every authenticating user. You can also configure the plug-in to record time stamps only for selected users.
  • Supports only the simple bind and simple bind over SSL operations.

The plug-in is disabled by default for a directory server installation. To enable the plug-in, modify the server configuration as shown in the following example:

# ldapmodify -p server port -D admin DN -w admin PW
    dn: CN=DIRECTORY,CN=RDBM BACKENDS,CN=IBM DIRECTORY,CN=SCHEMAS,CN=CONFIGURATION
    changetype: modify
    add: ibm-slapdPlugin
    ibm-slapdPlugin: postoperation plug-in filename lastSuccessBindTsInit suffix-list
Where:
  • postoperation indicates that it records the time stamp after a successful authentication operation.
  • plug-in filename is the library file name for the plug-in as shown here for different operating systems:
    • Linux® and Solaris: liblsbt.so
    • Windows: /lib64/liblsbt.dll
    • AIX®: liblsbt.a
  • lastSuccessBindTsInit is the entry point for the plug-in. You must specify this parameter exactly as shown in the example.
  • suffix-list is the list of suffixes for which you want to record the bind time stamp. Separate each suffix with a : (colon). If you do not provide any suffixes, then by default all suffixes are included in the bind time stamp recording.
    Do not include spaces before or after the commas within a suffix. For example, to record the time stamp for "ou=Finance, o=Acme.org" and "ou=marketing, o=Acme.org", specify the suffix-list as shown here:
    "OU=FINANCE,O=ACME.ORG":"OU=MARKETING,O=ACME.ORG"
    Note: When an explicit include list is set, any suffix that is not in the list is excluded.
    You can use this option to record the time stamp only for the users under a specific subtree or subtrees. By default, all users under all subtrees are included.

Plug-in attributes

ibm-latestBindTimestamp
Records the bind time stamp.
ibm-prevBindTimestamp
Records the time stamp that corresponds to the previous successful bind operation.

With the first bind operation, the plug-in records only the ibm-latestBindTimestamp attribute, because there are no previous successful bind operations for the user in the system.

Starting with the second bind operation, the plug-in assigns the value of ibm-latestBindTimestamp to ibm-prevBindTimestamp. The current time stamp is stored as the value of ibm-latestBindTimestamp.

The ibm-latestBindTimestamp and ibm-prevBindTimestamp attributes are operational attributes. They are not returned as part of normal search results unless you request them explicitly. To explicitly modify or delete these attributes in user entries, you need administrator credentials together with the admin control.

The plug-in supports the pass-through authentication scenarios where user entries are stored in the local subtrees by recording the successful authentication time stamp in the local user entries.

Plug-in usage scenarios

You can use the plug-in in the following scenarios:

  • Implementing a security policy that requires a user account to be locked if it remains inactive for a predefined interval of time.

    The difference between the values of the attributes ibm-latestBindTimestamp and ibm-prevBindTimestamp gives the time that elapsed between the previous successful authentication by the user and the latest one. If this time exceeds the predefined interval, the account can be locked.

  • Displaying the last successful authentication time for a user on the web page.

    Several web-based applications, such as net banking portals, display such information.
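As an added illustration (not IBM's plug-in code), the following Python mimics the attribute rotation described under Plug-in attributes and evaluates the inactivity policy from the first scenario over constructed search output. The LDIF text, the DNs, the 90-day threshold and the use of LDAP GeneralizedTime (UTC, "Z" suffix) as the attribute value syntax are assumptions.

```python
from datetime import datetime, timedelta, timezone

LATEST = "ibm-latestBindTimestamp"
PREV = "ibm-prevBindTimestamp"
GT_FORMAT = "%Y%m%d%H%M%SZ"  # assumed value syntax: LDAP GeneralizedTime in UTC

def record_successful_bind(entry, now_ts):
    """First bind sets only the latest stamp; every later bind moves latest to prev (as the page describes)."""
    if LATEST in entry:
        entry[PREV] = entry[LATEST]
    entry[LATEST] = now_ts
    return entry

def parse_generalized_time(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal parser for ldapsearch-style LDIF output: one dict per entry, first value per attribute."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), value.strip())
        entries.append(entry)
    return entries

def inactive_accounts(entries, max_inactive_days):
    """Return DNs whose gap between the previous and latest successful bind exceeds the policy interval."""
    flagged = []
    for entry in entries:
        if LATEST in entry and PREV in entry:  # a first-ever bind has no prev stamp; nothing to compare
            gap = parse_generalized_time(entry[LATEST]) - parse_generalized_time(entry[PREV])
            if gap > timedelta(days=max_inactive_days):
                flagged.append(entry["dn"])
    return flagged

# Constructed sample: what a search that explicitly requests both operational attributes might return.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Finance,o=Acme.org
ibm-latestBindTimestamp: 20240301090000Z
ibm-prevBindTimestamp: 20240228170000Z

dn: uid=bob,ou=Marketing,o=Acme.org
ibm-latestBindTimestamp: 20240301090000Z
ibm-prevBindTimestamp: 20231101080000Z

dn: uid=carol,ou=Finance,o=Acme.org
ibm-latestBindTimestamp: 20240301090000Z
"""
```

With a 90-day policy, `inactive_accounts(parse_ldif(SAMPLE_LDIF), 90)` flags only bob; carol has bound once and cannot be evaluated yet.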