User Last Login Time

I'm trying to use DS6 built-in functionality for tracking users' last login time. I created a new password policy and enabled the pwdKeepLastAuthTime attribute. Then I tried signing into Access Manager.

According to the documentation, an attribute pwdLastAuthTime should be added to the user entry, but it is not there.

Any ideas how I can get this to work?

By apoona at 2007-11-27 8:11:06
# 1

Last login time is a feature provided with the new Directory Server password policy implementation introduced in DS 6 and is not part of the compatibility mode. Check the Directory Server password policy compatibility mode:

$ dsconf get-server-prop ... | grep 'pwd-compat'
pwd-compat-mode: DS5-compatible-mode

The Directory Server password policy compatibility mode must be advanced past DS5-compatible-mode:

$ ldapmodify ...
dn: cn=Password Policy,cn=config
changetype:modify
replace:pwdkeeplastauthtime
pwdkeeplastauthtime:TRUE

modifying entry cn=Password Policy,cn=config
ldap_modify: DSA is unwilling to perform
ldap_modify: additional info: (Password Policy: modify policy entry) "pwdKeepLastAuthTime: TRUE" is not supported in server mode DS5-compatible-mode ("cn=config" pwdCompat: 0).

$ dsconf pwd-compat ... to-DS6-migration-mode

$ dsconf get-server-prop ... | grep 'pwd-compat'
pwd-compat-mode: DS6-migration-mode

Now it should work. If not, please try binding directly to the directory server as the user (e.g., do an ldapsearch as that user) and check the entry.

solaris1a at 2007-7-12 19:54:57
# 2

Thanks for the tip. I had MMR configured and one DS was in DS6 mode, and the other was in DS5 compatible mode. That may have been causing the problem.

So far I have only been able to retrieve the attribute using ldapsearch and explicitly specifying pwdlastauthtime in the filter. Is there any way an application can retrieve this programmatically?

apoona at 2007-7-12 19:54:57
# 3

The pwdLastAuthTime attribute is an operational attribute and must be explicitly listed in the attributes to be returned.

ldapsearch -b"ou=people,dc=example,dc=com" "uid=John" pwdLastAuthTime

Of course, this can be achieved programmatically using LDAP APIs such as the LDAP C-SDK, the LDAP Java-SDK or JNDI.

Regards,

Ludovic.

ludovicpa at 2007-7-12 19:54:57
# 4
I am thinking of this in terms of the Access Manager Client SDK and whether custom code using the SDK can retrieve this attribute. Let me know if I'm wrong, but from the sounds of it, operational attributes can be retrieved programmatically, as long as the attribute is specified.

apoona at 2007-7-12 19:54:57
# 5
I am not familiar enough with the AM SDK to answer this. But you're correct: operational attributes can be retrieved programmatically, as long as the attribute is specified.

Regards,

Ludovic.

ludovicpa at 2007-7-12 19:54:57
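As an added example (not code from this thread, nor from Sun's Directory Server or Access Manager SDKs), here is the lookup from posts #3 and #5 done with JNDI: the search names pwdLastAuthTime in the returned-attribute list, which is what makes the server hand back an operational attribute, and the GeneralizedTime value is parsed so an application can compute how long ago the user last bound. The host, bind DN, base DN and the whole-seconds UTC time format (e.g. 20071127081106Z) are assumptions.

```java
import java.time.*;
import java.time.format.DateTimeFormatter;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class LastAuthTimeLookup {
    // GeneralizedTime as assumed to be stored, e.g. 20071127081106Z (whole seconds, UTC)
    private static final DateTimeFormatter GENERALIZED_TIME =
        DateTimeFormatter.ofPattern("uuuuMMddHHmmss'Z'");

    static Instant parseGeneralizedTime(String value) {
        return LocalDateTime.parse(value, GENERALIZED_TIME).toInstant(ZoneOffset.UTC);
    }

    /** Returns pwdLastAuthTime for uid, or null when the server did not return it. */
    static Instant lookupLastAuthTime(DirContext ctx, String baseDn, String uid)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Operational attributes are not returned by default: request it by name.
        controls.setReturningAttributes(new String[] { "pwdLastAuthTime" });
        // uid is passed as a filter argument so JNDI escapes any filter metacharacters.
        NamingEnumeration<SearchResult> results =
            ctx.search(baseDn, "(uid={0})", new Object[] { uid }, controls);
        try {
            if (!results.hasMore()) return null;
            Attribute attr = results.next().getAttributes().get("pwdLastAuthTime");
            if (attr == null) return null;  // feature not enabled, or the user never bound
            return parseGeneralizedTime((String) attr.get());
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ds.example.com:389");    // placeholder host
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=Directory Manager");   // placeholder bind DN
        env.put(Context.SECURITY_CREDENTIALS,
            Objects.requireNonNull(System.getenv("LDAP_PASSWORD"), "set LDAP_PASSWORD"));
        DirContext ctx = new InitialDirContext(env);
        try {
            Instant last = lookupLastAuthTime(ctx, "ou=people,dc=example,dc=com", "John");
            System.out.println(last == null ? "no pwdLastAuthTime" : "last bind at " + last);
        } finally {
            ctx.close();
        }
    }
}
```

A null result is expected when the password policy is still in DS5-compatible-mode or when the user has never bound since the attribute was enabled, so callers should treat it as "unknown" rather than "never logged in".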