Bug 1654395

Summary: [RFE] Automatically disable user accounts that have not been used for a specific period of time
Product: Red Hat Enterprise Linux 9
Reporter: Skip Wyatt <awyatt>
Component: ipa
Assignee: Florence Blanc-Renaud <frenaud>
Status: ASSIGNED ---
QA Contact: ipa-qe <ipa-qe>
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: Aaron.Boudreaux, abokovoy, asakure, baptiste.agasse, briasmit, charles_sheridan, cilmar, cobrown, cparadka, dleroux, duboyd, fcami, frenaud, gparente, ipa-maint, Isabel.hernanz, jlyle, jwooten, kemyers, ksiddiqu, ldelouw, mescanfe, mkosek, mreinke, msauton, nsoman, pasik, peter.mittermayer, pierre-yves.goubet, pvoborni, rcritten, rvdwees, suwu, tmihinto, tonflo, tscherf, vmishra, wdh
Target Milestone: beta
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1273040
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1273040
Bug Blocks: 1623566, 1679810, 1689138

Comment 3 Alexander Bokovoy 2019-02-11 14:33:18 UTC
The generic approach we discussed to take is:
 - use a coarse timestamp which is only updated once a day or a defined period of time (1hr, 8hr, etc)
 - replicate this timestamp instead of krblastsuccessfulauth
 - write a 389-ds plugin that uses the new timestamp attribute to decide on lockout
 - potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase
 - for the defined period of time, maybe add it to a password policy definition so that it is tracked in a single place
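As an added illustration of the approach sketched in this comment (this is example code written for this page, not FreeIPA or 389-ds code), the following Python models the two pieces a coarse-timestamp design needs: the write-suppression rule that keeps replication traffic low compared with updating krbLastSuccessfulAuth on every login, and the lockout decision a server-side plugin could make from the coarse attribute alone. The granularity (1 day), inactivity limit (90 days), attribute names and all account data are constructed assumptions, not values from the bug or the design document.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (constructed for this example, not from the bug):
# the coarse timestamp is refreshed at most once per day, and an account is
# considered stale after 90 days without a refresh.
COARSE_GRANULARITY = timedelta(days=1)
INACTIVITY_LIMIT = timedelta(days=90)


def update_coarse_timestamp(stored, now, granularity=COARSE_GRANULARITY):
    """Decide whether a successful authentication at `now` must rewrite the
    coarse attribute. Returns the new value to store, or None when the stored
    value is still within one granularity period, so no write (and therefore
    no replication event) is needed."""
    if stored is None or now - stored >= granularity:
        return now
    return None


def simulate_logins(login_times, granularity=COARSE_GRANULARITY):
    """Replay a sequence of successful logins and count how many writes the
    coarse attribute takes. A fine-grained attribute such as
    krbLastSuccessfulAuth would take one write per login instead."""
    stored = None
    writes = 0
    for t in sorted(login_times):
        new = update_coarse_timestamp(stored, t, granularity)
        if new is not None:
            stored = new
            writes += 1
    return stored, writes


def should_disable(entry, now, limit=INACTIVITY_LIMIT):
    """Lockout decision a plugin could make from the coarse attribute.
    Accounts that have never authenticated fall back to their creation
    time, so a freshly created but not yet used account is not disabled
    on the spot. Already-disabled accounts are left alone."""
    if entry["disabled"]:
        return False
    reference = entry["last_coarse_auth"] or entry["created"]
    return now - reference > limit


def stale_uids(entries, now, limit=INACTIVITY_LIMIT):
    """Return the uids the policy would disable at `now`."""
    return [e["uid"] for e in entries if should_disable(e, now, limit)]


# Constructed sample data: a fixed evaluation date, five logins spread over
# 30 hours, and four accounts with different activity histories.
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_LOGINS = [NOW - timedelta(hours=h) for h in (30, 27, 20, 6, 1)]
SAMPLE_ENTRIES = [
    {"uid": "alice", "created": NOW - timedelta(days=400),
     "last_coarse_auth": NOW - timedelta(days=10), "disabled": False},
    {"uid": "bob", "created": NOW - timedelta(days=400),
     "last_coarse_auth": NOW - timedelta(days=120), "disabled": False},
    {"uid": "carol", "created": NOW - timedelta(days=5),
     "last_coarse_auth": None, "disabled": False},
    {"uid": "dave", "created": NOW - timedelta(days=400),
     "last_coarse_auth": NOW - timedelta(days=200), "disabled": True},
]

if __name__ == "__main__":
    stored, writes = simulate_logins(SAMPLE_LOGINS)
    print(f"{len(SAMPLE_LOGINS)} logins -> {writes} coarse writes, last stored {stored}")
    print("would disable:", stale_uids(SAMPLE_ENTRIES, NOW))
```

Two properties of the model are worth keeping in mind when reading the bug. First, the coarse value lags real activity by up to one granularity period, so the effective inactivity window lies between the limit and the limit plus the granularity; that slack is the price of the reduced replication load. Second, the decision only sees authentications that touch the directory at all, which is exactly the gap the later comments describe for ssh public-key logins that bypass Kerberos and LDAP.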

Comment 5 Dmitri Pal 2019-03-12 13:20:05 UTC
*** Bug 1273040 has been marked as a duplicate of this bug. ***

Comment 19 W. de Heiden 2021-02-10 11:01:16 UTC
Any progress on this most interesting RFE?

Comment 36 pmittermayer 2023-05-24 11:01:47 UTC
Will this feature ever be available for IdM on RHEL 8 or even RHEL 9? The initial request is already from 2018 ... It has also been part of the FreeIPA design document for several years now.

Comment 37 Alexander Bokovoy 2023-05-24 11:14:29 UTC
This feature is currently not considered for development in near future due to other, more pressing tasks.

https://freeipa.readthedocs.io/en/latest/designs/disable-stale-users.html describes a potential design but is not implemented.
As described in the design document, there is no good way to identify activity of users for all supported authentication scenarios in FreeIPA.
One common use case that cannot be handled is ssh private key authentication without use of Kerberos or LDAP authentication.