Bug 1654395 - [RFE] Automatically disable user accounts that have not been used for a specific period of time
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1273040
Blocks: 1623566 1689138 1679810
 
Reported: 2018-11-28 16:47 UTC by Skip Wyatt
Modified: 2019-12-17 15:57 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of: 1273040
Environment:
Last Closed:
Type: ---
Target Upstream Version:



Comment 3 Alexander Bokovoy 2019-02-11 14:33:18 UTC
The generic approach we discussed taking is:
 - use a coarse timestamp which is only updated once a day or a defined period of time (1hr, 8hr, etc.)
 - replicate this timestamp instead of krblastsuccessfulauth
 - write a 389-ds plugin that uses the new timestamp attribute to decide on lockout
 - potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (SSH public keys, etc.) to allow advisory notification from SSSD during PAM session phase
 - For the defined period of time, maybe add it to a password policy definition so that it is tracked in a single place
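
The coarse-timestamp and lockout steps from Comment 3, sketched as plain C. This is an added example, not FreeIPA or 389-ds code and not part of the comment. All names are hypothetical, the plugin and LDAP plumbing are left out, and adding one granularity period of slack before lockout is an assumption of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical policy values, kept together as the comment suggests. */
struct inactivity_policy {
    time_t granularity;   /* coarse update period, e.g. 86400 = once a day */
    time_t max_inactive;  /* disable after this long without a login */
};

/* Called on each successful authentication. Writes *stored only when it is
 * unset or at least one period old; returns true when a write (and so a
 * replicated change) was needed. */
bool coarse_touch(time_t *stored, time_t now, const struct inactivity_policy *p)
{
    if (*stored != 0 && now - *stored < p->granularity)
        return false;            /* still fresh: nothing to replicate */
    *stored = now;
    return true;
}

/* Lockout decision. The stored value can trail the real last login by just
 * under one period, so that slack is added before declaring inactivity.
 * stored == 0 (never recorded) is left to the caller's policy. */
bool account_inactive(time_t stored, time_t now, const struct inactivity_policy *p)
{
    if (stored == 0)
        return false;
    return now - stored >= p->max_inactive + p->granularity;
}

/* Constructed scenario: one login every `step` seconds for `span` seconds.
 * Returns how many of those logins caused a write. */
int count_writes(time_t start, time_t span, time_t step,
                 const struct inactivity_policy *p)
{
    time_t stored = 0;
    int writes = 0;
    for (time_t t = start; t < start + span; t += step)
        if (coarse_touch(&stored, t, p))
            writes++;
    return writes;
}

int main(void)
{
    struct inactivity_policy p = { 86400, 90 * 86400 };
    printf("writes: %d\n", count_writes(1000000, 3 * 86400, 600, &p));
    return 0;
}
```

In the constructed scenario, 432 logins over three days cause three writes, which is the replication saving over updating a per-login attribute such as krblastsuccessfulauth.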

Comment 5 Dmitri Pal 2019-03-12 13:20:05 UTC
*** Bug 1273040 has been marked as a duplicate of this bug. ***

