Anonymous_User Absent Member.

Last Login Time

How can I record Last Login Time from people who authenticate via LDAP
into eDir? We have people who log into the portals via LDAP, but use eDir
for authentication. It would be great to audit these accounts to know if
they are actually being used and when from an eDir standpoint.

Thanks!

Anonymous_User Absent Member.

Re: Last Login Time

Hi,

spam@spam.com (JimmyV) wrote in news:w9OOi.10511$NG7.2038@kovat.provo.novell.com:

> How can I record Last Login Time from people who authenticate via LDAP
> into eDir? We have people who log into the portals via LDAP, but use eDir
> for authentication. It would be great to audit these accounts to know if
> they are actually being used and when from an eDir standpoint.

hmm, I doubt that this will be recorded in NDS, at least not by default.
Furthermore I guess that most LDAP apps do only a password verification, and
no true login....; but just check yourself: you can simply look up the
lastlogintime for a user in NDS with either nwadm32 or C1, then 'login' with
that user via LDAP, and then check again.

Günter.

Anonymous_User Absent Member.

Re: Last Login Time

I was told this was possible if I login via LDAP Bind instead of LDAP
Compare. Where would I change these settings?

Guenter wrote:

> Hi,
>
> spam@spam.com (JimmyV) wrote in news:w9OOi.10511$NG7.2038@kovat.provo.novell.com:
>
>> How can I record Last Login Time from people who authenticate via LDAP
>> into eDir? We have people who log into the portals via LDAP, but use eDir
>> for authentication. It would be great to audit these accounts to know if
>> they are actually being used and when from an eDir standpoint.
>
> hmm, I doubt that this will be recorded in NDS, at least not by default.
> Furthermore I guess that most LDAP apps do only a password verification, and
> no true login....; but just check yourself: you can simply look up the
> lastlogintime for a user in NDS with either nwadm32 or C1, then 'login' with
> that user via LDAP, and then check again.
>
> Günter.

Anonymous_User Absent Member.

Re: Last Login Time

Hi,
spam@spam.com (JimmyV) wrote in
news:r1TOi.10759$NG7.14@kovat.provo.novell.com:

> I was told this was possible if I login via LDAP Bind instead of LDAP
> Compare. Where would I change these settings?

hmm, yes, that should do; but keep in mind that you then also consume a
connection (at least I think so); what app do you mean? Novell Portal? This
probably already does a bind....; otherwise tell me what software you use,
and post a link to it here if it's OpenSource.
Just as I said before: check if your app / portal does already - if so I
might be able to point you to a UCS/UCX script which can programmatically
check for the lastlogintime from Perl or PHP.

Günter.

Anonymous_User Absent Member.

Re: Last Login Time

They are using the BEA Portal product. The portal guys have a call into
BEA. I'm just not sure what specifically to ask of them.

Anonymous_User Absent Member.

Re: Last Login Time

Hi,
spam@spam.com (JimmyV) wrote in news:pX5Pi.11102$NG7.9643@kovat.provo.novell.com:

> They are using the BEA Portal product. The portal guys have a call into
> BEA. I'm just not sure what specifically to ask of them.

sorry, I don't know this; can you explain a bit more?
Is it OpenSource, or a Novell product; and in what language is it written?

Günter.

Anonymous_User Absent Member.

Re: Last Login Time

Anonymous_User Absent Member.

Re: Last Login Time

Yes you can read the lastLoginTime from LDAP (or JNDI) and it is set
from a bind.

You can search for loginTime>=20021031173925Z (or any appropriately
formatted date) and it will work.
-jim

JimmyV wrote:
> It is this product -
> http://edocs.bea.com/alui/integration/ldapids/docs22/relnotes/Release_Notes_ALI_Identity_Service-LDAP_v2-2.htm

Anonymous_User Absent Member.

Re: Last Login Time

Jim,

This would be good for an ldap search. I'm simply looking for a way for
the application, which logs in via ldap, to check for last login time -
much like how the Windows Client32 does - and use that information to
verify against the Password Expiration Interval so that if a password
expires in eDirectory, it will also disallow this application to login via
ldap for that account. At this time, accounts can login via ldap even
though their eDir password has expired.

Jim Willeke wrote:

> Yes you can read the lastLoginTime from LDAP (or JNDI) and it is set
> from a bind.
>
> You can search for loginTime>=20021031173925Z (or any appropriately
> formatted date) and it will work.
> -jim
>
> JimmyV wrote:
>> It is this product -
>> http://edocs.bea.com/alui/integration/ldapids/docs22/relnotes/Release_Notes_ALI_Identity_Service-LDAP_v2-2.htm

9159506 New Member.

Re: Last Login Time

Hello Jimmy,

I found there are a lot of configuration parameters:
http://e-docs.bea.com/wls/docs90/ConsoleHelp/pagehelp/Securitysecurityauthenticatornovellauthenticatorconfigproviderspecifictitle.html
One small mistake here may produce strange things. Some of the parameters
are not clear to me. Just for example: Cache Enabled, Cache Size, Cache
TTL. It would be very nice if you can explain them.

Did you try to sniff LDAP trace between BEA portal and NDS LDAP server?

Regards,
Andrey

JimmyV wrote:
> Jim,
>
> This would be good for an ldap search. I'm simply looking for a way for
> the application, which logs in via ldap, to check for last login time -
> much like how the Windows Client32 does - and use that information to
> verify against the Password Expiration Interval so that if a password
> expires in eDirectory, it will also disallow this application to login
> via ldap for that account. At this time, accounts can login via ldap
> even though their eDir password has expired.
>
> Jim Willeke wrote:
>
>> Yes you can read the lastLoginTime from LDAP (or JNDI) and it is set
>> from a bind.
>>
>> You can search for loginTime>=20021031173925Z (or any appropriately
>> formatted date) and it will work.
>> -jim
>>
>> JimmyV wrote:
>>
>>> It is this product -
>>> http://edocs.bea.com/alui/integration/ldapids/docs22/relnotes/Release_Notes_ALI_Identity_Service-LDAP_v2-2.htm

Anonymous_User Absent Member.

Re: Last Login Time

We just heard back from BEA. They said the trace they received from our
portal guy indicated that they were doing a Bind, not a Compare. Strange
in that this seems to be the only product that does this in our
environment. Still checking into it.

Figured you'd want to know.

andreyk@abgcard.ru wrote:

> Hello Jimmy,
>
> I found there are a lot of configuration parameters:
> http://e-docs.bea.com/wls/docs90/ConsoleHelp/pagehelp/Securitysecurityauthenticatornovellauthenticatorconfigproviderspecifictitle.html
> One small mistake here may produce strange things. Some of the parameters
> are not clear to me. Just for example: Cache Enabled, Cache Size, Cache
> TTL. It would be very nice if you can explain them.
>
> Did you try to sniff LDAP trace between BEA portal and NDS LDAP server?
>
> Regards,
> Andrey
>
> JimmyV wrote:
>> Jim,
>>
>> This would be good for an ldap search. I'm simply looking for a way for
>> the application, which logs in via ldap, to check for last login time -
>> much like how the Windows Client32 does - and use that information to
>> verify against the Password Expiration Interval so that if a password
>> expires in eDirectory, it will also disallow this application to login
>> via ldap for that account. At this time, accounts can login via ldap
>> even though their eDir password has expired.
>>
>> Jim Willeke wrote:
>>
>>> Yes you can read the lastLoginTime from LDAP (or JNDI) and it is set
>>> from a bind.
>>>
>>> You can search for loginTime>=20021031173925Z (or any appropriately
>>> formatted date) and it will work.
>>> -jim
>>>
>>> JimmyV wrote:
>>>
>>>> It is this product -
>>>> http://edocs.bea.com/alui/integration/ldapids/docs22/relnotes/Release_Notes_ALI_Identity_Service-LDAP_v2-2.htm

Anonymous_User Absent Member.

Re: Last Login Time

If you do a compare, you will NOT update the lastlogintime attribute.

Also, every application should perform a bind as the user for
authentication as a compare will not utilize security items within the
LDAP server like password expired or (in some cases account disabled) etc.

-jim

JimmyV wrote:
> We just heard back from BEA. They said the trace they received from our
> portal guy indicated that they were doing a Bind, not a Compare. Strange
> in that this seems to be the only product that does this in our
> environment. Still checking into it.
>
> Figured you'd want to know.
>
> andreyk@abgcard.ru wrote:
>
>> Hello Jimmy,
>>
>> I found there are a lot of configuration parameters:
>> http://e-docs.bea.com/wls/docs90/ConsoleHelp/pagehelp/Securitysecurityauthenticatornovellauthenticatorconfigproviderspecifictitle.html
>> One small mistake here may produce strange things. Some of the parameters
>> are not clear to me. Just for example: Cache Enabled, Cache Size,
>> Cache TTL. It would be very nice if you can explain them.
>>
>> Did you try to sniff LDAP trace between BEA portal and NDS LDAP server?
>>
>> Regards,
>> Andrey
>>
>> JimmyV wrote:
>>> Jim,
>>>
>>> This would be good for an ldap search. I'm simply looking for a way
>>> for the application, which logs in via ldap, to check for last login
>>> time - much like how the Windows Client32 does - and use that
>>> information to verify against the Password Expiration Interval so
>>> that if a password expires in eDirectory, it will also disallow this
>>> application to login via ldap for that account. At this time,
>>> accounts can login via ldap even though their eDir password has expired.
>>>
>>> Jim Willeke wrote:
>>>
>>>> Yes you can read the lastLoginTime from LDAP (or JNDI) and it is set
>>>> from a bind.
>>>>
>>>> You can search for loginTime>=20021031173925Z (or any appropriately
>>>> formatted date) and it will work.
>>>> -jim
>>>>
>>>> JimmyV wrote:
>>>>
>>>>> It is this product -
>>>>> http://edocs.bea.com/alui/integration/ldapids/docs22/relnotes/Release_Notes_ALI_Identity_Service-LDAP_v2-2.htm
