Univention Bugzilla – Bug 49700
Support monitoring of last successful LDAP bind to simplify identifying inactive accounts
Last modified: 2020-03-18 12:27:40 CET
This bug is a feature request: A customer asked for a method to find inactive accounts by monitoring their last successful LDAP bind. OpenLDAP offers the overlay slapo-lastbind for this, see http://manpages.ubuntu.com/manpages/bionic/man5/slapo-lastbind.5.html. This would work per server.

Unfortunately the customer cannot simply activate this, because that would lead to two to three problems:

1. When activating this on the master, all replicating LDAP servers will stop working, because the replicated schema contains the new "authTimestamp" attribute, which has a usage flag of "dSAOperation", which OpenLDAP refuses to load. This needs to be filtered out of the schema in replication.py.
2. After that, the replicating LDAP servers will throw a fail.ldif because they don't know the replicated attribute. So replication.py probably also should filter out this attribute when replicating objects.
3. The overlay should get activated on each server.

For these reasons it would be good to adjust replication.py to filter out the attribute. It may also be helpful to make this "lastbind" feature configurable via a UCR variable per server.
Can't we create an LDAP ACL which disallows read access to the attribute for servers not having the overlay activated? (instead of adjusting replication.py)

access to attrs="authTimestamp" by filter="&((objectType=DC_computer)(!(univentionService=slapo_lastbind)))" none stop by * +0 break
Good additional layer of protection, thanks for proposing this. But see point 1: slapd hangs after schema replication if replication.py doesn't filter the attribute out of the schema. What I described in detail in the list is a standard procedure, as you can see by checking out e.g. the handling of memberof in replication.py. Also I think that each system is responsible for protecting itself.
FYI: If Samba/AD is installed, the customer may refer to the lastLogonTimeStamp attribute, see https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx. Sites like https://www.epochconverter.com/ldap may be helpful to convert Windows FILETIME to something readable.
Just FYI, the consulting point of view: Samba/AD "lastLogonTimeStamp" is usually the way to go for customers in PS projects. Unfortunately this only works in environments where all users authenticate primarily against Samba/AD. In environments without Samba/AD, the most used workaround is to implement password policies where users are forced to renew their password regularly. Users who didn't renew their expired password in a certain time interval are considered inactive. This is not very practical, and the overlay slapo-lastbind sounds like the "correct" approach to solve such requirements.
It may be a good idea to e.g. create a CLI tool then, that can be used to query the max of lastLogonTimeStamp and authTimestamp, if present.
Requested by another customer who is using the S4-based workaround at the moment. This customer is using Linux/LDAP-based clients, so it may happen that no lastLogonTimeStamp is available. PCI-DSS regulations may apply to this customer, with the requirement to disable accounts that haven't been used for some time.
7d1ae69d4f Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
d1023a2ddb Bug #49700: yaml
34ddd880e6 Bug #49700: debian changelog
e4868a7e52 Bug #49700: tests
bf9ccce3c7 Bug #49700: univention-lastbind script
a1d8eb4b47 Bug #49700: filter out authTimestamp from ldap schema
0933293824 Bug #49700: slapo-lastbind config

Successful build Package: univention-directory-replication Version: 12.0.0-4A~4.4.0.202002241532
Successful build Package: univention-ldap Version: 15.0.0-35A~4.4.0.202002241534
Successful build Package: ucs-test Version: 9.0.3-158A~4.4.0.202002241534

-----------

Added ldap/overlay/lastbind and ldap/overlay/lastbind/precision UCR variables. If ldap/overlay/lastbind is activated, then the timestamp of a successful LDAP bind is stored in the 'authTimestamp' attribute on the user (on that LDAP server; not replicated).

Added the script /usr/share/univention-ldap/univention_lastbind.py. The script can be executed for one or all users, and it will collect all 'authTimestamp' values from all reachable LDAP servers and store the youngest of them in the newly added 'lastbind' extended attribute on the user.
OK: schema extension
OK: UCRVs ldap/overlay/lastbind; ldap/overlay/lastbind/precision + templates
OK: authTimestamp gets written on every LDAP bind
OK: authTimestamp is not replicated
OK: /usr/share/univention-ldap/univention_lastbind.py {--user,--allusers} writing to UDM attribute lastbind, LDAP attribute univentionAuthTimestamp
~~: authTimestamp is written for every account that does a bind, e.g. cn=admin, computer objects, etc. The lastbind overlay has no option to limit the accounts by a filter. To avoid too many LDAP modifications, ldap/overlay/lastbind/precision should be defined; the overlay example configures an example of 1 week (604800).
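As an added illustration (not code from the bug or from univention_lastbind.py), the following models the two mechanisms discussed above: the precision window that stops the overlay from rewriting authTimestamp on every bind, and the merge of per-server authTimestamp values (which are not replicated) into one youngest 'lastbind' value that can then be compared against an inactivity threshold. Server names, timestamps and the threshold are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as slapo-lastbind writes it (UTC)


def parse_gt(value):
    """Parse a GeneralizedTime string such as 20200225010541Z into an aware datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def to_gt(dt):
    """Format an aware datetime back into GeneralizedTime (UTC)."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def should_update(existing, now, precision_seconds):
    """Precision semantics of slapo-lastbind: the stored authTimestamp is only
    rewritten when it is older than the precision window, which bounds the
    number of LDAP write operations caused by frequent binds (e.g. cn=admin
    or computer accounts)."""
    if existing is None:
        return True
    return (now - parse_gt(existing)) > timedelta(seconds=precision_seconds)


def youngest(per_server):
    """Merge the authTimestamp each server holds for one user.  Because the
    attribute is not replicated, every server only knows about its own binds;
    None stands for 'no value' or 'server not reachable'."""
    values = [parse_gt(v) for v in per_server.values() if v]
    return to_gt(max(values)) if values else None


def is_inactive(lastbind, now, max_idle_days):
    """An account with no lastbind at all, or one older than the threshold,
    is a candidate for deactivation (the PCI-DSS style requirement above)."""
    if lastbind is None:
        return True
    return (now - parse_gt(lastbind)) > timedelta(days=max_idle_days)


if __name__ == "__main__":
    # constructed sample data: one user seen on two of three servers
    seen = {"master": "20200201120000Z", "slave094": "20200225010541Z", "backup": None}
    merged = youngest(seen)
    now = datetime(2020, 3, 18, 12, 27, 40, tzinfo=timezone.utc)
    print(merged, is_inactive(merged, now, 90))
```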
I guess the test tests/10_ldap/110_univention_lastbind.py broke the Jenkins tests, e.g. slave:

*** BEGIN *** [u'/usr/bin/py.test', '110_univention_lastbind.py'] ***
*** 10_ldap/110_univention_lastbind.py ***
Test the management/univention-ldap/scripts/univention_lastbind.py script ***
*** START TIME: 2020-02-25 01:04:48 ***
============================= test session starts ==============================
platform linux2 -- Python 2.7.13, pytest-3.0.6, py-1.4.32, pluggy-0.4.0
rootdir: /usr/share/ucs-test/10_ldap, inifile:
collected 6 items
110_univention_lastbind.py ......
========================== 6 passed in 51.60 seconds ===========================
*** END TIME: 2020-02-25 01:05:41 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:52.993215 ***
*** END *** 0 ***

After that, LDAP replication seems to be broken:

25.02.20 01:05:54.441 LISTENER ( WARN ) : replication: Can't contact LDAP server: retrying
25.02.20 01:05:54.444 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="cn=slave094,cn=dc,cn=computers,dc=autotest094,dc=local": Error
25.02.20 01:05:54.444 LISTENER ( ERROR ) : additional info: entry update failed
25.02.20 01:05:54.445 LISTENER ( PROCESS ) : Exporting /etc/krb5.keytab on domaincontroller_slave
25.02.20 01:05:54.528 LISTENER ( ERROR ) : 'failed.ldif' exists. Check for /var/lib/univention-directory-replication/failed.ldif

I will disable the test!
(In reply to Felix Botner from comment #9)
> I will disable the test!

Done, restarted the test, let's see if this helps.
QA feedback

fbf0e1df5d Bug #49700: yaml
18ae51a511 Bug #49700: yaml
1daff19713 Bug #49700: debian changelog
6192d44d6c Bug #49700: install script only on master/backup in new binary package. gt/lt filtering for lastbind extended attribute

Successful build Package: univention-ldap Version: 15.0.0-36A~4.4.0.202002261432
Successful build Package: univention-server Version: 14.0.0-12A~4.4.0.202002261435
Documentation in jkeiser/4.4-3/lastbind:
http://jenkins.knut.univention.de:8080/view/Doku/job/BuildDocBookBranch/192/artifact/webroot/handbuch-4.4.html#users:lastbind-overlay-module
http://jenkins.knut.univention.de:8080/view/Doku/job/BuildDocBookBranch/192/artifact/webroot/manual-4.4.html#users:lastbind-overlay-module

SDB article (unlisted): https://help.univention.com/t/activating-the-lastbind-overlay-module/14404
7e586515c1 Bug #49700: yaml
4375d3b2c7 Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
a15502b2bd Bug #49700: debian changelog
dc7dff3762 Bug #49700: adjust 10_ldap/110_univention_lastbind.py
8a822c9e7a Bug #49700: adjust configuration of lastbind precision default
3cbf171905 Bug #49700: doc for ucs manual and sdb article

Successful build Package: univention-ldap Version: 15.0.0-37A~4.4.0.202002281212
Successful build Package: ucs-test Version: 9.0.3-161A~4.4.0.202002281215
d1448fb1e0 Bug #49700: yaml
234fb751cd Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
12750924d7 Bug #49700: debian changelog
fa15028c31 Bug #49700: increase default for ldap/overlay/lastbind/precision
6f01e7551b Bug #49700: lastbind docs
OK: univention-ldap -- UCR template for lastbind module, UCRVs ldap/overlay/lastbind and ldap/overlay/lastbind/precision in package univention-ldap-server
OK: NEW package univention-ldap-config-master (gets installed on DC Master + Backup) with script /usr/share/univention-ldap/univention_lastbind.py
univention_lastbind.py:
- collect authTimestamp from all users with --allusers, or only one with --user
- written to UDM attribute lastbind, LDAP attribute univentionAuthTimestamp
OK: ldapsearch for univentionAuthTimestamp with ">=" and "<=" comparison is possible
OK: docs, I added a small change in commit e585026d64
OK: SDB article https://help.univention.com/t/14404
OK: univention-ldap.yaml, univention-server.yaml
todo: tests
10_ldap.110_univention_lastbind failed in AD Member Mode setups, see https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/ADMemberMultiEnv/lastCompletedBuild/testReport/
and on the s4 backup in the errata tests: https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=backup/testReport/
I fixed the test in 232ba22a: Explicitly use port number with -h in ldapsearch
f7ef0efd5f Bug #49700: debian changelog
cdce8fa501 Bug #49700: 110_univention_lastbind.py cleanup + test tracebacks

Successful build Package: ucs-test Version: 9.0.3-169A~4.4.0.202003051705

----

Added warning about deactivating the lastbind overlay module to the SDB article https://help.univention.com/t/activating-the-lastbind-overlay-module/14404
OK: Tests
OK: SDB article
OK: yaml

Verified
Test still fails in AD member mode. I guess the reason is the fixed binddn and bindpwd in the test. Please use the value of tests/domainadmin/account as binddn and the filename in tests/domainadmin/pwdfile as bindpwdfile.
Let's see if my fix works: ce788281, ucs-test 9.0.3-177A~4.4.0.202003121752
I found no scenario where the test failed in the last test run. Setting the bug back to verified.
<http://errata.software-univention.de/ucs/4.4/496.html> <http://errata.software-univention.de/ucs/4.4/497.html> <http://errata.software-univention.de/ucs/4.4/498.html>