From b527294153be3b79563c82c66102adc0004736c0 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 19:54:12 +0200 Subject: Adding upstream version 2.6.7+dfsg. Signed-off-by: Daniel Baumann --- contrib/slapd-modules/lastbind/slapo-lastbind.5 | 118 ++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 contrib/slapd-modules/lastbind/slapo-lastbind.5 (limited to 'contrib/slapd-modules/lastbind/slapo-lastbind.5') diff --git a/contrib/slapd-modules/lastbind/slapo-lastbind.5 b/contrib/slapd-modules/lastbind/slapo-lastbind.5 new file mode 100644 index 0000000..82d666d --- /dev/null +++ b/contrib/slapd-modules/lastbind/slapo-lastbind.5 @@ -0,0 +1,118 @@ +.TH SLAPO-LASTBIND 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2009 Jonathan Clarke, All Rights Reserved. +.\" $OpenLDAP$ +.SH NAME +slapo-lastbind \- lastbind overlay to slapd +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B lastbind +overlay to +.BR slapd (8) +allows recording the timestamp of the last successful bind to entries +in the directory, in the +.B authTimestamp +attribute. +The overlay can be configured to update this timestamp only if it is +older than a given value, thus avoiding large numbers of write +operations penalizing performance. +One sample use for this overlay would be to detect unused accounts. + +Now that OpenLDAP has native support for most of this functionality, +storing the value in pwdLastSuccess to better interact with the Behera +Password Policy draft 10. Unless you require lastbind_forward_updates, +you should consider using that instead. + +.SH CONFIGURATION +The config directives that are specific to the +.B lastbind +overlay must be prefixed by +.BR lastbind\- , +to avoid potential conflicts with directives specific to the underlying +database or to other stacked overlays. + +.TP +.B overlay lastbind +This directive adds the +.B lastbind +overlay to the current database, see +.BR slapd.conf (5) +for details. + +.LP +This +.B slapd.conf +configuration option is defined for the lastbind overlay. It must +appear after the +.B overlay +directive: +.TP +.B lastbind-precision +The value +.B +is the number of seconds after which to update the +.B authTimestamp +attribute in an entry. If the existing value of +.B authTimestamp +is less than +.B +old, it will not be changed. +If this configuration option is omitted, the +.B authTimestamp +attribute is updated on each successful bind operation. +.TP +.B lastbind_forward_updates +Specify that updates of the authTimestamp attribute +on a consumer should be forwarded +to a provider instead of being written directly into the consumer's local +database. This setting is only useful on a replication consumer, and +also requires the +.B updateref +setting and +.B chain +overlay to be appropriately configured. + +.SH EXAMPLE +This example configures the +.B lastbind +overlay to store +.B authTimestamp +in all entries in a database, with a 1 week precision. +Add the following to +.BR slapd.conf (5): + +.LP +.nf + database + # ... + + overlay lastbind + lastbind-precision 604800 +.fi +.LP +.B slapd +must also load +.B lastbind.la, +if compiled as a run-time module; + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd (8). +.LP +IETF LDAP password policy proposal by P. Behera, L. Poitou and J. +Sermersheim: documented in IETF document +"draft-behera-ldap-password-policy-10.txt". + +The +.BR slapo-lastbind (5) +overlay supports dynamic configuration via +.BR back-config. +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2009 by Jonathan Clarke. It is loosely +derived from the password policy overlay. -- cgit v1.2.3