Thursday, June 18, 2009

How to track Last Successful Login Time

There is a new requirement from my Thai customer today. They asked whether Sun Directory Server is able to capture the last authentication time of each user. Banks are usually very sensitive regarding this matter.

Luckily, with Sun Directory Server 6 onwards, the feature is there with this new attribute pwdKeepLastAuthTime.

However, do note the following:

  • pwdKeepLastAuthTime feature is not enabled by default
  • Directory Server, by default, is in DS5-compatible-mode
  • Directory Server has to be DS6-mode compatible in order to enable pwdKeepLastAuthTime
  • The server state can move only towards stricter compliance with the new password policy specifications. In other words, there is no way to roll back once you make the change.

Special Note:

Using this feature can affect performance. When you configure Directory Server to save pwdLastAuthTime timestamps, the server must perform an internal modify operation for each successful bind.


Unless it is really a necessity, I do not recommend enabling this feature.
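
If the feature is enabled, the timestamp the server saves on each entry (pwdLastAuthTime) can feed a dormant-account review. The script below is an added example, not part of the original post: it reads LDIF search output and lists accounts with no recent successful bind. It assumes unfolded, non-base64 LDIF and UTC GeneralizedTime values; the DNs, dates and the 90-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: LDIF from a search that requested pwdLastAuthTime.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdLastAuthTime: 20090617031500Z

dn: uid=bob,ou=People,dc=example,dc=com
pwdLastAuthTime: 20090101120000Z

dn: uid=carol,ou=People,dc=example,dc=com
"""

def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form YYYYMMDDHHMMSS[.fraction]Z."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime: %r" % value)
    base = value[:-1].split(".")[0]  # drop the optional fraction
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def last_auth_times(ldif):
    """Map each DN to its last successful bind time, or None if absent."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            result[dn] = None
        elif dn and line.lower().startswith("pwdlastauthtime: "):
            result[dn] = parse_generalized_time(line.split(": ", 1)[1].strip())
        elif not line.strip():
            dn = None  # a blank line ends the current entry
    return result

def dormant_accounts(ldif, now, max_idle_days=90):
    """Entries idle longer than max_idle_days, or with no recorded bind
    (no timestamp may simply mean no bind since tracking was enabled)."""
    cutoff = now - timedelta(days=max_idle_days)
    hits = [(dn, ts) for dn, ts in last_auth_times(ldif).items()
            if ts is None or ts < cutoff]
    return sorted(hits, key=lambda item: item[0])

if __name__ == "__main__":
    today = datetime(2009, 6, 18, tzinfo=timezone.utc)
    for dn, ts in dormant_accounts(SAMPLE_LDIF, today):
        print(dn, ts.isoformat() if ts else "no recorded bind")
```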

