Recent sign on history
PingDirectory server can maintain a history of recent successful and failed sign on attempts.
If enabled, it maintains the following information about each recorded attempt:
- A Boolean value indicating whether the attempt was successful
- A timestamp, formatted in the ISO 8601 format described in RFC 3339, indicating when the attempt occurred
- The name of the authentication method that was attempted (for example, “simple” or “SASL PLAIN”)
- The IP address of the client that made the attempt, if available
- For failed attempts, a general reason that the authentication attempt failed
- An optional additional attempt count that can be used to indicate how many other attempts with the same properties (successful, authentication method, client IP address, and failure reason) occurred on the same date
Enabling recent login history
The following password policy configuration properties are used to manage recent login history tracking:
- maximum-recent-login-history-successful-authentication-count: The maximum number of successful attempts to maintain in the recent login history.
- maximum-recent-login-history-successful-authentication-duration: The maximum length of time to retain successful login attempts in the recent login history.
- maximum-recent-login-history-failed-authentication-count: The maximum number of failed attempts to maintain in the recent login history.
- maximum-recent-login-history-failed-authentication-duration: The maximum length of time to retain failed attempts in the recent login history.
- recent-login-history-similar-attempt-behavior: The behavior to exhibit for clients with multiple similar attempts (with the same values for the successful, authentication method, client IP address, and failure reason fields) on the same date (within the UTC time zone). Allowed values include:
  - collapse-similar-attempts-on-the-same-date — Indicates that multiple similar attempts should be collapsed into a single record. The timestamp of that record reflects the most recent attempt on that date, and the additional attempt count reflects the number of additional similar attempts that were collapsed. This is the default behavior.
  - maintain-every-attempt — Indicates that the server should not collapse multiple similar attempts and that each attempt is maintained as a separate record in the recent login history. Clients that authenticate multiple times per day can have multiple records per day.
  - update-at-most-once-per-day — Indicates that the server should not collapse multiple similar attempts and that only the first such attempt on any given day is recorded. This can reduce the number of writes required to maintain the recent login history.
If either the maximum-recent-login-history-successful-authentication-count or the maximum-recent-login-history-successful-authentication-duration property has a value, then the server maintains a history of recent successful attempts. If both properties are configured, then the server can purge information about successful attempts that match the criteria for either. This is useful, for example, if you usually want to keep records based on a duration, but want to add protection against the history growing too large from an excessive number of records created within that duration.
Similarly, the server maintains a record of recent failed authentication attempts if either or both of the maximum-recent-login-history-failed-authentication-count and maximum-recent-login-history-failed-authentication-duration properties are configured. It is possible to maintain a record of successful attempts without a record of failed attempts, to maintain a record of failed attempts without successful attempts, or to maintain a record of both successful and failed attempts. By default, no recent login history is maintained.
If the |
See the config/sample-dsconfig-batch-files/enable-recent-login-history.dsconfig batch file for more information about configuring a recent login history.
Retrieving a user’s recent login history
If the server is configured to maintain a recent login history for a user, then there are several ways that this history can be retrieved. They include:
- The client can include the get recent login history request control in the bind request. If the bind succeeds, then the server includes a corresponding response control in the bind result. The UnboundID LDAP SDK for Java provides support for these controls, and the ldapsearch and ldapmodify command-line tools both offer the --getRecentLoginHistory argument that can be used to retrieve the history from the command line.
- If the ds-pwp-state-json virtual attribute is enabled, then it might include a recent-login-history field whose value is a JSON object with information about recent successful and failed attempts for that user.
- The password policy state extended operation (or the manage-account command-line tool) can be used to retrieve the user’s recent login history.
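As an added example (not PingDirectory's own code or documentation), the following script shows how a defender could triage the recent-login-history JSON object retrieved through one of the methods above. The field names used in the constructed sample (successful-attempts, failed-attempts, client-ip-address, failure-reason, additional-attempt-count) are assumptions about the object's layout; the important point it demonstrates is that with the default collapse-similar-attempts-on-the-same-date behavior, a single record may stand for many attempts, so the additional attempt count must be added back before counting.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample of a recent-login-history object; field names are assumed.
SAMPLE = json.dumps({
    "successful-attempts": [
        {"successful": True, "timestamp": "2024-03-12T08:15:02.000Z",
         "authentication-method": "simple", "client-ip-address": "10.1.2.3",
         "additional-attempt-count": 4},
        {"successful": True, "timestamp": "2024-03-12T09:40:11.000Z",
         "authentication-method": "simple", "client-ip-address": "198.51.100.7"},
    ],
    "failed-attempts": [
        {"successful": False, "timestamp": "2024-03-12T09:39:58.000Z",
         "authentication-method": "simple", "client-ip-address": "198.51.100.7",
         "failure-reason": "invalid-credentials", "additional-attempt-count": 11},
        {"successful": False, "timestamp": "2024-03-11T22:01:30.000Z",
         "authentication-method": "SASL PLAIN", "client-ip-address": "10.1.2.3",
         "failure-reason": "invalid-credentials"},
    ],
})

def parse_history(raw):
    """Flatten both arrays into attempt dicts. A collapsed record represents
    1 + additional-attempt-count attempts, so that count is restored here."""
    data = json.loads(raw)
    attempts = data.get("successful-attempts", []) + data.get("failed-attempts", [])
    for a in attempts:
        a["count"] = 1 + int(a.get("additional-attempt-count", 0))
        # RFC 3339 timestamps end in "Z"; fromisoformat wants an explicit offset.
        a["when"] = datetime.fromisoformat(a["timestamp"].replace("Z", "+00:00"))
    return attempts

def failures_by_ip(attempts):
    """Total failed attempts per client IP, including collapsed ones."""
    counts = Counter()
    for a in attempts:
        if not a["successful"]:
            counts[a.get("client-ip-address", "unknown")] += a["count"]
    return counts

def suspicious_successes(attempts, threshold=5):
    """IPs whose successful bind followed at least `threshold` failures from the
    same IP earlier on the same UTC date: worth a closer look by the operator."""
    flagged = []
    for s in (a for a in attempts if a["successful"]):
        ip = s.get("client-ip-address")
        prior = sum(f["count"] for f in attempts if not f["successful"]
                    and f.get("client-ip-address") == ip
                    and f["when"].date() == s["when"].date() and f["when"] < s["when"])
        if prior >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged
```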