A pair of request and response controls can be used to obtain the recent login history. The request control, which has an OID of 1.3.6.1.4.1.30221.2.5.61 and no value, may be included in a bind request to indicate that the server should return the recent login history in the bind response. This is provided in the response control, which has an OID of 1.3.6.1.4.1.30221.2.5.62 and a value containing only the string representation of a JSON object with the recent login history. That object will have either or both of two top-level fields:
  • successful-attempts - This field is present if the server is configured to maintain a history of successful attempts. Its value is an array of JSON objects with information about those successful attempts. In particular, each of those objects contains the timestamp, client-ip-address, authentication-method, and additional-attempt-count fields as used in the ds-pwp-recent-login-history-json attribute.
  • failed-attempts - This field is present if the server is configured to maintain a history of failed attempts. Its value is an array of JSON objects with information about these failed attempts. In particular, each of those objects contains the timestamp, client-ip-address, authentication-method, failure-reason, and additional-attempt-count fields as used in the ds-pwp-recent-login-history-json attribute.

The response control is only returned if the server is configured to maintain a recent login history. When provided, the elements of the arrays are arranged in chronological order from most-recent to least-recent.

The UnboundID LDAP SDK for Java provides support for these controls, including enhanced support for retrieving information from the response control value. However, the request control has no value and the response control value is a simple string, so this information should be readily accessible to applications using other APIs.
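
As an added example (not code from the LDAP SDK or the server), the following Python sketch shows how a client using another API could decode the response control value and count failed attempts newer than a chosen cutoff, relying on the most-recent-first ordering. The function names, the ISO 8601 timestamp format, the reading of additional-attempt-count as attempts folded into an entry, and all sample values are assumptions made for illustration.

```python
import json
from collections import Counter
from datetime import datetime

RESPONSE_OID = "1.3.6.1.4.1.30221.2.5.62"  # response control OID from the text above

def parse_history(control_oid, control_value):
    """Decode the response control value: a JSON object carried as a plain string."""
    if control_oid != RESPONSE_OID:
        raise ValueError("not a recent login history response control")
    if isinstance(control_value, bytes):
        control_value = control_value.decode("utf-8")
    obj = json.loads(control_value)
    if not isinstance(obj, dict):
        raise ValueError("control value is not a JSON object")
    # Either field may be absent, depending on what the server is configured to keep.
    return {k: obj.get(k, []) for k in ("successful-attempts", "failed-attempts")}

def when(attempt):
    # Assumption: timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.fromisoformat(attempt["timestamp"].replace("Z", "+00:00"))

def failures_since(history, since):
    """Count failed attempts newer than `since`, keyed by (client IP, failure reason)."""
    counts = Counter()
    for a in history["failed-attempts"]:
        if when(a) <= since:
            break  # arrays are most-recent first, so the rest are older
        # Assumption: additional-attempt-count = similar attempts folded into this entry.
        counts[(a["client-ip-address"], a["failure-reason"])] += 1 + int(a.get("additional-attempt-count", 0))
    return counts

def attempt(ts, ip, count, reason=None):
    # Builds constructed sample entries; "simple" and the reason string are placeholders.
    e = {"timestamp": ts, "client-ip-address": ip, "authentication-method": "simple",
         "additional-attempt-count": count}
    if reason:
        e["failure-reason"] = reason
    return e

# Constructed sample value, not captured from a real server.
SAMPLE = json.dumps({
    "successful-attempts": [attempt("2024-05-02T09:00:00.000Z", "192.0.2.10", 0),
                            attempt("2024-05-01T09:00:00.000Z", "192.0.2.10", 0)],
    "failed-attempts": [attempt("2024-05-02T08:59:00.000Z", "198.51.100.7", 4, "invalid-credentials"),
                        attempt("2024-05-01T20:00:00.000Z", "198.51.100.7", 1, "invalid-credentials"),
                        attempt("2024-04-30T10:00:00.000Z", "192.0.2.10", 0, "invalid-credentials")],
})

if __name__ == "__main__":
    history = parse_history(RESPONSE_OID, SAMPLE)
    cutoff = when(history["successful-attempts"][1])  # older of the two sample successes
    for (ip, reason), n in failures_since(history, cutoff).items():
        print(f"{n} failed attempt(s) from {ip} ({reason}) since {cutoff.isoformat()}")
```

A client could surface such a summary to the user right after a successful bind, or forward it to monitoring, without needing any control-specific decoding beyond reading the value as a string.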