Page created: 22 Oct 2020 |
Page updated: 7 Jul 2021
Historically, the server has offered support for maintaining a record of the most recent successful attempt.
This is not as full-featured as the recent login history, but it might still be in use in legacy environments or when the full functionality of the login history is not needed.
The password policy configuration offers the following properties for maintaining a last login time and IP address:
- The name of the attribute in which the last login time should be written. The
server has reserved the
ds-pwp-last-login-timeoperational attribute type for this purpose, and this value should not be changed.
- The format in which the server should record the last login time. If both this property and
last-login-time-attributeproperty are assigned values, then the server generates a last login time value after each successful authentication attempt and updates the user’s entry if the generated value does not match the value that is currently stored in the entry. Values for this property can use any valid format string that is compatible with the java.text.SimpleDateFormat class, but we recommend using one of the following values:
yyyyMMdd— Indicates that the server should maintain a last login time containing only the date. This should cause each user’s last login time to be updated at most once per day.
yyyyMMddHHmmss'Z'— Indicates that the server should maintain the last login time in generalized time format using precision to the nearest second. This should cause the last login time to be updated for each successful authentication, unless the user authenticates multiple times in the same second.
yyyyMMddHHmmss.SSS'Z'— Indicates that the server should maintain the last login time in generalized time format using precision to the nearest millisecond. This should cause the last login time to be updated for each successful authentication, unless the user authenticates multiple times in the same millisecond
- An optional set of alternative formats in which last login time values might
have previously been written. If you have changed the value of the
last-login-time-formatproperty, then you should update this property with any former values so that the server can decode values generated in one of those earlier formats.
- The name of the attribute that should be updated with the IP address of the client from
which the user last authenticated. The server has reserved the
ds-pwp-last-login-ip-addressoperational attribute type for this purpose, but the value is not set by default because doing so would enable this feature and update the user’s entry with the client IP address for each successful authentication attempt (unless the client IP address matches the current value for that attribute, in which case no update is needed).
See the config/sample-dsconfig-batch-files/enable-last-login-tracking-and-idle-lockout.dsconfig batch file for more information about enabling last login time and IP address tracking.