You can configure the server to maintain a recent sign-on history for both successful and failed sign-on attempts.
You can maintain this history by count or duration, and you can configure the history separately for successful and failed sign-on attempts. Each record in the sign-on history contains the following:
- The time of the sign-on attempt
- The client IP address
- The authentication method
- The reason for failure for failed attempts
You can collapse information about multiple similar attempts on the same date to avoid flooding the history for accounts that bind frequently. Records have an additional attempt count that tracks the number of attempts with the same client IP address, authentication method, and failure reason on the same date. You can configure the server to maintain each attempt separately, or to update the history at most once per day.
Recent sign-on history is disabled by default. You can enable and configure the recent sign-on history in the password policy. You can retrieve sign-on history with the get recent login history control, available in the LDAP SDK or with the ldapsearch and ldapmodify commands. The recent sign-on history is also available in the ds-pwp-state-json JSON attribute, the password policy state extended operation, and the manage-account command-line tool.
You can enable and configure the recent sign-on history with the following password policy configuration properties:
- maximum-recent-login-history-successful-authentication-count
- The maximum number of records that the server maintains about recent successful authentications.
- maximum-recent-login-history-successful-authentication-duration
- The maximum length of time for which the server maintains information about recent successful authentications.
- maximum-recent-login-history-failed-authentication-count
- The maximum number of records that the server maintains about recent failed authentication attempts.
- maximum-recent-login-history-failed-authentication-duration
- The maximum length of time for which the server maintains information about recent failed authentication attempts.
- recent-login-history-similar-attempt-behavior
- The behavior that the server exhibits for cases in which a user makes multiple authentication attempts on the same date in which all of the fields in the record other than the timestamp (client-ip-address, authentication-method, and potentially failure-reason) match. Possible values for this property include the following:
None of these properties are defined by default. If at least one of these properties is defined, the server maintains a recent sign-on history within the specified constraints.
If both the maximum-recent-login-history-successful-authentication-count and maximum-recent-login-history-successful-authentication-duration properties are defined, the server uses the more-restrictive value that applies to a given user. This is also true for the maximum-recent-login-history-failed-authentication-count and maximum-recent-login-history-failed-authentication-duration properties. For example, if you configure the password policy to maintain a successful count of 10 and a successful duration of 30 days, then a user who successfully authenticates on more than 10 dates in a 30-day period would be capped at 10 records. A user who authenticates less frequently would only have records for however many attempts they made within those 30 days.
The server can collapse multiple authentication attempts from the same date into a single record if other fields in the record (client-ip-address, authentication-method, and potentially failure-reason) match. This caps the number of records that are maintained if you want to maintain records by duration rather than count. Because multiple records can be generated for the same user on the same date, if something is different (such as a different IP address or authentication method), there is technically no limit to the number of records that can be generated when using only a duration-based cap. To mitigate this, you can specify a maximum count to place an upper bound on what information the server maintains for a given user.
The password policy state for a given user is only updated when that user attempts to authenticate to the server. A user might have records in their entry for authentication attempts that occurred outside of the maximum duration if they have not made any authentication attempt within that duration.
If you configure the server to maintain recent sign-on history for successful authentication attempts, then it keeps a record of the most recent attempt even if the attempt occurs outside of the maximum duration.
If the recent-login-history-similar-attempt-behavior is set to update-at-most-once-per-day, it keeps an attempt from the same date as the most recent attempt.
If you configure the server to maintain a history of failed attempts, then it provides information about the most recent failed attempt even if it is older than the maximum duration.
If you configure the password policy to maintain a recent sign-on history, the ds-pwp-state-json virtual attribute includes a recent-login-history field whose value is a JSON object with the same representation used in the get recent login history response control. It can also include the following additional fields that provide information about related configuration in the password policy:
- maximum-recent-login-history-successful-authentication-count
- maximum-recent-login-history-successful-authentication-duration-seconds
- maximum-recent-login-history-failed-authentication-count
- maximum-recent-login-history-failed-authentication-duration-seconds
The password policy state extended operation provides support for two additional operations:
- An operation that you can use to retrieve the recent sign-on history. The value returned in this operation is a JSON object in the same format as used in the get recent login history response control and the ds-pwp-state-json virtual attribute.
- An operation that you can use to clear the recent sign-on history for a user.