You can maintain this history by count or duration, and you can configure the history separately for successful and failed sign-on attempts. Each record in the sign-on history contains the following:

  • The time of the sign-on attempt
  • The client IP address
  • The authentication method
  • The reason for failure (for failed attempts)

You can collapse information about multiple similar attempts on the same date to avoid flooding the history for accounts that bind frequently. Records have an additional attempt count that tracks the number of attempts with the same client IP address, authentication method, and failure reason on the same date. You can configure the server to maintain each attempt separately, or to only update the history at most once per day.

Recent sign-on history is disabled by default. You can enable and configure the recent sign-on history in password policy. You can retrieve sign-on history with the get recent login history control, available in the LDAP SDK or with the ldapsearch and ldapmodify commands. The recent sign-on history is also available in the ds-pwp-state-json JSON attribute, the password policy state extended operation, and the manage-account command-line tool.

You can enable and configure the recent sign-on history with the following password policy configuration properties:

maximum-recent-login-history-successful-authentication-count
The maximum number of records that the server maintains about recent successful authentications.
maximum-recent-login-history-successful-authentication-duration
The maximum length of time for which the server maintains information about recent successful authentications.
maximum-recent-login-history-failed-authentication-count
The maximum number of records that the server maintains about recent failed authentication attempts.
maximum-recent-login-history-failed-authentication-duration
The maximum length of time for which the server maintains information about recent failed authentication attempts.
recent-login-history-similar-attempt-behavior
The behavior that the server exhibits for cases in which a user makes multiple authentication attempts on the same date in which all of the fields in the record other than the timestamp (client-ip-address, authentication-method, and potentially failure-reason) match.

Possible values for this property include the following:

collapse-similar-attempts-on-the-same-date
Indicates that the server only maintains one record for any given date with the same values for all non-timestamp fields, and it uses the additional-attempt-count field to keep track of the number of additional attempts that were collapsed into the same record. The timestamp field for that record reflects the most recent attempt on that date.

This is the default behavior.

maintain-every-attempt
Indicates that the server maintains a separate record for every attempt, regardless of how similar it is to a previous attempt, although duplicate attempts within the same millisecond might not be preserved.

For more information, see Replication considerations.

update-at-most-once-per-day
Indicates that the server only maintains one record for any given date with the same values for all non-timestamp fields. This can help reduce the number of writes needed to maintain a recent sign-on history, but the value of the timestamp field might not accurately reflect the timestamp of the most recent attempt.

None of these properties are defined by default. If at least one of these properties is defined, the server maintains a recent sign-on history within the specified constraints.

If both the maximum-recent-login-history-successful-authentication-count and maximum-recent-login-history-successful-authentication-duration properties are defined, the server uses the more-restrictive value that applies to a given user. This is also true for the maximum-recent-login-history-failed-authentication-count and maximum-recent-login-history-failed-authentication-duration properties. For example, if you configure the password policy to maintain a successful count of 10 and a successful duration of 30 days, then a user who successfully authenticates on more than 10 dates in a 30-day period would be capped at 10 records. A user who authenticates less frequently would only have records for however many attempts they made within those 30 days.

The server can collapse multiple authentication attempts from the same date into a single record if the other fields in the record (client-ip-address, authentication-method, and potentially failure-reason) match. This bounds the number of records when you maintain history by duration rather than by count. However, a new record is still created whenever any of those fields differs (for example, a different IP address or authentication method), so with only a duration-based cap there is technically no limit to the number of records that can be generated for a user on a single date. To mitigate this, also specify a maximum count to place an upper bound on the information the server maintains for a given user.

The password policy state for a given user is only updated when that user attempts to authenticate to the server. A user might have records in their entry for authentication attempts that occurred outside of the maximum duration if they have not made any authentication attempt within that duration.

If you configure the server to maintain recent sign-on history for successful authentication attempts, then it keeps a record of the most recent attempt even if the attempt occurs outside of the maximum duration.

Note:

If the recent-login-history-similar-attempt-behavior is set to update-at-most-once-per-day, the server retains a record from the same date as the most recent attempt, which might not be the most recent attempt itself.

If you configure the server to maintain a history of failed attempts, then it provides information about the most recent failed attempt even if it is older than the maximum duration.
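The retention rules above (the three similar-attempt behaviors, the count and duration caps with the more restrictive one winning, pruning only when the user binds, and the most recent record surviving past the duration) interact in ways that are easier to see in code. The following Python model is added here as an illustration; it is not the directory server's own code. The record field names follow the page, while the in-memory state layout, the `Policy`/`History` classes, and the assumption that update-at-most-once-per-day leaves an existing same-date record untouched are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

COLLAPSE = "collapse-similar-attempts-on-the-same-date"
EVERY = "maintain-every-attempt"
ONCE_PER_DAY = "update-at-most-once-per-day"

@dataclass
class Attempt:  # field names follow the recent-login-history record above
    timestamp: datetime
    client_ip_address: str
    authentication_method: str
    failure_reason: Optional[str] = None  # None marks a successful attempt
    additional_attempt_count: int = 0

    def similarity_key(self):
        # same calendar date and same values for every non-timestamp field
        return (self.timestamp.date(), self.client_ip_address,
                self.authentication_method, self.failure_reason)

@dataclass
class Limits:  # count/duration pair for one kind of attempt; None = not defined
    max_count: Optional[int] = None
    max_duration: Optional[timedelta] = None

@dataclass
class Policy:  # hypothetical in-memory stand-in for the password policy properties
    successful: Limits = field(default_factory=Limits)
    failed: Limits = field(default_factory=Limits)
    similar_attempt_behavior: str = COLLAPSE

@dataclass
class History:  # hypothetical stand-in for one user's stored history
    successful: list = field(default_factory=list)
    failed: list = field(default_factory=list)

def _add(records, attempt, behavior):
    """Insert one attempt according to the similar-attempt behavior."""
    if behavior != EVERY:
        for r in records:
            if r.similarity_key() == attempt.similarity_key():
                if behavior == COLLAPSE:
                    r.additional_attempt_count += 1
                    r.timestamp = attempt.timestamp  # most recent on that date
                # ONCE_PER_DAY: assumed to leave the stored record untouched,
                # which is why its timestamp can lag the true latest attempt
                return
    records.append(attempt)

def _prune(records, now, limits):
    """Apply duration and count caps; the more restrictive one wins. The most
    recent record survives even when it is older than the duration."""
    records.sort(key=lambda r: r.timestamp)
    if limits.max_duration is not None and records:
        cutoff = now - limits.max_duration
        kept = [r for r in records if r.timestamp >= cutoff]
        records[:] = kept or records[-1:]
    if limits.max_count is not None and len(records) > limits.max_count:
        del records[:len(records) - limits.max_count]

def record_attempt(history, attempt, policy):
    """Revise a user's history for one bind. State changes only on a bind,
    so both lists are pruned here and nowhere else."""
    failed = attempt.failure_reason is not None
    limits = policy.failed if failed else policy.successful
    if limits.max_count is not None or limits.max_duration is not None:
        _add(history.failed if failed else history.successful,
             attempt, policy.similar_attempt_behavior)
    _prune(history.successful, attempt.timestamp, policy.successful)
    _prune(history.failed, attempt.timestamp, policy.failed)
    return history

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed start time

def demo_caps():
    """Constructed scenario: successes capped at 10 records / 30 days, failures
    by duration only (7 days), default collapse behavior."""
    policy = Policy(successful=Limits(10, timedelta(days=30)),
                    failed=Limits(None, timedelta(days=7)))
    h = History()
    for day in range(12):  # 12 successful binds on 12 dates -> capped at 10
        record_attempt(h, Attempt(T0 + timedelta(days=day), "10.0.0.5", "simple"), policy)
    for m in range(3):  # 3 failures on one date from one IP -> 1 collapsed record
        record_attempt(h, Attempt(T0 + timedelta(days=12, minutes=m), "10.0.0.9",
                                  "simple", "invalid-credentials"), policy)
    before = (len(h.successful), len(h.failed), h.failed[0].additional_attempt_count)
    # a bind 60 days later: old successes expire, the newest failure still survives
    record_attempt(h, Attempt(T0 + timedelta(days=72), "10.0.0.5", "simple"), policy)
    return before, (len(h.successful), len(h.failed))

def demo_once_per_day():
    """Two binds on one date under update-at-most-once-per-day keep the first
    record's timestamp, so the history lags the true most recent attempt."""
    policy = Policy(successful=Limits(5, None), similar_attempt_behavior=ONCE_PER_DAY)
    h = History()
    record_attempt(h, Attempt(T0, "10.0.0.5", "simple"), policy)
    record_attempt(h, Attempt(T0 + timedelta(hours=3), "10.0.0.5", "simple"), policy)
    return len(h.successful), h.successful[0].timestamp == T0
```

`demo_caps()` shows both caveats from the text at once: the count cap trims the 12 successes to 10 even though all fall inside 30 days, and the single failure record outlives its 7-day duration because it is the most recent failed attempt. Pruning is driven by the bind timestamp rather than wall-clock time, mirroring the statement that state is only revised when the user authenticates.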

If you configure the password policy to maintain a recent sign-on history, the ds-pwp-state-json virtual attribute includes a recent-login-history field whose value is a JSON object with the same representation used in the get recent login history response control. It can also include the following additional fields that provide information about related configuration in the password policy:

  • maximum-recent-login-history-successful-authentication-count
  • maximum-recent-login-history-successful-authentication-duration-seconds
  • maximum-recent-login-history-failed-authentication-count
  • maximum-recent-login-history-failed-authentication-duration-seconds

The password policy state extended operation provides support for two additional operations:

  • An operation you can use to retrieve the recent sign-on history. The value returned by this operation is a JSON object in the same format as the get recent login history response control and the ds-pwp-state-json virtual attribute.
  • An operation you can use to clear the recent sign-on history for a user.
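Because collapsed records carry an additional-attempt-count, reading the ds-pwp-state-json value and counting records undercounts real activity. The following Python example, added here and not part of the server or the LDAP SDK, parses a constructed ds-pwp-state-json value and totals attempts per outcome and per client IP. The record field names and the maximum-recent-login-history-* fields are those the page lists; the "successful-attempts" and "failed-attempts" nesting inside recent-login-history, and the sample values, are this example's assumptions.

```python
import json
from collections import Counter

# Constructed sample of a ds-pwp-state-json value for one user (not real data).
SAMPLE_PWP_STATE_JSON = json.dumps({
    "maximum-recent-login-history-successful-authentication-count": 10,
    "maximum-recent-login-history-failed-authentication-duration-seconds": 604800,
    "recent-login-history": {  # nesting below is an assumption, see lead-in
        "successful-attempts": [
            {"timestamp": "2024-01-10T09:00:00.000Z", "client-ip-address": "10.0.0.5",
             "authentication-method": "simple", "additional-attempt-count": 4},
            {"timestamp": "2024-01-11T08:30:00.000Z", "client-ip-address": "10.0.0.5",
             "authentication-method": "simple", "additional-attempt-count": 0},
        ],
        "failed-attempts": [
            {"timestamp": "2024-01-10T23:10:00.000Z", "client-ip-address": "203.0.113.7",
             "authentication-method": "simple", "failure-reason": "invalid-credentials",
             "additional-attempt-count": 11},
            {"timestamp": "2024-01-11T08:29:00.000Z", "client-ip-address": "10.0.0.5",
             "authentication-method": "simple", "failure-reason": "invalid-credentials",
             "additional-attempt-count": 0},
        ],
    },
})

def _attempts(records):
    # A stored record stands for 1 + additional-attempt-count real attempts.
    return sum(1 + r.get("additional-attempt-count", 0) for r in records)

def summarize_login_history(pwp_state_json):
    """Return record counts, real attempt totals and per-IP failure totals."""
    state = json.loads(pwp_state_json)
    history = state.get("recent-login-history")
    if history is None:
        return {"enabled": False}  # the policy keeps no recent sign-on history
    ok = history.get("successful-attempts", [])
    bad = history.get("failed-attempts", [])
    failed_by_ip = Counter()
    for r in bad:
        failed_by_ip[r["client-ip-address"]] += 1 + r.get("additional-attempt-count", 0)
    return {
        "enabled": True,
        "successful-records": len(ok),
        "successful-attempts": _attempts(ok),
        "failed-records": len(bad),
        "failed-attempts": _attempts(bad),
        "failed-by-ip": dict(failed_by_ip),
        # addresses that only ever failed against this account
        "failed-only-ips": sorted({r["client-ip-address"] for r in bad}
                                  - {r["client-ip-address"] for r in ok}),
        "successful-record-cap":
            state.get("maximum-recent-login-history-successful-authentication-count"),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_login_history(SAMPLE_PWP_STATE_JSON), indent=2))
```

On the sample, two failed records represent thirteen real failures, twelve of them from one address that never authenticated successfully, which is the kind of distinction a reviewer of the history needs and which the raw record count hides.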