The request control, which has an OID of 1.3.6.1.4.1.30221.2.5.61 and no value, can be included in a bind request to indicate that the server should return the recent sign-on history in the bind response. This is provided in the response control, which has an OID of 1.3.6.1.4.1.30221.2.5.62 and a value containing only the string representation of a JSON object with the recent sign-on history.

The JSON object will have one or both of two top-level fields:

successful-attempts
This field is present if the server is configured to maintain a history of successful attempts, and its value is an array of JSON objects with information about those successful attempts.

In particular, each of those objects contains the following fields, as used in the ds-pwp-recent-login-history-json attribute:

  • timestamp
  • client-ip-address
  • authentication-method
  • additional-attempt-count

failed-attempts
This field is present if you configure the server to maintain a history of failed attempts, and its value is an array of JSON objects with information about these failed attempts.

In particular, each of those objects contains the following fields, as used in the ds-pwp-recent-login-history-json attribute:

  • timestamp
  • client-ip-address
  • authentication-method
  • failure-reason
  • additional-attempt-count

The response control is only returned if the server is configured to maintain a recent sign-on history. When provided, the elements of the arrays are arranged in chronological order from most-recent to least-recent.

The UnboundID LDAP SDK for Java provides support for these controls, including enhanced support for retrieving information from the response control value. Because the request control has no value and the response control value is a simple string, this information is also readily accessible to applications using other APIs.
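As an added example (not part of the original documentation or of the LDAP SDK), the following Python sketch shows how an application using another API could turn the response control value into data for a "recent sign-on activity" notice. The function names, the sample timestamps, addresses and failure-reason string are constructed, and treating additional-attempt-count as the number of further attempts folded into an entry is an assumption.

```python
import json
from collections import Counter

REQUEST_OID = "1.3.6.1.4.1.30221.2.5.61"   # sent with the bind, no value
RESPONSE_OID = "1.3.6.1.4.1.30221.2.5.62"  # value is a JSON object string

def attempts(entry):
    # Assumption: the count holds further attempts folded into this entry.
    return 1 + int(entry.get("additional-attempt-count", 0))

def summarize(control_oid, control_value):
    """Turn a response control value into data for a sign-on notice."""
    if control_oid != RESPONSE_OID:
        raise ValueError("not a recent sign-on history response control")
    history = json.loads(control_value)
    if not isinstance(history, dict):
        raise ValueError("control value is not a JSON object")
    # Either field may be absent, depending on what the server maintains.
    ok = history.get("successful-attempts", [])
    failed = history.get("failed-attempts", [])
    reasons = Counter()
    for e in failed:
        reasons[e.get("failure-reason", "unknown")] += attempts(e)
    unfamiliar = None  # cannot be judged without a success history
    if "successful-attempts" in history:
        known = {e.get("client-ip-address") for e in ok}
        unfamiliar = sorted({e["client-ip-address"] for e in failed
                             if "client-ip-address" in e} - known)
    return {
        # Arrays run most recent first, so index 0 is the latest entry.
        "latest_success": ok[0] if ok else None,
        "latest_failure": failed[0] if failed else None,
        "failed_total": sum(attempts(e) for e in failed),
        "failed_by_reason": dict(reasons),
        "unfamiliar_failure_ips": unfamiliar,
    }

def entry(ts, ip, count, reason=None):
    # Builds constructed sample entries; all values here are made up.
    e = {"timestamp": ts, "client-ip-address": ip,
         "authentication-method": "simple", "additional-attempt-count": count}
    return {**e, "failure-reason": reason} if reason else e

SAMPLE = json.dumps({
    "successful-attempts": [entry("2024-05-02T08:15:00.000Z", "192.0.2.10", 0),
                            entry("2024-05-01T09:00:00.000Z", "192.0.2.10", 3)],
    "failed-attempts": [
        entry("2024-05-02T03:00:00.000Z", "203.0.113.7", 11, "invalid-credentials"),
        entry("2024-04-30T10:00:00.000Z", "192.0.2.10", 0, "invalid-credentials")]})
```

Calling `summarize(RESPONSE_OID, SAMPLE)` reports 13 failed attempts in total and lists 203.0.113.7 as an address that appears in failures but in no recorded success.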