Hello Jon,
We are currently running IBM Security Directory Suite 8.0.1.8, and the last successful authentication time stamp works great on my development machine. However, it took some trial and error to get it working, as I bumped into the server just wanting to start up in configuration mode; apparently, this feature is not enabled on the SDS suite limited edition license either.
GLPSRV237E You do not have the entitlement to use '1.3.18.0.2.32.106' feature.
So I added a standard edition license to my local dev environment and it worked perfectly. Just wondering: this is a basic feature, and it's kind of odd why it's not implemented in the limited edition as well.
I would like to argue that since the ISAM AAC doesn't add timestamps to accounts by default, and the SDS limited edition doesn't have this feature by default, we are lacking some important integrity information for our accounts. I do find this logic a bit strange, since we would like to use the AAC, but if this attribute cannot be updated without some "workarounds" we will have to roll back to only using pkmslogin.
What are your thoughts on this? Do you think it's likely that an RFE will fix this, or will the SDS team want us to upgrade our license in order to use this feature with the AAC?
Best regards
Magnus
------------------------------
Magnus
------------------------------
Original Message:
Sent: 03-05-2019 05:16 AM
From: Jon Harry
Subject: AAC - Infomap and secpwdlastused
I'm a bit worried about the idea of invoking pdadmin for this. It seems like that makes the Policy Server part of runtime flow which is not usually a good idea. It may have performance and availability implications.
A quick search shows that there is a plugin for IBM Directory Server 6.4 which allows it to maintain its own "last login" attributes. However, I'm not sure if this is available with the IBM Directory Server bundled with ISAM (it mentions premium). Anyway, here is the link:
https://www.ibm.com/support/knowledgecenter/en/SSVJJU_6.4.0/com.ibm.IBMDS.doc_6.4/ds_ag_last_successful_authentication_timestamp_plugin.html
It might be possible to achieve the same thing by POSTing username/password to WebSEAL /pkmslogin.form - I think this would also cause the timestamps to be updated. There's a performance implication here too though - the WebSEAL would create a session in response to this which would use additional memory. Maybe you could have a dummy WebSEAL instance just for this.
It seems like there should be an RFE here - it seems like an oversight that the built-in AAC username/password mechanism doesn't update this built-in field.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: 03-04-2019 10:29 AM
From: Magnus Bengtsson
Subject: AAC - Infomap and secpwdlastused
Hello,
We are looking into some issues with the secPwdLastUsed attribute in our external Security Directory Suite that is the external registry we use for ISAM principals. We have enabled enable-last-logon in both the ivmgrd and web reverse proxy configuration files.
Our business case is that the business would like to find dormant users, and since we don't have this attribute working with the AAC it's difficult to give them accurate information.
The issue is that it is not updated when we are using an infomap authentication mechanism, but it works with the web reverse proxy pkmslogin authentication. Have any others of you in the forum had similar issues with this?
Thanks in advance.
------------------------------
Best regards
Magnus
------------------------------
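Since the business case in this thread is finding dormant users from secPwdLastUsed, here is an added example (not code from the thread or from IBM) that classifies accounts from an LDIF export. The sample entries are constructed, and the code assumes secPwdLastUsed is stored as an LDAP GeneralizedTime string; accounts that lack the attribute, as happens for users who only ever logged in through the AAC infomap flow, are reported separately rather than silently counted as active.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample LDIF (not real data); secPwdLastUsed assumed to be LDAP GeneralizedTime.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
secPwdLastUsed: 20190301080000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
secPwdLastUsed: 20180101120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {attribute: value} dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime like 20190301080000Z to a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def classify_accounts(ldif_text, now, max_idle_days=90):
    """Return (dormant, unknown): dormant = last password use older than the threshold;
    unknown = attribute absent, so last use cannot be established from this attribute."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant, unknown = [], []
    for entry in parse_ldif(ldif_text):
        last_used = entry.get("secPwdLastUsed")
        if last_used is None:
            unknown.append(entry["uid"])
        elif parse_generalized_time(last_used) < cutoff:
            dormant.append(entry["uid"])
    return dormant, unknown

def example_report():
    # Classify the constructed sample as of 2019-03-05 UTC with the default 90-day threshold.
    return classify_accounts(SAMPLE_LDIF, datetime(2019, 3, 5, tzinfo=timezone.utc))
```

The "unknown" list is the one to watch in a deployment like the one described above: if AAC logins never touch secPwdLastUsed, those users will look identical to accounts that have never been used.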