IBM Security Verify


Account last login and disabling inactive accounts with basic user mode

  • 1.  Account last login and disabling inactive accounts with basic user mode

    Posted Fri June 17, 2022 08:35 AM
    Edited by Matt Jenkins Fri June 17, 2022 08:37 AM
    When basic user mode is enabled (on-prem ISVA v10.0.3.1+), how do the last login and password change dates get stored, or do they, for basic users?

    Relevant information on subject:
    • https://www.ibm.com/docs/en/sva/9.0.2?topic=stanza-enable-last-login
    • https://philipnye.com/2016/05/24/commonly-overlooked-isam-settings-for-production-deployments/
    • https://www.iamteam.com/post/2014/01/15/enabling-last-login-and-last-password-change-for-tivoli-access-manager-users#:~:text=Login%20to%20WebSeal%20Server%20as,Save%20the%20file

    Also, on a somewhat related side note, as far as disabling accounts where the last login is past a certain number of days, I assume using an EAI/InfoMap or AAC MFA is still the best way to do this? Or have a side process to query all the users nightly and mark them as account-valid false?

    Thanks all!

    Edit:  I may have answered my own question with regards to how this is stored on basic user mode (it seems it is not), but wondering how then this is achievable with basic users?  I assume we'd have to do this using an InfoMap that could make an LDAPmodify call?

    Phil mentions on his site
    "(Note: this only applies to ISAM users – not basic/lite users, since these are attributes that are stored in the secAuthority suffix.)"


    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: Account last login and disabling inactive accounts with basic user mode

    Posted Sat June 18, 2022 10:19 PM
    Correct - this is not managed by ISAM for basic users. The attributes required for ISAM to manage those capabilities are stored in the secUser schema, which only applies to "full" users. Basically, you have to manage those extended account management capabilities on your own with basic users - which is typically a part of the account lifecycle management of the directory in which they live.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
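The "side process that queries users nightly" mentioned in the question, worked through as an added example; this is not code from the thread, from IBM, or from ISVA itself. Because ISVA does not record last login for basic users, the example assumes the login flow (for instance an InfoMap doing an LDAP modify) already writes a custom `lastLoginTime` attribute in GeneralizedTime format, and it assumes that "disabling" means setting `ibm-pwdAccountLocked: TRUE`, the administrative lock attribute of IBM Security Directory Server; both attribute names, the 90-day threshold and the sample entries are assumptions or constructed data. The script only decides and emits LDIF for `ldapmodify`, so it can be dry-run offline before it touches a directory.

```python
"""
Nightly inactivity sweep for basic (directory-native) ISVA users.

Assumed conventions (none of these come from the thread or from ISVA):
  - LAST_LOGIN_ATTR is written by the login flow itself, as GeneralizedTime
    (e.g. 20220615083000Z); users that never logged in only carry the
    operational createTimestamp, which is used as a fallback so that
    accounts created long ago but never used are swept too.
  - LOCK_ATTR / LOCK_VALUE is the directory-specific "disabled" marker;
    ibm-pwdAccountLocked is the IBM Security Directory Server admin lock.
    Active Directory would instead need the ACCOUNTDISABLE bit of
    userAccountControl, which this script deliberately does not know about.
"""
import sys
from datetime import datetime, timedelta, timezone

LAST_LOGIN_ATTR = "lastLoginTime"        # assumed custom attribute
LOCK_ATTR = "ibm-pwdAccountLocked"       # assumed ISDS admin-lock attribute
LOCK_VALUE = "TRUE"
MAX_IDLE_DAYS = 90                       # assumed policy threshold

# Constructed sample directory export; a real run reads `ldapsearch` output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
createTimestamp: 20220101090000Z
lastLoginTime: 20220615083000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
createTimestamp: 20220101090000Z
lastLoginTime: 20220201120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
createTimestamp: 20220101090000Z
lastLoginTime: 20220201120000Z
ibm-pwdAccountLocked: TRUE

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
createTimestamp: 20220301090000Z

dn: uid=erin,ou=people,dc=example,dc=com
uid: erin
createTimestamp: 20220610090000Z
"""
SAMPLE_NOW = datetime(2022, 6, 18, tzinfo=timezone.utc)   # fixed clock for the sample


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSS[.fff]Z)."""
    v = value.strip()
    if not v.endswith("Z"):
        raise ValueError(f"only UTC GeneralizedTime is supported: {value!r}")
    v = v[:-1].split(".")[0]              # drop the 'Z' and any fractional seconds
    return datetime.strptime(v, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_ldif(text: str):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines.
    Attribute names are lower-cased because LDAP treats them case-insensitively.
    Line folding and base64 ('::') values are not handled; use python-ldap's
    ldif module for real ldapsearch output."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines():
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn:
        entries.append((dn, attrs))
    return entries


def select_stale(entries, now: datetime, max_days: int):
    """Return (dns_to_lock, skipped) where skipped carries an audit reason."""
    cutoff = now - timedelta(days=max_days)
    to_lock, skipped = [], []
    for dn, attrs in entries:
        if attrs.get(LOCK_ATTR.lower(), [""])[0].upper() == LOCK_VALUE:
            skipped.append((dn, "already locked"))
            continue
        raw = attrs.get(LAST_LOGIN_ATTR.lower()) or attrs.get("createtimestamp")
        if not raw:
            skipped.append((dn, "no last-login or creation timestamp"))
            continue
        try:
            stamp = parse_generalized_time(raw[0])
        except ValueError as exc:
            skipped.append((dn, f"unparseable timestamp: {exc}"))
            continue
        if stamp < cutoff:
            to_lock.append(dn)
    return to_lock, skipped


def to_ldif(dns) -> str:
    """Build the modify records ldapmodify needs to lock each DN."""
    records = [f"dn: {dn}\nchangetype: modify\nreplace: {LOCK_ATTR}\n"
               f"{LOCK_ATTR}: {LOCK_VALUE}\n-\n" for dn in dns]
    return "\n".join(records)


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else SAMPLE_NOW
    locks, skips = select_stale(parse_ldif(source), now, MAX_IDLE_DAYS)
    for dn, why in skips:
        print(f"skip {dn}: {why}", file=sys.stderr)
    sys.stdout.write(to_ldif(locks))
```

Run against a real directory as a pipeline, e.g. `ldapsearch ... '(objectClass=inetOrgPerson)' createTimestamp lastLoginTime ibm-pwdAccountLocked | python3 sweep.py > locks.ldif`, review `locks.ldif`, then apply it with `ldapmodify -c -f locks.ldif` under an identity that is allowed to write the lock attribute and nothing more. Emitting LDIF instead of modifying in place keeps a reviewable record of every account the job touched, which is what you will want when a user asks why they were locked out.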