SLAPO-LASTBIND(5) File Formats Manual SLAPO-LASTBIND(5)
NAME
slapo-lastbind - lastbind overlay to slapd
SYNOPSIS
ETCDIR/slapd.conf
DESCRIPTION
The lastbind overlay to slapd(8) allows recording the timestamp of the
last successful bind to entries in the directory, in the authTimestamp
attribute. The overlay can be configured to update this timestamp only
if it is older than a given value, thus avoiding large numbers of write
operations penalizing performance. One sample use for this overlay
would be to detect unused accounts.
Now that OpenLDAP has native support for most of this functionality,
storing the value in pwdLastSuccess to better interact with the Behera
Password Policy draft 10. Unless you require lastbind_forward_updates,
you should consider using that instead.
CONFIGURATION
The config directives that are specific to the lastbind overlay must be
prefixed by lastbind-, to avoid potential conflicts with directives spe-
cific to the underlying database or to other stacked overlays.
overlay lastbind
This directive adds the lastbind overlay to the current database,
see slapd.conf(5) for details.
This slapd.conf configuration option is defined for the lastbind over-
lay. It must appear after the overlay directive:
lastbind-precision <seconds>
The value <seconds> is the number of seconds after which to up-
date the authTimestamp attribute in an entry. If the existing
value of authTimestamp is less than <seconds> old, it will not be
changed. If this configuration option is omitted, the authTime-
stamp attribute is updated on each successful bind operation.
lastbind_forward_updates
Specify that updates of the authTimestamp attribute on a consumer
should be forwarded to a provider instead of being written di-
rectly into the consumer's local database. This setting is only
useful on a replication consumer, and also requires the updateref
setting and chain overlay to be appropriately configured.
EXAMPLE
This example configures the lastbind overlay to store authTimestamp in
all entries in a database, with a 1 week precision. Add the following
to slapd.conf(5):
database <database>
# ...
overlay lastbind
lastbind-precision 604800
slapd must also load lastbind.la, if compiled as a run-time module;
FILES
ETCDIR/slapd.conf
default slapd configuration file
SEE ALSO
slapd.conf(5), slapd(8).
IETF LDAP password policy proposal by P. Behera, L. Poitou and J. Ser-
mersheim: documented in IETF document "draft-behera-ldap-password-pol-
icy-10.txt".
The slapo-lastbind(5) overlay supports dynamic configuration via back-
config.
ACKNOWLEDGEMENTS
This module was written in 2009 by Jonathan Clarke. It is loosely de-
rived from the password policy overlay.
OpenLDAP LDVERSION RELEASEDATE SLAPO-LASTBIND(5)
Generated by dwww version 1.16 on Tue Dec 16 07:38:09 CET 2025.