On Thu, 2018-08-16 at 11:11 -0400, Harvey, Robert wrote:
>
> Is it possible to turn on recording of users' Last Login times in
> selected OUs without turning on alwaysRecordLogin in
> cn=config,cn=Account Policy Plugin,cn=plugins,cn=config?

I think there is a way to provide a password policy to only a single OU, but I can not remember if this includes the alwaysRecordLogin or not. I suspect that it does not because acct policy is a plugin and pwpolicy is core server ....

> I'm using ds389 to service SSSD CentOS and RHEL (6 and 7) clients and
> some Solaris 10 and 11 clients.
>
> Currently with about 80 client systems. With 10 masters and with
> alwaysRecordLogin set to ON, with 2 replication agreements outbound
> from each of the ds389 servers, the replication could barely keep up
> and sometimes has to wait for 10 minutes or more to be able to access a
> replication destination.
>
> There were far too many updates for the replication to handle just
> from these few client systems' last login times. Each ds389 server is
> a bare-metal install on an X4-2 server running CentOS 7.
>
> I need to track the users' (humans) last login times. I do not need
> (and I don't see that it is possible) to track the last login times
> of all the machine accounts. I had turned off alwaysRecordLogin.

It's tricky to know if this is a bug. LDAP is not a "write focused" system, and having a write after every bind is going to really cause a lot of replication, as you indicate. And as efficient as our replication is, the reality is large writes still take time.

It could be possible to change alwaysRecordLogin to be async and to do batch writes outside of the normal bind path, which would probably at least speed up the bind/search paths, but I'm not sure it would help in the replication. I'd need to think about it.

At the least, I think we need better solutions around recording logins for audits, because this isn't the first time we've seen this issue come up. This is especially true for read-only replicas and how they feed back login events (or failures).

Would it be possible for you to open an issue for this so we can look into it?

> Thanks,
> Bob Harvey
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/YGEHYZTQ4KAEHEMNLKEM224CS7KGUU2W/

--
Sincerely,

William

List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx/message/C3KSKQWI52ZVINO3JYOEGKSF7K5FXVB5/
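As an added illustration (not code from 389 DS or from either poster) of the two ideas in this thread, batching last-login writes outside the bind path as William sketches and restricting recording to human accounts as Bob asks, here is a small Python model. Everything in it is assumed for the example: the OU layout (`ou=People` for humans, `ou=Hosts` for machines), the constructed bind events, the 300-second coalescing window, and `lastLoginTime` as the attribute the recorder writes. It compares the number of modifies a write-per-bind recorder would replicate against what a per-user, per-window batch would produce, and renders the batch as LDIF.

```python
from datetime import datetime, timedelta, timezone

# Assumed layout: human accounts live under this OU, machine accounts elsewhere.
HUMAN_OU = "ou=People,dc=example,dc=com"

# Constructed sample of successful binds as (timestamp, bind DN); not real log data.
_T0 = datetime(2018, 8, 16, 11, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (_T0 + timedelta(seconds=0),   "uid=alice,ou=People,dc=example,dc=com"),
    (_T0 + timedelta(seconds=30),  "uid=bob,ou=People,dc=example,dc=com"),
    (_T0 + timedelta(seconds=60),  "uid=alice,ou=People,dc=example,dc=com"),
    (_T0 + timedelta(seconds=90),  "cn=host01,ou=Hosts,dc=example,dc=com"),
    (_T0 + timedelta(seconds=120), "cn=host02,ou=Hosts,dc=example,dc=com"),
    (_T0 + timedelta(seconds=400), "uid=alice,ou=People,dc=example,dc=com"),
    (_T0 + timedelta(seconds=410), "cn=host01,ou=Hosts,dc=example,dc=com"),
    (_T0 + timedelta(seconds=450), "uid=bob,ou=People,dc=example,dc=com"),
]


def is_human_account(bind_dn, human_ou=HUMAN_OU):
    """True if the bind DN sits under the human-account OU (case-insensitive match)."""
    return bind_dn.lower().endswith("," + human_ou.lower())


def plan_last_login_writes(events, window_seconds=300, human_ou=HUMAN_OU):
    """Coalesce bind events into the writes a batched recorder would replicate.

    A write-per-bind recorder (alwaysRecordLogin on) produces len(events) modifies.
    Here binds are grouped per DN per time window and only the latest timestamp
    in each window is kept; binds from outside the human OU are dropped entirely.
    Returns a list of (dn, timestamp) ordered by window, then by timestamp.
    """
    latest = {}
    for ts, dn in events:
        if not is_human_account(dn, human_ou):
            continue
        window = int(ts.timestamp()) // window_seconds
        key = (window, dn)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return [(dn, ts) for (window, dn), ts in
            sorted(latest.items(), key=lambda kv: (kv[0][0], kv[1]))]


def to_ldif(writes, attr="lastLoginTime"):
    """Render the planned writes as LDIF modify records with GeneralizedTime values.

    The attribute name is an assumption for this example; use whatever attribute
    the deployment's account policy actually records.
    """
    records = []
    for dn, ts in writes:
        records.append(
            f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n"
            f"{attr}: {ts.strftime('%Y%m%d%H%M%SZ')}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    planned = plan_last_login_writes(SAMPLE_EVENTS)
    print(f"write-per-bind modifies: {len(SAMPLE_EVENTS)}, batched modifies: {len(planned)}")
    print(to_ldif(planned))
```

On the constructed sample, eight binds collapse to four modifies: the two machine-account binds are never written, and repeated binds by the same user inside one window become a single replace carrying the latest time. The trade-off a batched recorder accepts is that a crash before the batch is flushed loses up to one window of login times, which is why it suits audit trending better than anything that must be exact per bind.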