......@@ -23,8 +23,9 @@
* last successful bind operation in a directory entry.
*
* Optimization: to avoid performing a write on each bind,
* a precision for this timestamp may be configured, causing it to
* only be updated if it is older than a given number of seconds.
* a precision for this timestamp may be configured on the database,
* causing it to only be updated if it is older than a given number
* of seconds.
*/
#ifdef SLAPD_OVER_LASTBIND
......@@ -40,8 +41,6 @@
/* Per-instance configuration information */
typedef struct lastbind_info {
/* precision to update timestamp in authTimestamp attribute */
int timestamp_precision;
int forward_updates; /* use frontend for authTimestamp updates */
} lastbind_info;
......@@ -68,14 +67,6 @@ static struct schema_info {
/* configuration attribute and objectclass */
static ConfigTable lastbindcfg[] = {
{ "lastbind-precision", "seconds", 2, 2, 0,
ARG_INT|ARG_OFFSET,
(void *)offsetof(lastbind_info, timestamp_precision),
"( OLcfgCtAt:5.1 "
"NAME 'olcLastBindPrecision' "
"DESC 'Precision of authTimestamp attribute' "
"EQUALITY integerMatch "
"SYNTAX OMsInteger SINGLE-VALUE )", NULL, NULL },
{ "lastbind_forward_updates", "on|off", 1, 2, 0,
ARG_ON_OFF|ARG_OFFSET,
(void *)offsetof(lastbind_info,forward_updates),
......@@ -91,7 +82,7 @@ static ConfigOCs lastbindocs[] = {
"NAME 'olcLastBindConfig' "
"DESC 'Last Bind configuration' "
"SUP olcOverlayConfig "
"MAY ( olcLastBindPrecision $ olcLastBindForwardUpdates) )",
"MAY ( olcLastBindForwardUpdates) )",
Cft_Overlay, lastbindcfg, NULL, NULL },
{ NULL, 0, NULL }
};
......@@ -148,7 +139,7 @@ lastbind_bind_response( Operation *op, SlapReply *rs )
if (bindtime != (time_t)-1) {
/* if the recorded bind time is within our precision, we're done
* it doesn't need to be updated (save a write for nothing) */
if ((now - bindtime) < lbi->timestamp_precision) {
if ((now - bindtime) < op->o_bd->be_lastbind_precision) {
goto done;
}
}
......
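Review bot: Removing the `lastbind-precision` entry from `lastbindcfg[]` and `olcLastBindPrecision` from the `olcLastBindConfig` MAY list gives existing deployments no migration path: a configuration that still carries the directive or attribute will presumably be rejected when the overlay is loaded, and the visible hunks add no deprecation handling. In `lastbind_bind_response` the check now reads `op->o_bd->be_lastbind_precision`, so a database where that value was never set (0, if that is its default) skips the `goto done` and writes authTimestamp on every bind. I would either keep the old keyword as a deprecated alias that logs a warning, or at least add a comment at the comparison such as `/* precision is per-database now; 0 disables the write-saving shortcut */` and state the upgrade step in the commit message. The function body and the definition of `be_lastbind_precision` lie outside these hunks, so its type and default are not confirmed here.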
......@@ -19,6 +19,11 @@ older than a given value, thus avoiding large numbers of write
operations penalizing performance.
One sample use for this overlay would be to detect unused accounts.
Now that OpenLDAP has native support for most of this functionality,
storing the value in pwdLastSuccess to better interact with the Behera
Password Policy draft 10. Unless you require lastbind_forward_updates,
you should consider using that instead.
.SH CONFIGURATION
The config directives that are specific to the
.B lastbind
......@@ -98,6 +103,11 @@ default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
.LP
IETF LDAP password policy proposal by P. Behera, L. Poitou and J.
Sermersheim: documented in IETF document
"draft-behera-ldap-password-policy-10.txt".
The
.BR slapo-lastbind (5)
overlay supports dynamic configuration via
......