LDAP: Last Logon Time and Last Logon IP Address

Using password policies, the UnboundID Directory Server can record the entry’s last logon time and last logon IP address from which a connection authenticated.

The password policy has ‘properties’ named:

  • last-login-time-attribute
  • last-login-time-format
  • last-login-ip-address-attribute

which specify the name of the attribute used to record the last authentication time, the format of the timestamp used for the last authentication time attribute, and IP address from which the last authentication occurred, respectively. For demonstration purposes, the DN uid=user.0,ou=People,dc=example,dc=com is used.

When not specified, the names (or types, if you prefer) of the attributes in the entry default to:

attribute name attribute purpose
ds-pwp-last-login-time The last time the entry authenticated
ds-pwp-last-login-ip-address The IP address from which the entry last authenticated

The ds-pwp-last-login-time and ds-pwp-last-login-ip-address attributes are Directory Strings, are single-valued, and are operational attributes (they must be requested by name, or use ‘+’ as an attribute name in the list of requested attributes).

Create a password policy

dsconfig create-password-policy \
  --policy-name "Demonstration Password Policy" \
  --set password-attribute:userpassword \
  --set "default-password-storage-scheme:Salted SHA-1" \
  --set force-change-on-add:true \
  --set force-change-on-reset:true \
  --set "password-generator:Random Password Generator" \
  --set last-login-ip-address-attribute:ds-pwp-last-login-ip-address \
  --set "last-login-time-format:yyyyMMddHHmmss.SSS'Z'" \
  --set password-history-count:5 \
  --set "password-history-duration:4 w 2 d"

Add a reference to the new password policy to a user’s entry:

ldapmodify -h localhost -p 1389 \
  -D 'cn=directory manager' -j ~/.pwdFile
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Demonstration Password Policy,cn=Password Policies,cn=config
# Processing MODIFY request for uid=user.0,ou=people,dc=example,dc=com
# MODIFY operation successful for DN uid=user.0,ou=people,dc=example,dc=com

Authenticate using ldapsearch:

ldapsearch -j ~/.pwdFile \
  -D 'uid=user.0,ou=people,dc=example,dc=com' \
  -h localhost -p 1389 \
  -b 'uid=user.0,ou=people,dc=example,dc=com' \
  -s base '(&)' 1.1

After authenticating using ldapsearch, retrieve the ds-pwp-last-login-time and ds-pwp-last-login-ip-address attributes from the entry:

ldapsearch -j ~/.pwdFile \
  -D 'cn=directory manager' -h localhost -p 1389 \
  -b 'uid=user.0,ou=people,dc=example,dc=com' \
  -s base '(&)' \
  ds-pwp-last-login-time ds-pwp-last-login-ip-address
dn: uid=user.0, ou=People, dc=example, dc=com
ds-pwp-last-login-time: 20111106230306Z

Note: ensure that load-balancers pass the original source IP address to the directory servers.

All Entries Are subject to a password policy

Entries can have an attribute 'ds-pwp-password-policy-dn' which specifies a policy to use for that entry. If no such attribute is found in the entry, the default password policy is used for the entry. In this way, all entries in the directory server database are subject to a password policy – a critical factor in many modern security audits.

Secure Password Policy

The 3.2 version of the directory server has a Secure password Policy which is extremely paranoid. This Secure Password Policy is not the default, but it can be made the default password policy or used as a template for new password policies that are customized to the organization’s specific requirements.


  • 06-Nov-2011: Added examples of creating password policy and assigning it to a user’s entry.

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, LDAP and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s