"Last Login Time" is always "unknown" for LDAP Users - but working for local Users
Hi,
I'm new to the community and just want to know if that's just my problem or if it is a general problem, and how to fix it.
I just stumbled across the policy "Disable Account Last Login Exceeded" and am wondering if I can use this rule for my LDAP accounts to clean up my accounts a bit. But the first problem here: I can't see any "last login time"... this field (besides Last Login IP, Password Last Changed, CreationDate) is always "unknown". I assume these fields should come from the LDAP directory? What if I only wanna know when this user last logged in through Cerberus?
-
Hello Daniel,
Those policy settings will only apply to Cerberus native accounts, so your LDAP and AD users won't be affected by them. You can read a bit more about policy items here: Policy Settings. In version 12.2, we did add functionality to include LDAP & AD users in login reports that can be utilized by Enterprise users. That article can be found here: https://www.cerberusftp.com/blog/multiple-groups-and-ad-and-ldap-account-reports/
-
Hi Connor,
Thanks for your quick reply. I feared that answer since I already found the notice "only for native accounts". I have about 184 LDAP accounts with granted access to Cerberus without really knowing the last access. The Login Report (apart from this, I just activated logging :-D and do not have history data yet) is only of limited use in my case, because with this report I have to fiddle out every single existing account and look manually in the login report for the last login (maybe I can automate this a bit using a CSV export and a complicated Excel transformation sheet). The goal is to disable all unused accounts after a period of time, the same as Cerberus already provides for native accounts.
Is there a technical limitation why the last successful login is not also stored for LDAP or AD accounts? I mean, there already has to be a Cerberus database for storing other properties for these accounts (like Group, Constraints, Directory Access). Maybe there is another idea for how I can achieve this.
Best and thanks,
Daniel
-
Hello Daniel,
My suggestion would be to try and run an 'Account Report' for the details you are looking for. As long as Cerberus is up to date (past 12.2), it should return AD and LDAP last logins, if Cerberus can find one. There are more details in that article I had sent over previously.
-
Hi Connor,
Thanks for your reply...
That's the point... Even in the 'Account Report' all of these columns are empty for all of my LDAP users. We are using Cerberus 13.0.2.0. Is Cerberus relying on LDAP fields to show here, or will Cerberus store these properties on its own for the accounts?
-
Hello Daniel,
In regards to the Account Report, when running against LDAP authentication sources, the Last Login, Last Login IP and Password Changed columns all represent the last time a directory user logged in or changed their password anywhere using that account, not just applications using Cerberus. That information is coming from LDAP, and is not stored within the application.
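Because the directory-sourced columns discussed in this thread are not specific to Cerberus, a last-login-through-Cerberus value has to be derived from an exported login report instead. The Python below is an added example, not part of the thread and not Cerberus code; the CSV column names (`username`, `timestamp`, `result`, `source_ip`), the sample rows and the account list are constructed assumptions, not the product's real export layout.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not Cerberus's real layout.
SAMPLE_REPORT = """username,timestamp,result,source_ip
alice,2024-01-05T08:12:00,success,192.0.2.10
alice,2024-03-20T17:45:00,success,192.0.2.10
bob,2023-09-01T09:00:00,success,192.0.2.22
bob,2024-03-25T09:00:00,failure,198.51.100.7
Carol,2024-03-28T11:30:00,success,192.0.2.31
"""

# Constructed list of directory accounts that are granted access.
LDAP_ACCOUNTS = ["alice", "bob", "carol", "dave"]


def last_successful_logins(report_text):
    """Return {lowercased username: datetime of newest successful login}."""
    latest = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        # Failed attempts must not keep an otherwise idle account alive.
        if row["result"].strip().lower() != "success":
            continue
        user = row["username"].strip().lower()  # compare names case-insensitively
        when = datetime.fromisoformat(row["timestamp"])
        if user not in latest or when > latest[user]:
            latest[user] = when
    return latest


def stale_accounts(accounts, report_text, now, max_idle_days):
    """Return sorted (account, last_login_or_None) pairs past the idle limit.
    None means no successful login in the report; the history may be too short."""
    latest = last_successful_logins(report_text)
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for account in accounts:
        seen = latest.get(account.strip().lower())
        if seen is None or seen < cutoff:
            stale.append((account, seen))
    return sorted(stale, key=lambda item: item[0])


if __name__ == "__main__":
    for name, seen in stale_accounts(LDAP_ACCOUNTS, SAMPLE_REPORT, datetime(2024, 4, 1), 90):
        print(name, seen.isoformat() if seen else "never seen in report")
```

Accounts reported with no login at all should be reviewed rather than disabled outright until the log history covers at least the chosen idle period.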