Luckily, from Sun Directory Server 6 onwards, the feature is available through the new attribute pwdKeepLastAuthTime.
However, do note the following:
- The pwdKeepLastAuthTime feature is not enabled by default
- Directory Server, by default, runs in DS5-compatible-mode
- Directory Server has to be in DS6-mode before pwdKeepLastAuthTime can be enabled
- The server state can move only towards stricter compliance with the new password policy specifications. In other words, there is no way to roll back once you make the change.
Special Note:
Using this feature can affect performance. When you configure Directory Server to save pwdLastAuthTime timestamps, the server must perform an internal modify operation for each successful bind.
Unless it is really a necessity, I do not recommend enabling this feature.
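If you do enable it, the stored pwdLastAuthTime values can be used to review idle accounts. The script below is an added example, not part of the original post or of Directory Server itself; it assumes the entries were exported as plain LDIF with pwdLastAuthTime in UTC GeneralizedTime form, and the sample entries, the function names and the 90-day threshold are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export: uid and pwdLastAuthTime per entry (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdLastAuthTime: 20240110083000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdLastAuthTime: 20230601120000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
"""

def parse_entries(ldif):
    """Yield (dn, attrs) per entry. Folded lines are joined; base64 ('::') values are skipped."""
    unfolded = ldif.replace("\n ", "")  # LDIF continuation lines start with one space
    for block in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs["dn"][0], attrs

def parse_generalized_time(value):
    """Parse the UTC form YYYYMMDDHHMMSS[.fraction]Z; reject anything else."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime: %r" % value)
    core = value[:-1].split(".")[0]
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def stale_accounts(ldif, now, max_idle_days=90):
    """Return [(dn, last_bind_or_None)] for entries idle longer than max_idle_days.

    None means no timestamp is stored: no successful bind has been recorded
    since the feature was enabled, which is not proof the account was never used.
    """
    cutoff = now - timedelta(days=max_idle_days)
    report = []
    for dn, attrs in parse_entries(ldif):
        values = attrs.get("pwdlastauthtime")
        last = max(map(parse_generalized_time, values)) if values else None
        if last is None or last < cutoff:
            report.append((dn, last))
    return report
```

Give accounts without a timestamp a grace period after the feature is switched on before treating them as dormant.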
Do you have another recommendation?