8.2 Using the LoginInfo Command

With NMAS 3.2 or later, you can turn off automatic updating of certain user object login attributes by using the LoginInfo <num> command. You might want to do this manually if automatically updating attributes causes problems. The following sections further explain this functionality:

8.2.1 NMAS Login for LDAP Bind

In order to make your passwords case-sensitive, you must enable the NMAS login for LDAP Bind. For information on how to do this, see the How to Make Your Password Case-Sensitive section in the Novell eDirectory 8.8 SP7 What’s New Guide.

When the NMAS login is enabled for LDAP Bind, eDirectory automatically updates user object login attributes after the user has authenticated. The following is a non-exhaustive list of login attributes that are updated:

  • Login Time

  • Network Address

  • Last Login Time

8.2.2 Problems Caused by Automatically Updating User Object Login Attributes

The automatic updating of user object login attributes can lead to the following problems:

  • High utilization

  • Unresponsiveness

  • Client time-outs seen on busy authentication servers, especially in LDAP environments

If you are experiencing these problems, you might want to regulate when the login attributes are updated. For information on how to do this, see Section 8.2.3, Using the LoginInfo Command to Control LoginInfo Attributes When Attributes are Updated.

8.2.3 Using the LoginInfo Command to Control LoginInfo Attributes When Attributes are Updated

To control when login attributes are updated, execute the nmas LoginInfo <num> command.

The value for <num> is as follows:

  • 0 or off: Do not update any login attributes.

  • 1: Only update attributes that are required by intruder detection.

  • 2: Update all login attributes except unused user password policy attributes.

  • 3 or on: Update all login attributes.

For information on how to invoke the LoginInfo command for each NMAS Server platform, see Section 8.4, Invoking NMAS Commands.

8.2.4 Using the sasUpdateLoginInfo and sasUpdateLoginTimeInterval Attribute

The sasUpdateLoginInfo attribute controls the updates of LoginInfo attributes.

The sasUpdateLoginTimeInterval attribute controls the update of the Login Time attribute of a user for a specified interval.

IMPORTANT: The Update Login Time Interval feature is available with eDirectory 8.8 SP7 Patch 3 and later. To enable this feature, a new attribute, sasUpdateLoginTimeInterval, is added to the NMAS schema. To use this feature with eDirectory 8.8 SP7 Patch 3, you must extend the nmas.sch file from the eDirectory schema. For more information, see Manually Extending the Schema in the Novell eDirectory 8.8 SP7 Administration Guide.

The sasUpdateLoginInfo attribute can have the following values:

  • 0 or off: Do not update any login attributes.

  • 1: Only update attributes that are required by intruder detection.

  • 2: Update all login attributes except unused user password policy attributes.

  • 3 or on: Update all login attributes.

The sasUpdateLoginTimeInterval attribute can have values from 0 to 1440 minutes (that is, one day).

  • If the value is 0, the Login Time and Last Login Time attributes are updated for every successful login.

  • If the value is between 1 and 1440 minutes, the Login Time attribute is updated after the specified interval. The Last Login Time attribute will not be updated.

NOTE: The Login Time attribute is not updated on consecutive successful logins during the interval. However, if there is a login failure during the interval followed by a successful login, the Login Time attribute is updated. The interval is then counted from that successful login.

The sasUpdateLoginTimeInterval attribute is effective only if the sasUpdateLoginInfo attribute value is set to 2 or 3.

The attributes can be specified for the following objects in the order of precedence (user having the highest precedence).

  • User

  • Container of the user

  • Partition root

  • Login Policy

If the sasUpdateLoginInfo and sasUpdateLoginTimeInterval attributes are set on the Login Policy object, the setting becomes effective after the next policy refresh cycle. If the attributes are not set for the user, container, partition root, or Login Policy, the value set on a server using the command line is used to maintain backward compatibility.
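The precedence and fallback rules above can be checked before a change is rolled out. The following is an added example, not Novell code: it models the rules of this section in Python, assuming that each attribute is resolved independently and using hypothetical scope names (user, container, partition_root, login_policy, server) and constructed sample values.

```python
# Added example: models the rules in section 8.2.4. Not NMAS code.
# Highest precedence first; "server" is the nmas.config / command-line fallback.
PRECEDENCE = ("user", "container", "partition_root", "login_policy", "server")
LEVELS = {"0": 0, "off": 0, "1": 1, "2": 2, "3": 3, "on": 3}

def effective(settings, attr):
    """Return (value, scope) from the highest-precedence object that sets attr."""
    for scope in PRECEDENCE:
        value = settings.get(scope, {}).get(attr)
        if value is not None:
            return str(value).strip().lower(), scope
    return None, None

def review(settings):
    """Resolve both attributes (assumed independent) and list findings."""
    findings = []
    raw_level, level_src = effective(settings, "sasUpdateLoginInfo")
    raw_ival, ival_src = effective(settings, "sasUpdateLoginTimeInterval")
    level = LEVELS.get(raw_level)
    if raw_level is not None and level is None:
        findings.append(f"invalid sasUpdateLoginInfo {raw_level!r} on {level_src}")
    interval = None
    if raw_ival is not None:
        if raw_ival.isdigit() and int(raw_ival) <= 1440:
            interval = int(raw_ival)
        else:
            findings.append(f"sasUpdateLoginTimeInterval {raw_ival!r} "
                            f"on {ival_src} is outside 0-1440")
    if level == 0:
        findings.append("level 0: no login attributes are updated, "
                        "including those level 1 keeps for intruder detection")
    if interval:
        if level in (2, 3):
            findings.append("Last Login Time is not updated while an interval is set")
        elif level is not None:
            findings.append("interval ignored: sasUpdateLoginInfo must be 2 or 3")
    return {"level": level, "level_source": level_src,
            "interval": interval, "interval_source": ival_src,
            "findings": findings}

# Constructed sample: user1 overrides the level, the interval comes from the tree.
SAMPLE = {
    "user": {"sasUpdateLoginInfo": "1"},
    "partition_root": {"sasUpdateLoginInfo": "2", "sasUpdateLoginTimeInterval": "35"},
    "server": {"sasUpdateLoginInfo": "2", "sasUpdateLoginTimeInterval": "30"},
}

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, "=", value)
```

For the sample, the user-level value 1 wins over the partition root and server values, so the 35-minute interval inherited from the partition root has no effect for that user.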

The following example sets the attribute values on the eDirectory server:

#cat nmas.config (The nmas.config file must be in the same directory as the dib directory.)
nmas LoginInfo 2
nmas UpdateLoginTimeInterval 30

To set the attribute values at the partition root:

  1. To add the attributes to the Tree, go to iManager > Schema > Add Attribute > Tree Root.

  2. Use the arrow to move the required attribute from Available optional attribute list to Optional attribute list.

To set the values of the attributes at the partition root, run the ldapmodify command with the following entries, supplied either at the command line or in an ldif file:

dn: T=<tree name>
changetype: modify
add: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 35

dn: T=<tree name>
changetype: modify
add: sasUpdateLoginInfo
sasUpdateLoginInfo: 2

You can edit the sasUpdateLoginInfo or sasUpdateLoginTimeInterval attribute values for user, container, and Login Policy objects using iManager or an ldif file.

Example:

#cat changesasUpdateLoginInfo.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginInfo
sasUpdateLoginInfo: 1

#cat changesasUpdateLoginTimeInterval.ldif
dn: cn=user1,o=org
changetype: modify
replace: sasUpdateLoginTimeInterval
sasUpdateLoginTimeInterval: 60


The setting disables the update of the Login Time attribute of user1 for 60 minutes from the previous update of the attribute.

To specify the sasUpdateLoginInfo and sasUpdateLoginTimeInterval attributes from iManager:

  1. In Novell iManager, click the Roles and Tasks button.

  2. Click Directory Administration > Modify Object.

  3. Specify the name and context of a container or login policy object, then click OK.

  4. On the General tab, select Other and then select sasUpdateLoginTimeInterval from the Unvalued Attributes list.

  5. Use the arrow button to move sasUpdateLoginTimeInterval from the Unvalued Attributes list to the Valued Attributes list, then click Apply.