Display user's last-login-time-attribute on ForgeRock 7.4

Hi, I installed Forgerock 7.4, and change default password policy by dsconfig

  10)  idle-lockout-interval                      0 s
  11)  last-login-time-attribute                  ds-pwp-last-login-time
  12)  last-login-time-format                     yyyyMMddHHmmss
  13)  lockout-duration                           0 s

But we cannot see user’s ds-pwp-last-login-time in my entry.

dn: uid=10000001,ou=users,dc=pthl,dc=hk
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: idmExt
objectClass: top
objectClass: organizationalPerson
objectClass: person
active: FALSE
cn:: 6auY6Imz
companyCode: CN01
department:: 5LqS5aSq57q657uH5Y2w5p+T6ZuG5Zui
departmentId: 300-00000001
displayName: aaaaaFef
employeeNumber: 10000001
gidNumber: 1000
givenName:: 5bC55oOg5p2l
givenName: AAAAAA11
givenName: whatever
givenName: 3333
......

Anything else that needs to be done? Thanks.

There is no last-login-xxx attribute. Do I need to assign this policy to a group or user?

ldapsearch -x -h ds.example.com -p 19380 -D cn=Administrator -w'password' -b dc=example,dc=com pwdPolicySubentry -LLL
dn: dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config

Operational attributes must be explicitly requested from DS when using ldapsearch.
Following your LDAP filter, include (space-delimited) * +

Cheers.

ldapsearch -x -h ds.example.com -p 19381 -D cn=Administrator -w 'password' -b uid=10000001,ou=users,dc=example,dc=com '*' '+' -LLL
dn: uid=10000001,ou=users,dc=example,dc=com
createTimestamp: 20240314074727Z
creatorsName: cn=Administrator
ds-sync-hist: etag:0110018f092ef539009fc202pacific-opendj-1:repl:383f6ae4-e11d
 -41a8-a3e0-5cc30a8f2320-158369
ds-sync-hist:: bzowMTEwMDE4ZjA0Mjc3Yjk4MDA5YmU0ODNwYWNpZmljLW9wZW5kai0xOnJlcGw
 6SUMtVEVTVOiZmuaLn+e7hOe7hw==
ds-sync-hist:: bzowMTEwMDE4ZjA0Mjc3Yjk4MDA5YmU0ODNwYWNpZmljLW9wZW5kai0xOmFkZDr
 kupLlpKrnurrnu4fljbDmn5Ppm4blm6I=
ds-sync-hist: ou:0110018f04277b98009be483pacific-opendj-1:repl:PACIFIC TEXTILE
 S LIMITED/Supporting Teams
ds-sync-hist:: b3U6MDExMDAxOGYwNDI3N2I5ODAwOWJlNDgzcGFjaWZpYy1vcGVuZGotMTphZGQ
 65LqS5aSq57q657uH5Y2w5p+T6ZuG5Zui
ds-sync-hist: modifyTimestamp:0110018f092ef539009fc202pacific-opendj-1:repl:20
 240423042023Z
ds-sync-hist: modifiersName:0110018f092ef539009fc202pacific-opendj-1:repl:cn=A
 dministrator
ds-sync-hist: departmentId:0110018f04277b98009be483pacific-opendj-1:repl:300-0
 0000001
ds-sync-hist:: ZGVwYXJ0bWVudDowMTEwMDE4ZjA0Mjc3Yjk4MDA5YmU0ODNwYWNpZmljLW9wZW5
 kai0xOnJlcGw65LqS5aSq57q657uH5Y2w5p+T6ZuG5Zui
ds-sync-hist: sn:0110018f04277b98009be483pacific-opendj-1:repl:10000001
ds-sync-hist:: Y246MDExMDAxOGYwOTJlZjUzOTAwOWZjMjAycGFjaWZpYy1vcGVuZGotMTpyZXB
 sOumrmOiJsw==
ds-sync-hist: active:0110018f04277b98009be483pacific-opendj-1:repl:FALSE
ds-sync-hist: pwdChangedTime:0110018f045f11af009c0fdepacific-opendj-1:repl:202
 40422055450.415Z
ds-sync-hist: gidNumber:0110018f04277b98009be483pacific-opendj-1:repl:1000
ds-sync-hist: userPassword:0110018f045f11af009c0fdepacific-opendj-1:repl:{PBKD
 F2-HMAC-SHA256}10:kbsInRY4odMTw2EU0YXgh6MSbCeHz3/RArC+CXSUvnOCrfp9d+81f9Uyz+e
 euW72
ds-sync-hist: userPassword:0110018f045f11af009c0fdepacific-opendj-1:add:{SSHA5
 12}EKyS0yjQuyVzvtRupggEyXgab2IHE8jg0xI7Kd7Gg6ye0yG5w4vKQS0Mzd5G/BhCythfVRDeKP
 6JwTmGhAfK6shoT+yjMZaxUd4M41RO4zc=
ds-sync-hist: l:0110018f04b49553009c5195pacific-opendj-1:attrDel
entryDN: uid=10000001,ou=users,dc=pthl,dc=hk
entryUUID: ed9abb5e-7ee6-4470-8ed9-077d663c96cb
etag: 383f6ae4-e11d-41a8-a3e0-5cc30a8f2320-158369
hasSubordinates: false
modifiersName: cn=Administrator
modifyTimestamp: 20240423042023Z
numSubordinates: 0
pwdChangedTime: 20240422055450.415Z
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
structuralObjectClass: inetOrgPerson
subschemaSubentry: cn=schema

I used * +, but as you can see from the above output, last-login-time-attribute isn’t available.
pwdPolicySubentry shows and therefore suggests that this user has been assigned the default password policy already.

I setup these attributions already.

  11)  last-login-time-attribute                  ds-pwp-last-login-time
  12)  last-login-time-format                     yyyyMMddHHmmss

And login on and authenticate with that user.
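The `* +` request shown above returns the entry's operational attributes as LDIF, with long values folded onto continuation lines (leading space) and non-ASCII values base64-encoded (`::`). The following is an added example, not ForgeRock DS code and not part of this thread: a small LDIF reader that unfolds and decodes such output, then reports each account's idle time from `ds-pwp-last-login-time`, using the `yyyyMMddHHmmss` format configured in the password policy above. The sample LDIF is constructed, and the `max_idle_days` threshold is an assumed site policy, not a DS setting.

```python
"""Read `ldapsearch -LLL '*' '+'` LDIF output and report last-login age.

Added example (not ForgeRock DS code). Assumes the password-policy settings
from the thread: last-login-time-attribute = ds-pwp-last-login-time and
last-login-time-format = yyyyMMddHHmmss. The LDIF below is constructed.
"""
import base64
from datetime import datetime, timezone

LAST_LOGIN_ATTR = "ds-pwp-last-login-time"
LAST_LOGIN_FORMAT = "%Y%m%d%H%M%S"  # strptime spelling of yyyyMMddHHmmss

# Constructed sample: one recent login, one folded (line-wrapped) old login,
# one account with no last-login value at all.
SAMPLE_LDIF = """\
dn: uid=10000001,ou=users,dc=example,dc=com
cn:: 6auY6Imz
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
ds-pwp-last-login-time: 20240422055450
modifyTimestamp: 20240423042023Z

dn: uid=10000002,ou=users,dc=example,dc=com
cn: Alice Example
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
ds-pwp-last-login-time: 2024
 0101120000

dn: uid=10000003,ou=users,dc=example,dc=com
cn: Never Logged In
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps lower-cased attribute
    names to a list of decoded string values (LDAP names are case-insensitive)."""
    # Step 1: unfold continuation lines (a line starting with one space
    # continues the previous logical line).
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    # Step 2: split into entries on blank lines and decode values.
    entries, attrs = [], {}
    for line in logical:
        if line == "":
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line; ignore
        if value.startswith(":"):
            # "attr:: <base64>" carries binary or non-ASCII (here, UTF-8) data
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    if attrs:
        entries.append(attrs)
    return entries


def last_login_report(text, now_str, max_idle_days=90):
    """Return (dn, idle_days, status) per entry. `now_str` uses the same
    yyyyMMddHHmmss format as the attribute, so the comparison is consistent.
    Entries without the attribute are reported separately: either the user
    never authenticated since the policy was enabled, or the operational
    attribute was not requested ('+')."""
    now = datetime.strptime(now_str, LAST_LOGIN_FORMAT).replace(tzinfo=timezone.utc)
    report = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        values = entry.get(LAST_LOGIN_ATTR.lower())
        if not values:
            report.append((dn, None, "no-last-login-value"))
            continue
        last = datetime.strptime(values[0], LAST_LOGIN_FORMAT).replace(tzinfo=timezone.utc)
        idle_days = (now - last).days
        status = "active" if idle_days <= max_idle_days else "stale"
        report.append((dn, idle_days, status))
    return report


if __name__ == "__main__":
    for dn, idle, status in last_login_report(SAMPLE_LDIF, "20240424000000"):
        print(f"{status:22} idle={idle!s:>5}  {dn}")
```

To use it against a live directory, pipe real output in: `ldapsearch -LLL ... '*' '+' > users.ldif` and pass the file contents to `last_login_report`. The single quotes around `*` and `+` matter in a shell, otherwise `*` is expanded against the current directory before ldapsearch sees it.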

Good morning,

The evidence is not complete enough for me to prescribe a simple course of action to correct your situation.
This is a configuration issue. Kindly open a ticket. Feel free to mention me in the ticket.
Cheers.


We use the community edition. I’m afraid we’re not entitled to open a support ticket, right?

Problem resolved, see OpenDJ: Which accounts are active? – Margin Notes 2.0.
Thanks.

Glad you’re sorted. Clearly a misconfiguration issue. Did you want to share what you missed?
Incidentally, happy you are pleased with the community edition of the product. I only support those using the actual product and not the community edition, for lots of reasons.
FYI, I’m glad you dropped your logs from this thread.

Cheers.