
Configure LastBind

Learn how to configure LastBind effectively and efficiently, enabling you to optimize its performance for your specific needs.

Written by Greg Noe

Updated at July 30th, 2024


Table of Contents

  • Configuring lastbind
  • lastbind-precision
  • lastbind_forward_updates
  • Configuration in slapd.conf
  • Configuring with cn=config
  • Manually modifying authTimestamp

Date: 07-24-2024

Why record the date of the last authentication? Could this overlay be used to verify that employees are actually connecting to the system and working? It could, but the real benefit (and its practical purpose) is to identify accounts that are obsolete or have not been used to authenticate for several months.

Configuring lastbind

The lastbind overlay has two optional settings:

lastbind-precision <seconds>

The value is the number of seconds that must elapse before the authTimestamp attribute in an entry is written again. If the existing value of authTimestamp is less than <seconds> old, it is left unchanged. If this option is omitted, authTimestamp is updated on every successful bind operation.

This setting matters in replicated environments. Every time the authTimestamp attribute is updated, the change must be replicated to every other node in the LDAP environment, and in extremely busy environments updating too frequently can cause replication delays.
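As an added example that is not part of this article or of OpenLDAP itself, the following Python models the two points above: the lastbind-precision decision on whether a successful bind rewrites authTimestamp, and the stale-account review that is the overlay's real purpose, run over a constructed LDIF export. The GeneralizedTime format is the one slapd writes (as in the value shown later on this page); the sample DNs and timestamps are made up.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): active user, idle user, never-bound service account.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
authTimestamp: 20240715093012Z

dn: uid=bob,ou=users,dc=example,dc=com
authTimestamp: 20231102171500Z

dn: uid=svc-backup,ou=users,dc=example,dc=com
uid: svc-backup
"""
def parse_generalized_time(value):
    """authTimestamp is LDAP GeneralizedTime in UTC, e.g. 20120511144318Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def should_update(existing, now, precision):
    """lastbind-precision rule: skip the write when the stored value is less than
    `precision` seconds old; no stored value or precision=None means write every bind."""
    if existing is None or precision is None:
        return True
    return (now - existing).total_seconds() >= precision

def parse_ldif(text):
    """Minimal LDIF reader for the constructed sample (no base64, no line folding)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, val = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(val.strip())
    return entries

def stale_accounts(ldif_text, now, max_idle_days):
    """Return (stale, never): DNs last bound before the cutoff, and DNs with no authTimestamp."""
    cutoff = now - timedelta(days=max_idle_days)
    stale, never = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        stamps = entry.get("authtimestamp")
        if not stamps:
            never.append(dn)          # never bound since the overlay was enabled
        elif parse_generalized_time(stamps[0]) < cutoff:
            stale.append(dn)
    return stale, never
```

Entries without any authTimestamp are reported separately because a plain `(authTimestamp<=...)` search filter would never match them.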

lastbind_forward_updates

Specify that updates to the authTimestamp attribute on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and it also requires the updateref setting in the database configuration and the chain overlay to be configured appropriately.

For more information on the chain overlay, see slapo-chain(5).

Configuration in slapd.conf

Add the following to the Modules portion of the global section of slapd.conf:

moduleload    lastbind.la

On consumers, configure the chain overlay after the moduleload section to forward updates to a provider:

moduleload back_ldap.la

overlay chain
chain-uri "ldaps://some-provider.example.com"
chain-tls ldaps
       tls_cacertdir="/opt/symas/ssl/ca/cacert.pem"
       tls_reqcert=demand
chain-network-timeout 30
chain-timeout 30
chain-keepalive 180:30:60
chain-idassert-bind mode=self
       bindmethod=simple
       binddn="dc=example,dc=com"
       credentials="secret"
       starttls=no
       tls_cacertdir="/opt/symas/ssl/ca/cacert.pem"
       tls_reqcert=demand
       network-timeout=5
       timeout=5
       keepalive=180:30:60
chain-return-error      TRUE

On consumers, add the updateref setting after the syncrepl setting:

updateref ldaps://some-provider.example.com

Add the following to the overlays section for the MDB database section of slapd.conf:

overlay lastbind
lastbind-precision 60

# Only set the following on consumers:
lastbind_forward_updates

Restart slapd:

systemctl restart slapd

Configuring with cn=config

Create an ldif named add-module.ldif and apply the change with ldapmodify:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: lastbind.la

ldapmodify -x -H ldap://<server-name> -D cn=config -W -f add-module.ldif

On consumers, create an ldif file named add-chain.ldif with the following content and apply the change with ldapadd:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbStartTLS: none
olcDbOnErr: continue

dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldaps://provider.example.com"
olcDbStartTLS: ldaps tls_cacertdir="/opt/symas/ssl/ca/cacert.pem" tls_reqcert=demand tls_reqsan=allow tls_crlcheck=none
olcDbIDAssertBind: mode=self bindmethod=simple timeout=5 network-timeout=5 binddn="dc=example,dc=com" credentials="secret" keepalive=180:30:60 starttls=no tls_cacertdir="/opt/symas/ssl/ca/cacert.pem" tls_reqcert=demand
olcDbNetworkTimeout: 30s
olcDbKeepalive: 180:30:60

ldapadd -x -H ldap://<consumer-name> -D cn=config -W -f add-chain.ldif

Create the following ldif with the name add-updateref.ldif and apply the change to the consumers with ldapmodify:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcUpdateRef
olcUpdateRef: ldaps://provider.example.com

ldapmodify -x -H ldap://<consumer-name> -D cn=config -W -f add-updateref.ldif

Create an ldif file named add-lastbind.ldif and apply the change with ldapadd:

dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
objectClass: olcLastBindConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: lastbind
olcLastBindPrecision: 60
# Only set the following on consumers
olcLastBindForwardUpdates: TRUE

ldapadd -x -H ldap://<server-name> -D cn=config -W -f add-lastbind.ldif

Manually modifying authTimestamp

authTimestamp is an operational attribute, so an ordinary modify cannot add it to or change it on existing entries. It is not impossible, though: OpenLDAP implements the relax control, which lets administrators perform administrative operations on the data, such as changing operational attributes.

Create an ldif named modify-timestamp.ldif and apply the change with ldapmodify, passing the relax control with -e (the control name is quoted so that an interactive shell does not treat the ! as history expansion):

dn: uid=Coudot,ou=users,dc=example,dc=com
changetype: modify
replace: authTimestamp
authTimestamp: 20120511144318Z

ldapmodify -x -H ldap://<producer FQDN> -D dc=example,dc=com -W -e '!relax' -f modify-timestamp.ldif

Copyright © 2020-2024 Symas Corporation. All rights reserved.