Is there a way to tell either in ldap or otherwise when the last time a Zimbra account successfully logged in?
Thanks,
Chris
The server will update the user's zimbraLastLogonTimestamp user attribute at most once every zimbraLastLogonTimestampFrequency (set in global config).
I can do this at the command line one by one. Is there a CLI for LastLogon by domain or for all users?
We like to run this once per month to verify employee lists.
Not sure if this helps, but all logins are logged into /opt/zimbra/log/audit.log
You might want to run a diff command from month to month to see who's logging in and who isn't.
jh
It does help. I was concerned that I would not get 100% accurate results with zimbraLastLogonTimestamp and was not real interested in setting zimbraLastLogonTimestampFrequency to daily.
Maybe we will just mod our Perl script from maillog to audit.log
Some more questions:
- You mention that this value is stored in global config, which means it is the same for all accounts. Does that also mean that every account's zimbraLastLogonTimestamp is updated at the same time (e.g. Sat night)? Or is it something like "every x days starting at account creation", meaning an individual update date/time for each account? The reason I ask is that my account still shows 10-30-07 21:05 while other users' accounts already show today's date and time.
- Does zimbraLastLogonTimestamp mean a webclient logon or also Thunderbird/Outlook POP/IMAP access? I guess that also TB/Outlook logons are used, because that might be the reason why the zimbraLastLogonTimestamp is not updated after each logon (e.g. pop access every 1 minute or so).
- What happens if I select an account in the admin interface and click "View Mail"? Does that also count as a Logon? In my opinion it shouldn't modify the zimbraLastLogonTimestamp...
Thanks for the clarification.
Tom
There is a database entry for LAST_SOAP_ACCESS (getLastSoapAccessTime) in ZIMBRA.MAILBOX - not ported to an LDAP value because that would be nuts. The 'last SOAP activity time' is the time in milliseconds of the last write operation on the mailbox by the mailbox's owner; this is maintained in the session and written at the time of the session's first write and the session's expiry.
Your /opt/zimbra/log/audit.log is continuous anyways so you can always check that. (I port to a nice log index program called Splunk.)
Ok, so the zimbraLastLogonTimestampFrequency default is 7d to cut down on LDAP writes every time you auth... The value isn't new to 5.0.x, just now displayed in the admin console. The server will update the user's zimbraLastLogonTimestamp user attribute at most once every zimbraLastLogonTimestampFrequency.
It's your call - you can set it to values like: 1d, 1h, 1m, 1s, or 0 for disabled.
Think of the pure volume of some systems, updating an attribute for a million+ active users all day long makes for a lot of writes and replication. Prompted implementation of: Bug 18972 - provide way to completely disable zimbraLastLogonTimestamp (setting to 0).
zmprov mcf zimbraLastLogonTimestampFrequency 3d
For some, 7 days on zimbraLastLogonTimestampFrequency does seem a little high though given the average installation size and faster systems. To that end, someone had a Bugzilla entry in to get the default changed from 7d > 3d but I don't know what happened to it. If you have the time/ability for a large scale performance test go for it :p
(Don't know what you're running at Stanford but btw Bug 24012 - "Last logged in" not updating when using external LDAP was fixed for 5.0.3)
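Added example, not code from any poster in this thread or from Zimbra: a monthly idle-account report that allows for the update lag discussed above, since a stored zimbraLastLogonTimestamp can trail the real last logon by up to zimbraLastLogonTimestampFrequency. It assumes the input text was collected by running `zmprov ga <account> zimbraLastLogonTimestamp` for each account listed by `zmprov -l gaa <domain>`, that each account's output begins with a `# name` line, and that the frequency setting did not change during the period; the function names and sample accounts are made up for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}

def parse_frequency(value):
    """Turn a zimbraLastLogonTimestampFrequency value such as '7d' into a timedelta."""
    if value == "0":  # 0 disables updates, so the attribute says nothing
        raise ValueError("timestamp updates disabled; use audit.log instead")
    m = re.fullmatch(r"(\d+)([dhms])", value)
    if not m:
        raise ValueError(f"unrecognised frequency: {value!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def parse_accounts(zmprov_output):
    """Map account -> last logon (UTC), or None when the attribute is absent."""
    accounts, current = {}, None
    for line in zmprov_output.splitlines():
        if line.startswith("# name "):
            current = line[len("# name "):].strip()
            accounts[current] = None
        elif current and line.startswith("zimbraLastLogonTimestamp:"):
            stamp = line.split(":", 1)[1].strip()[:14]  # YYYYMMDDhhmmss
            accounts[current] = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return accounts

def idle_report(zmprov_output, frequency, idle_for, now):
    """Return (idle, never): accounts provably idle for idle_for, and accounts never seen."""
    slack = parse_frequency(frequency)
    cutoff = now - idle_for
    idle, never = [], []
    for name, last in sorted(parse_accounts(zmprov_output).items()):
        if last is None:
            never.append(name)
        elif last + slack < cutoff:  # a later logon within `slack` would not be recorded
            idle.append(name)
    return idle, never

# Constructed sample input (not real accounts).
SAMPLE = """\
# name alice@example.com
zimbraLastLogonTimestamp: 20071030210500Z
# name bob@example.com
zimbraLastLogonTimestamp: 20070901080000Z
# name carol@example.com
"""

if __name__ == "__main__":
    print(idle_report(SAMPLE, "7d", timedelta(days=30), datetime(2007, 12, 1, tzinfo=timezone.utc)))
```

Accounts that fall inside the slack window are not reported as idle; /opt/zimbra/log/audit.log is the place to confirm those.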