Expire Accounts Not Used in 30 Days



By: djbrightman

October 11, 2007 11:02 am


License:
Free

Download lastloginexp_0.zip

Cool Tool: lastlogin – Generate Report Based on Last Login Time

This is a great script, many thanks to Don for his sterling efforts.

I have a client whose requirement (set by the pesky auditors!) is to automatically expire any account that hasn’t been used in the last 30 days, so I amended the script to allow this type of functionality:

# Modified to take into account whether the account is enabled or disabled
# This is specified by the attribute ‘logindisabled’ and is either TRUE or FALSE
# The -e parameter has been defined so you can filter on only enabled accounts
# The report has also been modified to detail the logindisabled state
# The original ‘delfile.ldif’ has been modified to an ‘expfile.ldif’ – this
# contains the ldap modify statements required to change the logindisabled state
# N.B. To reset the TRUE/FALSE field via ldap you seem to need to ‘delete’ the
# existing attribute and then add back the required state
# Additionally, you need the “-” line between the delete and add….

Example of the ice command required to import the generated file:

ice   -l <icelog> -S LDIF -c -f expfile.ldif	\
            -D LDAP -s <server> -p<port> -d <admindn> -w <adminpw>
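The selection and the delete-then-add LDIF described in the script comments above, as an added Python sketch; it is not the code in lastloginexp_0.zip. The record layout, the sample DNs, the `expire_never_used` switch and the choice to omit the delete when the account has no logindisabled value are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (dn, last login or None if never, logindisabled or None if absent)
UTC = timezone.utc
SAMPLE = [
    ("cn=asmith,ou=users,o=example", datetime(2007, 10, 5, tzinfo=UTC), "FALSE"),
    ("cn=bjones,ou=users,o=example", datetime(2007, 8, 1, tzinfo=UTC), "FALSE"),
    ("cn=cwhite,ou=users,o=example", datetime(2007, 6, 1, tzinfo=UTC), "TRUE"),
    ("cn=dgreen,ou=users,o=example", datetime(2007, 7, 1, tzinfo=UTC), None),
    ("cn=eblack,ou=users,o=example", None, "FALSE"),
]

def stale_enabled(records, now, max_age_days=30, expire_never_used=False):
    """Pick enabled accounts whose last login is older than the cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    picked = []
    for dn, last_login, disabled in records:
        if disabled == "TRUE":
            continue  # already disabled, nothing to change
        if last_login is None:
            # Never logged in: skipped by default so freshly created
            # accounts are not expired before their first use.
            if expire_never_used:
                picked.append((dn, disabled))
        elif last_login < cutoff:
            picked.append((dn, disabled))
    return picked

def ldif_entry(dn, current_state):
    """One LDIF modify record that sets logindisabled to TRUE."""
    lines = [f"dn: {dn}", "changetype: modify"]
    if current_state is not None:
        # Delete first; a delete of an attribute that is not present
        # would fail, so it is omitted when the account has no value.
        lines += ["delete: logindisabled", "-"]
    lines += ["add: logindisabled", "logindisabled: TRUE", "-", ""]
    return "\n".join(lines)

def build_expfile(records, now, **options):
    """Full expfile.ldif text; records are separated by a blank line."""
    return "\n".join(ldif_entry(dn, state)
                     for dn, state in stale_enabled(records, now, **options))

if __name__ == "__main__":
    print(build_expfile(SAMPLE, datetime(2007, 10, 11, tzinfo=UTC)))
```

Reviewing the generated file before importing it shows exactly which DNs will be disabled, which is also the evidence an auditor is likely to ask for.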

Categories: Cool Tools, eDirectory

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
