Activating the lastbind overlay module

Problem

With UCS version 4.4-3 errata 499 the lastbind overlay for LDAP (see http://manpages.ubuntu.com/manpages/xenial/man5/slapo-lastbind.5.html) can be easily activated and configured via the ldap/overlay/lastbind and ldap/overlay/lastbind/precision UCR variables and a restart of the OpenLDAP server.
When the lastbind overlay is activated, the timestamp of a successful LDAP bind is recorded in the authTimestamp attribute.

The authTimestamp attribute is excluded from the LDAP replication from UCS version 4.4-3 errata 499 onwards. That means that all servers in the domain need to be of UCS version 4.4-3 errata 499 or higher. Read the solution and important sections in this article before activating this feature.

Solution: Activating the lastbind overlay

Before activating the lastbind overlay on any UCS LDAP server (this includes UCS master, backup and slave systems), all servers have to be upgraded to at least UCS version 4.4-3 errata 499.

Solution: Adding new UCS backup and slave servers

If the lastbind overlay is activated on any UCS LDAP server in the domain (this includes UCS master, backup and slave systems), then new UCS backup and slave systems with a version lower than UCS version 4.4-4 have to be installed without the subsequent automatic join. After the new system has been upgraded to at least UCS version 4.4-3 errata 499, the join can be performed with univention-join.
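As an added example (not part of the Univention article), a small POSIX shell helper that enforces the version prerequisite from both solution sections before setting the two UCR variables named above. It assumes the UCR keys version/version, version/patchlevel and version/erratalevel for the local version, the value yes for ldap/overlay/lastbind, and an example precision of 3600 seconds; these are assumptions, not values taken from the article.

```shell
#!/bin/sh
# Added example, not code from the Univention article.
# Guards activation of the lastbind overlay behind the article's minimum
# version (UCS 4.4-3 errata 499), then sets the UCR variables and restarts slapd.

# Return 0 if "<version> <patchlevel> <erratalevel>" (e.g. 4.4 3 499)
# is at least UCS 4.4-3 errata 499, otherwise return 1.
ucs_version_ok() {
    version="$1"      # e.g. 4.4
    patchlevel="$2"   # e.g. 3
    erratalevel="$3"  # e.g. 499
    major="${version%%.*}"
    minor="${version#*.}"
    [ "$major" -gt 4 ] && return 0
    [ "$major" -lt 4 ] && return 1
    [ "$minor" -gt 4 ] && return 0
    [ "$minor" -lt 4 ] && return 1
    [ "$patchlevel" -gt 3 ] && return 0
    [ "$patchlevel" -lt 3 ] && return 1
    [ "$erratalevel" -ge 499 ]
}

# Check the local system via UCR (assumed keys: version/version,
# version/patchlevel, version/erratalevel). Run this on every LDAP server
# in the domain before activating the overlay anywhere.
local_version_ok() {
    ucs_version_ok "$(ucr get version/version)" \
                   "$(ucr get version/patchlevel)" \
                   "$(ucr get version/erratalevel)"
}

# Activate the overlay only if the local version check passes.
# Assumed values: "yes" for the switch, 3600 seconds for the precision.
activate_lastbind() {
    local_version_ok || { echo "below UCS 4.4-3 errata 499, refusing" >&2; return 1; }
    ucr set ldap/overlay/lastbind=yes ldap/overlay/lastbind/precision=3600
    systemctl restart slapd
}

# After a successful bind of the given user, authTimestamp should be present.
show_auth_timestamp() {
    univention-ldapsearch "uid=$1" authTimestamp
}
```

Call activate_lastbind on a server whose domain has already been checked; show_auth_timestamp then lets you confirm the attribute is being written.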

Important:

Once the lastbind overlay module is activated it shouldn’t be deactivated again.
The lastbind overlay module adds an LDAP schema definition for the authTimestamp attribute it writes to LDAP entries. If the lastbind overlay module is deactivated later and an LDAP entry that carries an authTimestamp value is modified, the LDAP replication fails because the attribute is no longer known to the schema, which results in a failed.ldif file.

Further documentation: