List users with last autentication datetime

Tomas · March 4, 2026, 6:00am

Hi everyone,
thank you for the great product that I can freely use.

I would need a list of users who have not authenticated for a certain period of time. I tried the command:

privacyidea-token-janitor find --last_auth 100d --action listuser

but the output format doesn’t fully suit my needs. I need last datetime of autentication and other attributes like UPN or email of the users for sending notification.

Then I tried adding the following event:

event: "auth"
handler: "CustomUserAttributes"
condition: "result_authentication=ACCEPT"
action:
    set_custom_user_attributes
        attrkey: last_used_token_datetime
        attrvalue: {now} or {date} {time}

but the attribute values were always static.

Is it possible to get a list of users (ldapresolver) with their last authentication time and other attributes directly from the database, for example via SQL?

Thank you.
T.

cornelinux · March 7, 2026, 10:53pm

You can use the new token janitor pi-tokenjanitor to find tokens,

that have been last used before a certain date like April 1st
and list the user attribute “email”.

    pi-tokenjanitor find --tokeninfo "last_auth<2026-04-01" list -u email

However, it might make more sense to write your own script, since it gives you maximum flexibility.
You can see scripts, that use the privacyidea libraries here: