
Last login time with Glassfish and OpenDS - LDAP credentials cached?

I have configured Glassfish 3.0 to use an OpenDS 2.2 directory for user authentication using the ldap realm. User authentication works fine (I'm using a web application with form-login configured), however I have noticed the following behaviour and I can't understand what's causing it:

  • my OpenDS server is configured to track users' last login time using the attribute ds-pwp-last-login-time (as configured in the users' password policy); the first time a user logs in after Glassfish startup, the ds-pwp-last-login-time attribute is correctly set, however the attribute is not updated after every subsequent successful login
  • after restarting Glassfish or disabling/enabling the web application I'm using, the attribute ds-pwp-last-login-time is again set correctly the first time a user logs in, but it is then never set again

I believe the possible causes of this are either:

  • during the first login after a server/application restart, a step is carried out by the server that causes the ds-pwp-last-login-time attribute to be updated, however this is not the case for subsequent logins
  • Glassfish keeps a local cache of the users that have already authenticated to the server using the ldap realm

I've inspected the server log with the security logger set to FINEST and I found that during the first login for each single user, the following lines are output:

....
[Web-Security] Policy Context ID was: MyApp/MyApp|#]
[Web-Security] Generating a protection domain for Permission check.|#]
[Web-Security] Checking with Principal : testuser|#]
[Web-Security] Checking with Principal : TestRole|#]
[Web-Security] Checking with Principal : dc=groups|#]
[Web-Security] Checking with Principal : dc=test|#]
[Web-Security] Checking with Principal : dc=com|#]
[Web-Security] Codesource with Web URL: file:/MyApp/MyApp|#]
...

Does anyone know how to configure Glassfish/OpenDS so that the ds-pwp-last-login-time attribute is correctly set after every successful login? Does anyone know what the section Generating a protection domain for Permission check shown in the server log is doing?


You may want to check in the OpenDS access log whether there is a Bind request each time the user logs in. If not, that means there is some caching in GlassFish. The other thing to look at is the ds-cfg-last-login-time-format attribute, part of the Password Policy. The default is to capture the last login time with day resolution, so the last-login-time only changes if the login occurs on the next day (usually defeating tests).

Ludo

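The two checks in the answer, as an added example that is not part of the original thread and not code from GlassFish or OpenDS: correlate BIND REQ/RES lines in an OpenDS-style access log to count how many application logins actually reached the directory as binds (any shortfall is the caching symptom), and compute what ds-pwp-last-login-time would store under a given ds-cfg-last-login-time-format so you can see why two same-day logins leave the attribute untouched at day resolution. The log lines are constructed for the example, the exact real log layout and the Java-to-strftime pattern mapping are assumptions, and "yyyyMMdd" is taken as the day-resolution default the answer describes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of an OpenDS 2.x access log (not the poster's
# log). It shows one successful simple BIND for testuser, the group lookup that
# follows it, and one failed BIND (result=49) for a second user. The precise
# layout of real log lines is an assumption of this example.
SAMPLE_ACCESS_LOG = """\
[16/Feb/2011:10:35:41 +0100] CONNECT conn=12 from=127.0.0.1:54321 to=127.0.0.1:1389 protocol=LDAP
[16/Feb/2011:10:35:41 +0100] BIND REQ conn=12 op=0 msgID=1 type=SIMPLE dn="uid=testuser,dc=test,dc=com"
[16/Feb/2011:10:35:41 +0100] BIND RES conn=12 op=0 msgID=1 result=0 authDN="uid=testuser,dc=test,dc=com" etime=3
[16/Feb/2011:10:35:41 +0100] SEARCH REQ conn=12 op=1 msgID=2 base="dc=groups,dc=test,dc=com" scope=wholeSubtree filter="(uniqueMember=uid=testuser,dc=test,dc=com)" attrs="cn"
[16/Feb/2011:10:35:41 +0100] SEARCH RES conn=12 op=1 msgID=2 result=0 nentries=1 etime=1
[16/Feb/2011:10:36:12 +0100] BIND REQ conn=12 op=2 msgID=3 type=SIMPLE dn="uid=otheruser,dc=test,dc=com"
[16/Feb/2011:10:36:12 +0100] BIND RES conn=12 op=2 msgID=3 result=49 etime=2
"""

BIND_REQ = re.compile(r'\] BIND REQ conn=(\d+) op=(\d+) .*?dn="([^"]*)"')
BIND_RES = re.compile(r'\] BIND RES conn=(\d+) op=(\d+) .*?result=(\d+)')


def bind_attempts(log_text):
    """Count BIND REQ lines per bind DN: one per time the directory was
    actually asked to authenticate that user."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = BIND_REQ.search(line)
        if m:
            attempts[m.group(3)] += 1
    return attempts


def successful_binds(log_text):
    """Count successful binds per DN. The RES line of a failed bind carries no
    authDN, so each BIND RES is tied back to its BIND REQ via (conn, op)."""
    pending = {}
    successes = Counter()
    for line in log_text.splitlines():
        req = BIND_REQ.search(line)
        if req:
            pending[(req.group(1), req.group(2))] = req.group(3)
            continue
        res = BIND_RES.search(line)
        if res:
            dn = pending.pop((res.group(1), res.group(2)), None)
            if dn is not None and res.group(3) == "0":
                successes[dn] += 1
    return successes


def missing_binds(expected_logins, log_text):
    """Per DN: how many application logins never reached the directory as a
    bind. A positive number means GlassFish answered those logins without
    consulting OpenDS, i.e. from a cache."""
    seen = bind_attempts(log_text)
    return {dn: n - seen.get(dn, 0) for dn, n in expected_logins.items()}


# Java SimpleDateFormat patterns for ds-cfg-last-login-time-format mapped to
# strftime. "yyyyMMdd" is the day-resolution default the answer describes;
# the mapping itself is an assumption of this example.
LAST_LOGIN_FORMATS = {
    "yyyyMMdd": "%Y%m%d",
    "yyyyMMddHHmm": "%Y%m%d%H%M",
    "yyyyMMddHHmmss": "%Y%m%d%H%M%S",
}


def last_login_value(when_iso, java_format="yyyyMMdd"):
    """String the directory would store in ds-pwp-last-login-time for a
    successful bind at the given ISO-8601 time."""
    return datetime.fromisoformat(when_iso).strftime(LAST_LOGIN_FORMATS[java_format])


def attribute_changes(previous_iso, new_iso, java_format="yyyyMMdd"):
    """True if a second successful bind would yield a different stored value.
    At day resolution two logins on the same day are indistinguishable."""
    return last_login_value(previous_iso, java_format) != last_login_value(new_iso, java_format)


if __name__ == "__main__":
    # Suppose the web application recorded three form logins for testuser
    # while the log above was captured.
    print(missing_binds({"uid=testuser,dc=test,dc=com": 3}, SAMPLE_ACCESS_LOG))
    print(attribute_changes("2011-02-16T10:35:41", "2011-02-16T10:36:12"))
    print(attribute_changes("2011-02-16T10:35:41", "2011-02-16T10:36:12", "yyyyMMddHHmmss"))
```

Run it against the real access log and compare the bind count per DN with the number of form logins you performed: if the second login of the same user produced no BIND REQ, the realm is caching and no password policy setting will help; if every login binds but the attribute still does not move, switch the policy's last-login-time format to one with seconds resolution before concluding anything.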