
Re: logging failed binds
Erik Romjin writes:
> I'm running OpenLDAP 2.2.23 for user authentication.  As I would like
> to see bruteforce attempts for user passwords I would like OpenLDAP to
> log all failed binds (preferably without the entered, incorrect,
> password).

OpenLDAP does syslog that, when loglevel 256 or better is used.  (I
don't remember if this is new since 2.2.23 but I'm pretty sure it is
not.)  This loglevel logs most requests and responses.  Some erroneous
cases are not logged, like many protocol errors - including binds with
unsupported critical controls.

On the other hand, StartTLS requests were not logged before OpenLDAP
2.3.6.  Since you hopefully do not allow Simple Bind with password at
all over unprotected connections, then maybe that is what you were
missing - a log of failed attempts to establish TLS/SSL, after which the
connections were closed.

Anyway, put "loglevel 256" in slapd.conf (though I think that's the
default) and something like this in /etc/syslog.conf:
  local4.* /filename/for/ldap/logs
so syslog will log what slapd sends.  You may also need to set up
logrotate in cron so the ldap logs get rotated and deleted.

-- 
Hallvard
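Since the thread is about spotting brute-force attempts in what slapd sends to syslog, here is an added example (not part of the original messages) that parses stats-level (loglevel 256) log lines, pairs each BIND with its RESULT, and counts failed binds per client IP and DN. The log lines are constructed, and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample of slapd stats-level (loglevel 256) syslog lines.
SAMPLE_LOG = """\
Mar  1 10:00:01 ldap1 slapd[2345]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:41000 (IP=0.0.0.0:389)
Mar  1 10:00:01 ldap1 slapd[2345]: conn=1000 op=0 BIND dn="uid=erik,dc=example,dc=org" method=128
Mar  1 10:00:01 ldap1 slapd[2345]: conn=1000 op=0 RESULT tag=97 err=49 text=
Mar  1 10:00:02 ldap1 slapd[2345]: conn=1001 fd=13 ACCEPT from IP=192.0.2.10:41001 (IP=0.0.0.0:389)
Mar  1 10:00:02 ldap1 slapd[2345]: conn=1001 op=0 BIND dn="uid=erik,dc=example,dc=org" method=128
Mar  1 10:00:02 ldap1 slapd[2345]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  1 10:00:03 ldap1 slapd[2345]: conn=1002 fd=14 ACCEPT from IP=198.51.100.7:50000 (IP=0.0.0.0:389)
Mar  1 10:00:03 ldap1 slapd[2345]: conn=1002 op=0 BIND dn="uid=anna,dc=example,dc=org" method=128
Mar  1 10:00:03 ldap1 slapd[2345]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar  1 10:00:04 ldap1 slapd[2345]: conn=1003 fd=15 ACCEPT from IP=192.0.2.10:41002 (IP=0.0.0.0:389)
Mar  1 10:00:04 ldap1 slapd[2345]: conn=1003 op=0 BIND dn="uid=erik,dc=example,dc=org" method=128
Mar  1 10:00:04 ldap1 slapd[2345]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def failed_binds(log_text):
    """Return (client_ip, bind_dn, err) for every bind whose RESULT (same conn/op)
    is non-zero; tag=97 is the bind response, err=49 is invalidCredentials."""
    client_ip = {}          # conn -> IP from the ACCEPT line
    pending = {}            # (conn, op) -> DN from the BIND line, until its RESULT arrives
    failures = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            client_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) != "0":
                failures.append((client_ip.get(m.group(1), "?"), dn, int(m.group(3))))
    return failures

def suspicious_sources(log_text, threshold=3):
    """Count failed binds per (client IP, DN); threshold is an assumed cut-off."""
    counts = Counter((ip, dn) for ip, dn, _ in failed_binds(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (ip, dn), n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{n} failed binds for {dn} from {ip}")
```

Feed it the file that the local4.* line in syslog.conf writes to; the password never appears in these lines, only the DN and the result code.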