
Re: auditing failed login attempts



--On Tuesday, September 17, 2013 5:25 PM -0700 "Paul B. Henson" <henson@acm.org> wrote:

Our security group is hassling us because we don't currently provide them
an audit log of failed login attempts on our LDAP servers. For most of our
other systems, we simply provide them a syslog feed with this information.
However, openldap doesn't appear to have a logging level that provides
detail about login attempts on a single line, but rather across many lines
that would need to be correlated. It seems more like connection debugging
logging as opposed to authentication logging.

It looks like we might need to set up an accesslog overlay to log all of
the attempted binds and then have a separate process that runs through
that and generates the syslog feed to our ISO group's central logging
server? That's a bit more overhead than I would like.

Are there any other simpler ways of generating failed login logs?

slapo-auditlog?
slapo-accesslog?

Don't know if you use it, but your security team may like you to use ppolicy:
<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra ::  the leader in open source messaging and collaboration