[Date Prev][Date Next] [Chronological] [Thread] [Top]

Patch to log failed simple binds (ITS#1809)

To: openldap-its@OpenLDAP.org
Subject: Patch to log failed simple binds (ITS#1809)
From: jpdalbec@ysu.edu
Date: Wed, 8 May 2002 13:25:53 GMT

Full_Name: John Dalbec
Version: 2.0.21
OS: Red Hat Linux 7.1
URL: ftp://ftp.openldap.org/incoming/John-Dalbec-020508.patch
Submission from: (NULL) (150.134.8.36)


OpenLDAP does not provide logging of failed LDAP binds.
This makes it possible for an attacker to brute-force LDAP passwords without
alerting the system administrator.
I propose the following patch (against CVS) to log failed simple LDAP binds. 
(I'm not sure how to log failed SASL binds.  Or does that happen already?)
I'm not sure of the best loglevel to use for this.  I've selected LOG_WARNING
but you may prefer another choice.  I built the message content from the
Statslog
message for a successful bind, adding the peername to avoid having to log all
connections in order to be able to trace them back to an IP.
Constructive feedback appreciated, thanks.

Prev by Date: format string exploit in OpenLDAP server (ITS#1813)
Next by Date: Re: Non-unique msgid for abandon in back-<shell,tcl> (ITS#1793)
Index(es):
- Chronological
- Thread