[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Patch to log failed simple binds (ITS#1809)

The syslog feature itself is system-dependent, so your patch needs to be
conditionalized. Surrounding it with #ifdef LDAP_SYSLOG might be a good
Also, the Debug macro currently invokes syslog automatically if so
so your patch may be better as a Debug invocation. (But in that case, you
can't control the syslog level directly so that may not be the best approach
after all.) The NEW_LOGGING facility provides more control, but is not yet
ready for prime time...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of jpdalbec@ysu.edu
> Sent: Wednesday, May 08, 2002 6:26 AM
> To: openldap-its@OpenLDAP.org
> Subject: Patch to log failed simple binds (ITS#1809)
> Full_Name: John Dalbec
> Version: 2.0.21
> OS: Red Hat Linux 7.1
> URL: ftp://ftp.openldap.org/incoming/John-Dalbec-020508.patch
> Submission from: (NULL) (
> OpenLDAP does not provide logging of failed LDAP binds.
> This makes it possible for an attacker to brute-force LDAP
> passwords without
> alerting the system administrator.
> I propose the following patch (against CVS) to log failed simple
> LDAP binds.
> (I'm not sure how to log failed SASL binds.  Or does that happen already?)
> I'm not sure of the best loglevel to use for this.  I've selected
> but you may prefer another choice.  I built the message content from the
> Statslog
> message for a successful bind, adding the peername to avoid
> having to log all
> connections in order to be able to trace them back to an IP.
> Constructive feedback appreciated, thanks.