
RE: Patch to log failed simple binds (ITS#1809)



The syslog feature itself is system-dependent, so your patch needs to be
conditionalized. Surrounding it with #ifdef LDAP_SYSLOG might be a good
start.
Also, the Debug macro currently invokes syslog automatically if so configured,
so your patch may be better as a Debug invocation. (But in that case, you
can't control the syslog level directly so that may not be the best approach
after all.) The NEW_LOGGING facility provides more control, but is not yet
ready for prime time...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of jpdalbec@ysu.edu
> Sent: Wednesday, May 08, 2002 6:26 AM
> To: openldap-its@OpenLDAP.org
> Subject: Patch to log failed simple binds (ITS#1809)
>
>
> Full_Name: John Dalbec
> Version: 2.0.21
> OS: Red Hat Linux 7.1
> URL: ftp://ftp.openldap.org/incoming/John-Dalbec-020508.patch
> Submission from: (NULL) (150.134.8.36)
>
>
> OpenLDAP does not provide logging of failed LDAP binds.
> This makes it possible for an attacker to brute-force LDAP passwords without
> alerting the system administrator.
> I propose the following patch (against CVS) to log failed simple LDAP binds.
> (I'm not sure how to log failed SASL binds.  Or does that happen already?)
> I'm not sure of the best loglevel to use for this.  I've selected LOG_WARNING
> but you may prefer another choice.  I built the message content from the
> Statslog message for a successful bind, adding the peername to avoid having
> to log all connections in order to be able to trace them back to an IP.
> Constructive feedback appreciated, thanks.
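A self-contained sketch of the two points raised in this exchange (compiling the syslog call in only under LDAP_SYSLOG, and building a failed-bind message that carries the peer address so the attempt can be traced without logging every connection), as an added example that is neither the patch from the ITS nor OpenLDAP's own code. The `bind_attempt` struct, the `failed_bind_message()` and `log_failed_bind()` helpers and the message layout are assumptions made here; OpenLDAP's real Statslog and Debug macros are not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Fields a bind handler would have in hand. This struct is an assumption
 * for the example, not OpenLDAP's own connection/operation types. */
struct bind_attempt {
    unsigned long conn_id;
    unsigned long op_id;
    const char *dn;        /* bind DN as sent by the client */
    const char *peername;  /* e.g. "IP=192.0.2.10:51234" (constructed value) */
    int method;            /* 128 is assumed here for a simple bind (LDAP_AUTH_SIMPLE) */
    int result;            /* LDAP result code; 49 = invalidCredentials */
};

/* Build the log line for a failed bind into buf, modelled loosely on a
 * Statslog-style "conn= op= BIND" line plus the peer name.
 * Returns the number of characters written (excluding NUL), or -1 when the
 * bind did not fail or the buffer is too small. The DN is logged as sent;
 * the password is deliberately never part of the message. */
int failed_bind_message(const struct bind_attempt *b, char *buf, size_t len)
{
    int n;
    if (b->result == 0) return -1;      /* successful bind: nothing to log here */
    n = snprintf(buf, len,
                 "conn=%lu op=%lu BIND dn=\"%s\" method=%d err=%d %s",
                 b->conn_id, b->op_id, b->dn ? b->dn : "",
                 b->method, b->result, b->peername ? b->peername : "");
    if (n < 0 || (size_t)n >= len) return -1;   /* truncated: treat as failure */
    return n;
}

/* Emit the message. The syslog path is compiled in only when LDAP_SYSLOG is
 * defined, as the reply suggests; the priority is chosen directly here
 * (LOG_WARNING, the level the patch proposes), which a generic Debug-style
 * macro that picks its own syslog level cannot offer. Returns the syslog
 * priority used, or -1 when the line went to stderr instead (or was not built). */
int log_failed_bind(const struct bind_attempt *b)
{
    char buf[512];
    if (failed_bind_message(b, buf, sizeof buf) < 0) return -1;
#ifdef LDAP_SYSLOG
    syslog(LOG_WARNING, "%s", buf);
    return LOG_WARNING;
#else
    fprintf(stderr, "%s\n", buf);
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample: invalidCredentials (49) on a simple bind from a test address. */
    struct bind_attempt a = { 7, 1, "cn=admin,dc=example,dc=com",
                              "IP=192.0.2.10:51234", 128, 49 };
    log_failed_bind(&a);
    return 0;
}
```

Compile with `-DLDAP_SYSLOG` to route the line through syslog(3) at LOG_WARNING; without it the same line goes to stderr, which is the point of keeping the system-dependent call behind the conditional.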