[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Evidence of client information in openldap accesslog

Matheus Morais wrote:
I got your point Marco. Its a very interesting idea really, I was looking for
something like that too. I'm wondering if its possible with slapo-accesslog to
record the IP address from client who perform bind/unbind. If we can record
this then its possible to track the user login on the server.

Currently slapo-accesslog does not record such information. However, you can get the relevant information using the nssov module instead of pam_ldap/nss_ldap. In that case, on successful logins you can configure the loginStatus attribute to be generated, which records the hostname where the login occurred as well as the hostname of the user's client, among other things.

On Thu, Aug 12, 2010 at 1:02 PM, Marco Pizzoli <marco.pizzoli@gmail.com
<mailto:marco.pizzoli@gmail.com>> wrote:

    Hi Jonathan, thank's for the answer.
    You're right, but I'm trying to implement a report to my security
    management and so I'm implemementing a meta-directory on top of
    access-logs written by a cluster of 4-way multi-master OL instances.
    Having to go to retrieve logs splitted locally on 4 machines is not so

    What I'm searching for, if is it possibile, is a way to propagate the
    information of the client machine to the authentication directory.
    And, as a consequence, obtain that information by means of a simple LDAP
    search to the accesslog.
    If necessary, I can go to manipulate the config of client OS (nss_ldap on
    Linux and secldapclntd on AIX).

    Thanks again

    On Thu, Aug 12, 2010 at 5:48 PM, Jonathan Clarke <jonathan@phillipoux.net
    <mailto:jonathan@phillipoux.net>> wrote:

        On 12/08/2010 14:23, Marco Pizzoli wrote:

            Hi list,
            I'm implementing slapo-accesslog in my openldap deployment.

            I have about 100 unix/linux systems that use a central openldap
            deployment to make authentication and grant access to users.

            With accesslog I'm able to see when a particular user has logged
            in, but
            is there a way to obtain, on the LDAP server side, information about
            which system has been accessed?

        You could analyze the server's logs (not accesslog, just the syslog,
        assuming a loglevel stats) to see which client IPs are connecting.

        Jonathan Clarke - jonathan@phillipoux.net <mailto:jonathan@phillipoux.net>
        Ldap Synchronization Connector (LSC) - http://lsc-project.org

    Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
                         Jim Morrison

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/