
Re: Evidence of client information in openldap accesslog



Sounds great Howard, I will try this tonight!

Thanks,

Matheus Morais

On Thu, Aug 12, 2010 at 4:54 PM, Howard Chu <hyc@symas.com> wrote:
Matheus Morais wrote:
I got your point Marco. It's a very interesting idea really, I was looking for
something like that too. I'm wondering if it's possible with slapo-accesslog to
record the IP address of the client that performs the bind/unbind. If we can record
this then it's possible to track the user login on the server.

Currently slapo-accesslog does not record such information. However, you can get the relevant information using the nssov module instead of pam_ldap/nss_ldap. In that case, on successful logins you can configure the loginStatus attribute to be generated, which records the hostname where the login occurred as well as the hostname of the user's client, among other things.

On Thu, Aug 12, 2010 at 1:02 PM, Marco Pizzoli <marco.pizzoli@gmail.com> wrote:

   Hi Jonathan, thanks for the answer.
   You're right, but I'm trying to implement a report for my security
   management and so I'm implementing a meta-directory on top of
   access-logs written by a cluster of 4-way multi-master OL instances.
   Having to retrieve logs split locally across 4 machines is not so
   effective.

   What I'm searching for, if it is possible, is a way to propagate the
   information about the client machine to the authentication directory.
   And, as a consequence, obtain that information by means of a simple LDAP
   search of the accesslog.
   If necessary, I can manipulate the config of the client OS (nss_ldap on
   Linux and secldapclntd on AIX).

   Thanks again
   Marco


   On Thu, Aug 12, 2010 at 5:48 PM, Jonathan Clarke <jonathan@phillipoux.net> wrote:

       On 12/08/2010 14:23, Marco Pizzoli wrote:

           Hi list,
           I'm implementing slapo-accesslog in my openldap deployment.

           I have about 100 unix/linux systems that use a central openldap
           deployment for authentication and to grant access to users.

           With accesslog I'm able to see when a particular user has logged
           in, but
           is there a way to obtain, on the LDAP server side, information about
           which system has been accessed?


       You could analyze the server's logs (not accesslog, just the syslog,
       assuming a loglevel stats) to see which client IPs are connecting.

       Jonathan
       --
       --------------------------------------------------------------
       Jonathan Clarke - jonathan@phillipoux.net

       --------------------------------------------------------------
       Ldap Synchronization Connector (LSC) - http://lsc-project.org
       --------------------------------------------------------------




   --
   _________________________________________
   It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get up again.
                        Jim Morrison




--
 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/
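One way to act on Jonathan's suggestion of mining the slapd syslog output (loglevel stats) rather than slapo-accesslog, as an added example that is not part of this thread or of OpenLDAP itself: at that loglevel slapd logs an ACCEPT line carrying the client IP for each connection, a BIND line carrying the DN for each bind operation, and a RESULT line with tag=97 (the BIND response) carrying the error code. Joining those three on the connection and operation numbers yields "who bound, from which host, and whether it succeeded". The log lines below are constructed for the example, and the function and class names (bind_events, logins_by_host, BindEvent) are this example's own. Because connection numbers restart per server, the parser keys connections by server name, which is what lets the syslog of all four multi-master nodes be concatenated and processed as one stream. Two caveats a practitioner would want: the IP seen by slapd is the host running nss_ldap/pam_ldap, so if a load balancer or proxy sits in front of the servers that is the address you will see; and anonymous binds (dn="") from ordinary NSS lookups are skipped, since they say nothing about a user login.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of slapd syslog output at loglevel "stats" (not taken
# from the thread). Logs from two servers are concatenated, as they would be
# after collecting syslog from each node of the multi-master cluster.
SAMPLE_LOG = """\
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:54321 (IP=0.0.0.0:389)
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 op=1 UNBIND
Aug 12 14:23:01 ldap1 slapd[1234]: conn=1000 fd=12 closed
Aug 12 14:24:30 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=192.0.2.10:54330 (IP=0.0.0.0:389)
Aug 12 14:24:30 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Aug 12 14:24:30 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Aug 12 14:24:30 ldap1 slapd[1234]: conn=1001 fd=13 closed
Aug 12 14:25:17 ldap2 slapd[2345]: conn=57 fd=9 ACCEPT from IP=192.0.2.44:40112 (IP=0.0.0.0:389)
Aug 12 14:25:17 ldap2 slapd[2345]: conn=57 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Aug 12 14:25:17 ldap2 slapd[2345]: conn=57 op=0 RESULT tag=97 err=49 text=
Aug 12 14:25:17 ldap2 slapd[2345]: conn=57 fd=9 closed
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> slapd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<server>\S+) slapd\[\d+\]: (?P<msg>.*)$")
# IPv4 appears as IP=1.2.3.4:port, IPv6 as IP=[::1]:port
ACCEPT_RE = re.compile(
    r"^conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\[[^\]]+\]|[0-9.]+):\d+")
# only the first BIND line (method=) is matched; the "mech=SIMPLE ssf=0" line is skipped
BIND_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
# tag=97 is the BIND response, so this RESULT belongs to the bind with the same conn/op
RESULT_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")
CLOSE_RE = re.compile(r"^conn=(?P<conn>\d+) fd=\d+ closed")


@dataclass
class BindEvent:
    ts: str
    server: str      # LDAP server that handled the bind
    client_ip: str   # host the bind came from (the system the user logged into)
    dn: str
    err: int         # 0 = success, 49 = invalidCredentials, ...


def bind_events(log_text):
    """Join ACCEPT/BIND/RESULT lines into one event per non-anonymous bind."""
    clients = {}   # (server, conn) -> client ip, while the connection is open
    pending = {}   # (server, conn, op) -> dn, until the RESULT arrives
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, server, msg = m["ts"], m["server"], m["msg"]
        if a := ACCEPT_RE.match(msg):
            clients[(server, a["conn"])] = a["ip"]
        elif b := BIND_RE.match(msg):
            if b["dn"]:  # skip anonymous binds from plain NSS lookups
                pending[(server, b["conn"], b["op"])] = b["dn"]
        elif r := RESULT_RE.match(msg):
            dn = pending.pop((server, r["conn"], r["op"]), None)
            if dn is not None:
                ip = clients.get((server, r["conn"]), "?")
                events.append(BindEvent(ts, server, ip, dn, int(r["err"])))
        elif c := CLOSE_RE.match(msg):
            clients.pop((server, c["conn"]), None)
    return events


def logins_by_host(events):
    """Map each DN to the set of client hosts it successfully bound from."""
    hosts = defaultdict(set)
    for e in events:
        if e.err == 0:
            hosts[e.dn].add(e.client_ip)
    return dict(hosts)


if __name__ == "__main__":
    evs = bind_events(SAMPLE_LOG)
    for e in evs:
        status = "OK" if e.err == 0 else f"FAILED err={e.err}"
        print(f"{e.ts} {e.server}: {e.dn} from {e.client_ip} {status}")
    print(logins_by_host(evs))
```

Feed it the concatenated syslog of all masters (for example `cat /var/log/slapd-*.log | python3 thisscript.py` after adapting the main block to read stdin); failed binds (err=49) stay in the event list so the same pass can drive a brute-force or lockout report, while logins_by_host gives the per-user "which systems" view the original question asked for.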