Re: auditing failed login attempts

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Tuesday, September 17, 2013 5:25 PM -0700 "Paul B. Henson" 
<henson@acm.org> wrote:

> Our security group is hassling us because we don't currently provide them
> an audit log of failed login attempts on our LDAP servers. For most of our
> other systems, we simply provide them a syslog feed with this information.
> However, openldap doesn't appear to have a logging level that provides
> detail about login attempts on a single line, but rather across many lines
> that would need to be correlated. It seems more like connection debugging
> logging as opposed to authentication logging.
>
> It looks like we might need to set up an accesslog overlay to log all of
> the attempted binds and then have a separate process that runs through
> that and generates the syslog feed to our ISO group's central logging
> server? That's a bit more overhead than I would like.
>
> Are there any other simpler ways of generating failed login logs?

slapo-auditlog?
slapo-accesslog?

Don't know if you use it, but your security team may like you to use 
ppolicy:
<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra ::  the leader in open source messaging and collaboration