[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: auditing failed login attempts

To: Quanah Gibson-Mount <quanah@zimbra.com>, "Paul B. Henson" <henson@acm.org>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: auditing failed login attempts
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Date: Wed, 18 Sep 2013 10:02:07 -0700
Accept-language: en-US
Acceptlanguage: en-US
Content-language: en-US
In-reply-to: <9D549F3111619BC29287C89C@[192.168.1.22]>
References: <e9bb01ceb405$a2031430$e6093c90$@acm.org> <9D549F3111619BC29287C89C@[192.168.1.22]>
Thread-index: Ac60Djjkoz4ljamyTfaQ/BpfL48+yQAfiXzA
Thread-topic: auditing failed login attempts

Caveat with using ppolicy to sync pwdfailures, etc:

I've failed in my attempts to get both of the following to work at same time:
1) passwords are actually checked (vs anything submitted for password will work)
2) and getting ppolicy pwdfailures to replicate from slaves to the master

Obviously #1 trumps #2.

Perhaps I did something wrong (along with follow up users), but no-one offered any suggestions or pointers, or things are better now.

Just make sure you test bad passwords before you assume 'authentication is working'.

Caveat Emptor.
- chris

-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount
Sent: Tuesday, September 17, 2013 5:53 PM
To: Paul B. Henson; openldap-technical@openldap.org
Subject: Re: auditing failed login attempts

--On Tuesday, September 17, 2013 5:25 PM -0700 "Paul B. Henson"
<henson@acm.org> wrote:

> Our security group is hassling us because we don't currently provide
> them an audit log of failed login attempts on our LDAP servers. For
> most of our other systems, we simply provide them a syslog feed with this information.
> However, openldap doesn't appear to have a logging level that provides
> detail about login attempts on a single line, but rather across many
> lines that would need to be correlated. It seems more like connection
> debugging logging as opposed to authentication logging.
>
> It looks like we might need to set up an accesslog overlay to log all
> of the attempted binds and then have a separate process that runs
> through that and generates the syslog feed to our ISO group's central
> logging server? That's a bit more overhead than I would like.
>
> Are there any other simpler ways of generating failed login logs?

slapo-auditlog?
slapo-accesslog?

Don't know if you use it, but your security team may like you to use
ppolicy:
<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra Software, LLC
--------------------
Zimbra ::  the leader in open source messaging and collaboration



This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

Follow-Ups:
- Re: auditing failed login attempts
  - From: Michael Proto <michael.proto@tstllc.net>

References:
- auditing failed login attempts
  - From: "Paul B. Henson" <henson@acm.org>
- Re: auditing failed login attempts
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: building SLES packages on openSuSE Build Service
Next by Date: Re: auditing failed login attempts
Index(es):
- Chronological
- Thread