RE: auditing failed login attempts
- To: "'Quanah Gibson-Mount'" <quanah@zimbra.com>, <openldap-technical@openldap.org>
- Subject: RE: auditing failed login attempts
- From: "Paul B. Henson" <henson@acm.org>
- Date: Wed, 18 Sep 2013 11:19:37 -0700
> From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
>
> slapo-auditlog?

From the documentation, it looks like that only logs changes, not
accesses/binds?

> slapo-accesslog?

That is one of the options I mentioned in my initial inquiry, it's just
going to induce a bit more overhead than I would like as far as getting our
security group the plaintext log records they want. It would be nice if one
of the syslog options simply included authentication logging that included
everything (username, source IP, success/failure) on one line. Also, can you
have more than one accesslog overlay for a given database? We're currently
using regular syncrepl, but plan to transition to delta syncrepl, which also
requires an accesslog overlay.

> Don't know if you use it, but your security team may like you to use
> policy

We don't currently, we are actually using a central identity management
system for account/password expiration and history; however, our security
group is pushing us to enable failed login lockout, so we will most likely
be looking into it soon.

Thanks much.
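
An added example, not part of the original message: one way to produce the single-line records described above (bind DN, source IP, success/failure) is to correlate slapd's per-connection syslog lines by `conn=` and `op=`. It assumes slapd logs at the `stats` level with traditional syslog timestamps and handles simple binds only (`method=128`); the sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample of slapd "stats"-level syslog output (assumed line format).
SAMPLE_LOG = """\
Sep 18 11:00:01 ldap1 slapd[1234]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Sep 18 11:00:01 ldap1 slapd[1234]: conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40022 (IP=0.0.0.0:389)
Sep 18 11:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Sep 18 11:00:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Sep 18 11:00:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Sep 18 11:00:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 18 11:00:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 18 11:00:03 ldap1 slapd[1234]: conn=1001 fd=14 closed (connection lost)
"""

ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97: bind response
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed")

def bind_events(lines):
    """Yield (timestamp, dn, source_ip, outcome) for each completed simple bind."""
    conns = {}  # conn id -> {"ip": source IP, "binds": {op id: bind DN}}
    for line in lines:
        if m := ACCEPT_RE.search(line):
            conns[m[1]] = {"ip": m[2], "binds": {}}
        elif m := BIND_RE.search(line):
            # A connection accepted before the log window starts has no known peer.
            conns.setdefault(m[1], {"ip": "unknown", "binds": {}})["binds"][m[2]] = m[3]
        elif m := RESULT_RE.search(line):
            dn = conns.get(m[1], {"binds": {}})["binds"].pop(m[2], None)
            if dn is None:
                continue  # bind response with no matching simple BIND line
            outcome = "success" if m[3] == "0" else f"failure(err={m[3]})"
            # First 15 characters hold the traditional syslog timestamp.
            yield line[:15], dn or "(anonymous)", conns[m[1]]["ip"], outcome
        elif m := CLOSE_RE.search(line):
            conns.pop(m[1], None)  # drop per-connection state once the socket closes

def one_line(event):
    """Render a correlated bind event as a single audit line."""
    ts, dn, ip, outcome = event
    return f'{ts} bind dn="{dn}" src={ip} result={outcome}'

if __name__ == "__main__":
    for ev in bind_events(SAMPLE_LOG.splitlines()):
        print(one_line(ev))
```
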