[Date Prev][Date Next] [Chronological] [Thread] [Top]

Patch to log failed simple binds (ITS#1809)

Full_Name: John Dalbec
Version: 2.0.21
OS: Red Hat Linux 7.1
URL: ftp://ftp.openldap.org/incoming/John-Dalbec-020508.patch
Submission from: (NULL) (

OpenLDAP does not provide logging of failed LDAP binds.
This makes it possible for an attacker to brute-force LDAP passwords without
alerting the system administrator.
I propose the following patch (against CVS) to log failed simple LDAP binds. 
(I'm not sure how to log failed SASL binds.  Or does that happen already?)
I'm not sure of the best loglevel to use for this.  I've selected LOG_WARNING
but you may prefer another choice.  I built the message content from the
message for a successful bind, adding the peername to avoid having to log all
connections in order to be able to trace them back to an IP.
Constructive feedback appreciated, thanks.