Erik Romjin writes:

> I'm running OpenLDAP 2.2.23 for user authentication. As I would like
> to see brute-force attempts for user passwords I would like OpenLDAP to
> log all failed binds (preferably without the entered, incorrect,
> password).
OpenLDAP does syslog that, when loglevel 256 or better is used. (I don't remember if this is new since 2.2.23 but I'm pretty sure it is not.)

This loglevel logs most requests and responses. Some erroneous cases are not logged, like many protocol errors - including binds with unsupported critical controls. On the other hand, StartTLS requests were not logged before OpenLDAP 2.3.6. Since you hopefully do not allow Simple Bind with password at all over unprotected connections, maybe that is what you were missing - a log of failed attempts to establish TLS/SSL, after which the connections were closed.

Anyway, put "loglevel 256" in slapd.conf (though I think that's the default) and something like this in /etc/syslog.conf:

    local4.* /filename/for/ldap/logs

so syslog will log what slapd sends. You may also need to set up logrotate in cron so the ldap logs get rotated and deleted.

-- 
Hallvard
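A defender-side illustration of what the loglevel 256 output gives you, added here and not part of Hallvard's reply: at this level slapd logs each BIND (DN and method only, never the password) and its RESULT on separate lines, so failed simple binds have to be correlated by conn= and op=, with the client IP taken from the ACCEPT line. The log line layout is slapd's standard stats format; the sample lines and the `flag_sources` threshold are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of slapd syslog output at loglevel 256 (stats level).
# These are made-up lines, not log data from the thread.
SAMPLE_LOG = """\
Jan  5 10:00:01 ldap slapd[123]: conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51000 (IP=0.0.0.0:389)
Jan  5 10:00:01 ldap slapd[123]: conn=1000 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
Jan  5 10:00:01 ldap slapd[123]: conn=1000 op=0 RESULT tag=97 err=49 text=
Jan  5 10:00:02 ldap slapd[123]: conn=1000 op=1 BIND dn="uid=alice,dc=example,dc=com" method=128
Jan  5 10:00:02 ldap slapd[123]: conn=1000 op=1 RESULT tag=97 err=49 text=
Jan  5 10:00:03 ldap slapd[123]: conn=1001 fd=13 ACCEPT from IP=198.51.100.7:40000 (IP=0.0.0.0:389)
Jan  5 10:00:03 ldap slapd[123]: conn=1001 op=0 BIND dn="uid=bob,dc=example,dc=com" method=128
Jan  5 10:00:03 ldap slapd[123]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan  5 10:00:04 ldap slapd[123]: conn=1000 op=2 BIND dn="uid=carol,dc=example,dc=com" method=128
Jan  5 10:00:04 ldap slapd[123]: conn=1000 op=2 RESULT tag=97 err=49 text=
"""

# ACCEPT carries the peer address (IPv4, or IPv6 in brackets); BIND and RESULT
# are matched up by the conn= and op= counters. tag=97 is a bindResponse.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[\d.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

def failed_binds(log_text):
    """Return (per_ip, per_dn) Counters of binds that ended in err=49."""
    ip_of_conn = {}          # conn id -> client IP, from the ACCEPT line
    pending = {}             # (conn, op) -> DN of a BIND awaiting its RESULT
    per_ip, per_dn = Counter(), Counter()
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            ip_of_conn[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":   # 49 = invalidCredentials
                per_ip[ip_of_conn.get(m.group(1), "unknown")] += 1
                per_dn[dn] += 1
    return per_ip, per_dn

def flag_sources(per_ip, threshold=3):
    """Client IPs whose failed-bind count reaches the (constructed) threshold."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    ips, dns = failed_binds(SAMPLE_LOG)
    print("failed binds per IP:", dict(ips))
    print("failed binds per DN:", dict(dns))
    print("flagged:", flag_sources(ips))
```

A bind that gets no RESULT line (connection dropped mid-way) stays in `pending` and is not counted; note that a successful bind (err=0) from the same IP does not reset its count.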
