Sounds great Howard, I will try this tonight! Thanks,
Matheus Morais

On Thu, Aug 12, 2010 at 4:54 PM, Howard Chu <[email protected]> wrote:

> Matheus Morais wrote:
>
>> I got your point Marco. It's a very interesting idea really, I was looking for
>> something like that too. I'm wondering if it's possible with slapo-accesslog to
>> record the IP address of the client that performs bind/unbind. If we can record
>> this then it's possible to track the user login on the server.
>
> Currently slapo-accesslog does not record such information. However, you
> can get the relevant information using the nssov module instead of
> pam_ldap/nss_ldap. In that case, on successful logins you can configure the
> loginStatus attribute to be generated, which records the hostname where the
> login occurred as well as the hostname of the user's client, among other
> things.
>
>> On Thu, Aug 12, 2010 at 1:02 PM, Marco Pizzoli <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>     Hi Jonathan, thanks for the answer.
>>     You're right, but I'm trying to implement a report for my security
>>     management and so I'm implementing a meta-directory on top of
>>     access-logs written by a cluster of 4-way multi-master OL instances.
>>     Having to go and retrieve logs split locally across 4 machines is not so
>>     effective.
>>
>>     What I'm searching for, if it is possible, is a way to propagate the
>>     information about the client machine to the authentication directory.
>>     And, as a consequence, obtain that information by means of a simple LDAP
>>     search of the accesslog.
>>     If necessary, I can manipulate the config of the client OS (nss_ldap on
>>     Linux and secldapclntd on AIX).
>>
>>     Thanks again
>>     Marco
>>
>>
>>     On Thu, Aug 12, 2010 at 5:48 PM, Jonathan Clarke <[email protected]
>>     <mailto:[email protected]>> wrote:
>>
>>         On 12/08/2010 14:23, Marco Pizzoli wrote:
>>
>>             Hi list,
>>             I'm implementing slapo-accesslog in my openldap deployment.
>>
>>             I have about 100 unix/linux systems that use a central openldap
>>             deployment to make authentication and grant access to users.
>>
>>             With accesslog I'm able to see when a particular user has logged
>>             in, but is there a way to obtain, on the LDAP server side,
>>             information about which system has been accessed?
>>
>>
>>         You could analyze the server's logs (not accesslog, just the syslog,
>>         assuming a loglevel stats) to see which client IPs are connecting.
>>
>>         Jonathan
>>         --
>>         --------------------------------------------------------------
>>         Jonathan Clarke - [email protected] <mailto:[email protected]>
>>         --------------------------------------------------------------
>>         Ldap Synchronization Connector (LSC) - http://lsc-project.org
>>         --------------------------------------------------------------
>>
>>
>>     --
>>     _________________________________________
>>     It is not the one who never falls who is strong, but the one who, on
>>     falling, has the strength to get up again.
>>     Jim Morrison
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
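
Added example, not part of the original thread and not code from any of its participants: one way to apply the syslog approach suggested above is to join each slapd `ACCEPT` line (client IP) to the `BIND`/`RESULT` lines on the same connection, so every bind is attributed to the machine it came from. It assumes the usual slapd `loglevel stats` line layout behind a standard syslog prefix; the hostnames `ldap1`/`ldap2`, the DNs and the addresses are constructed sample data.

```python
import re

# Constructed slapd syslog lines at "loglevel stats" from two servers (not real data).
SAMPLE_LOG = """\
Aug 12 14:23:01 ldap1 slapd[2211]: conn=1001 fd=14 ACCEPT from IP=192.0.2.21:51514 (IP=0.0.0.0:389)
Aug 12 14:23:01 ldap1 slapd[2211]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:01 ldap1 slapd[2211]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 12 14:23:01 ldap1 slapd[2211]: conn=1001 op=0 RESULT tag=97 err=0 text=
Aug 12 14:23:04 ldap2 slapd[1870]: conn=1001 fd=9 ACCEPT from IP=192.0.2.35:40022 (IP=0.0.0.0:389)
Aug 12 14:23:04 ldap2 slapd[1870]: conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:04 ldap2 slapd[1870]: conn=1001 op=0 RESULT tag=97 err=49 text=
Aug 12 14:23:05 ldap1 slapd[2211]: conn=1001 fd=14 closed
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) slapd\[\d+\]: (.*)$")
ACCEPT = re.compile(r"^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+\s")
BIND = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT = re.compile(r"^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")
CLOSED = re.compile(r"^conn=(\d+) fd=\d+ closed")


def bind_events(lines):
    """Return (time, server, client_ip, dn, err) for every bind that got a result."""
    peers, pending, events = {}, {}, []
    for line in lines:
        head = PREFIX.match(line)
        if not head:
            continue
        ts, server, msg = head.groups()
        # conn= numbers are only unique per slapd instance, so key on the server too.
        if m := ACCEPT.match(msg):
            peers[(server, m[1])] = m[2]
        elif m := BIND.match(msg):
            pending[(server, m[1], m[2])] = m[3]
        elif m := RESULT.match(msg):
            dn = pending.pop((server, m[1], m[2]), None)
            if dn is not None:  # tag=97 is the bind response; err=0 means success
                ip = peers.get((server, m[1]), "unknown")
                events.append((ts, server, ip, dn, int(m[3])))
        elif m := CLOSED.match(msg):
            peers.pop((server, m[1]), None)
    return events


if __name__ == "__main__":
    for event in bind_events(SAMPLE_LOG.splitlines()):
        print(*event, sep="  ")
```

With several servers forwarding syslog to one collector, the same function runs over the merged stream, because connection state is keyed per server.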
