Regarding #2, you do have ppolicy_forward_updates enabled in your configuration, correct?
-Michael Proto

On Wed, Sep 18, 2013 at 1:02 PM, Chris Jacobs <[email protected]> wrote:

> Caveat with using ppolicy to sync pwdfailures, etc:
>
> I've failed in my attempts to get both of the following to work at same
> time:
> 1) passwords are actually checked (vs anything submitted for password will
> work)
> 2) and getting ppolicy pwdfailures to replicate from slaves to the master
>
> Obviously #1 trumps #2.
>
> Perhaps I did something wrong (along with follow up users), but no-one
> offered any suggestions or pointers, or things are better now.
>
> Just make sure you test bad passwords before you assume 'authentication is
> working'.
>
> Caveat Emptor.
> - chris
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Quanah Gibson-Mount
> Sent: Tuesday, September 17, 2013 5:53 PM
> To: Paul B. Henson; [email protected]
> Subject: Re: auditing failed login attempts
>
> --On Tuesday, September 17, 2013 5:25 PM -0700 "Paul B. Henson"
> <[email protected]> wrote:
>
> > Our security group is hassling us because we don't currently provide
> > them an audit log of failed login attempts on our LDAP servers. For
> > most of our other systems, we simply provide them a syslog feed with
> > this information.
> > However, openldap doesn't appear to have a logging level that provides
> > detail about login attempts on a single line, but rather across many
> > lines that would need to be correlated. It seems more like connection
> > debugging logging as opposed to authentication logging.
> >
> > It looks like we might need to set up an accesslog overlay to log all
> > of the attempted binds and then have a separate process that runs
> > through that and generates the syslog feed to our ISO group's central
> > logging server? That's a bit more overhead than I would like.
> >
> > Are there any other simpler ways of generating failed login logs?
>
> slapo-auditlog?
> slapo-accesslog?
>
> Don't know if you use it, but your security team may like you to use
> ppolicy:
> <http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra Software, LLC
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
>
>
> This message is private and confidential. If you have received it in
> error, please notify the sender and remove it from your system.
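
The multi-line correlation raised in the original question, as an added example that is not part of the thread or of OpenLDAP: a small filter that joins slapd's ACCEPT, BIND and RESULT lines on conn/op and emits one line per failed bind (err=49, invalidCredentials). It assumes slapd logs at "loglevel stats" through syslog; the sample lines are constructed and the output record layout ("ldap_bind_failed ...") is a made-up format.

```python
import re

# Constructed sample in the layout slapd writes at "loglevel stats".
SAMPLE = """\
Sep 17 17:25:01 ldap1 slapd[2114]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Sep 17 17:25:01 ldap1 slapd[2114]: conn=1002 fd=15 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)
Sep 17 17:25:01 ldap1 slapd[2114]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Sep 17 17:25:01 ldap1 slapd[2114]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Sep 17 17:25:02 ldap1 slapd[2114]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 17 17:25:02 ldap1 slapd[2114]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 17 17:25:02 ldap1 slapd[2114]: conn=1001 op=0 RESULT tag=97 err=49 text=
Sep 17 17:25:02 ldap1 slapd[2114]: conn=1001 fd=14 closed (connection lost)
""".splitlines()

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) (\S+) slapd\[\d+\]: conn=(\d+) (.*)$')
ACCEPT = re.compile(r'fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+')
BIND = re.compile(r'op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT = re.compile(r'op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = BindResponse
CLOSED = re.compile(r'fd=\d+ closed')

def failed_binds(lines):
    """Return one summary line per bind that ended in err=49."""
    peers, binds, out = {}, {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # not a slapd connection line
        ts, host, conn, rest = m.groups()
        if (a := ACCEPT.match(rest)):
            peers[conn] = a.group(1)      # remember client address per connection
        elif (b := BIND.match(rest)):
            binds[(conn, b.group(1))] = b.group(2)   # pending bind, keyed by conn+op
        elif (r := RESULT.match(rest)):
            dn = binds.pop((conn, r.group(1)), None)
            if dn is not None and r.group(2) == "49":
                src = peers.get(conn, "unknown")
                out.append(f'{ts} {host} ldap_bind_failed dn="{dn}" '
                           f'src={src} conn={conn} err=49')
        elif CLOSED.match(rest):          # drop state so conn reuse cannot mis-join
            peers.pop(conn, None)
            for key in [k for k in binds if k[0] == conn]:
                del binds[key]
    return out

if __name__ == "__main__":
    print("\n".join(failed_binds(SAMPLE)))
```

Fed from a tail of the slapd syslog file, the returned lines can be forwarded as the single-line feed the security group asked for.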
