Have you looked at the audit logs ?
Use the below ldif to enable them.
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
This will write to 'audit' file in the same dir as 'access' and 'errors'
log file.
On 14 October 2016 at 02:20,
user authentication errors are usually recorded on the client end.
On Thu, Oct 13, 2016 at 4:47 PM, Jason Nielsen wrote:
> Im looking for ways to pull a number of audit events from 389. Such as:
>
> -User authentication success and failures.
> -Group additions, removals and