Good morning all.

I'm working with an older version of an LDAP server that doesn't support syslog in any form. As a result I'm having to read through the LDAP server's access logs. I'm trying to detect successful & failed authentication attempts and then write an event to syslog (so our central loghost can read it).

What I want out are syslog entries that look more or less like this:

Mar 7 04:30:50 ldap-server ldap: [conn=14758663] Authentication succeeded for username1 from 1.1.1.2
Mar 7 04:43:43 ldap-server ldap: [conn=14758706] Authentication failed for username2 from 1.1.1.3


Here's my problem. I can find the conn#, the ip, the username, and detect success/failure. I'm currently doing that by dumping all that info into a context in NAME=value pairs. To write it out, I've had to call an external perl script to parse the context dump and return a reasonable one-line string. There has to be a better way.

I'd appreciate any advice. Below, I've listed a sample success & failure, as well as the rules I'm currently using.

======


Here's a successful authentication (note that err=0):
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - closed.

Here's an unsuccessful authentication (note that err=49):
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username2)" attrs=ALL
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - closed.


I've almost got this. Here's the ruleset so far:

# notice the beginning of a connection.
# create a context named for the conn#, add timestamp and source ip.
type=single
continue=takenext
ptype=regexp
pattern=\[([^ ]+) .*\] conn=(\d+) .* LDAP connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
desc=LDAP session opened from $3
action=create ldap_conn_$2;\
        add ldap_conn_$2 LDAP_STAMP=$1;\
        add ldap_conn_$2 LDAP_IP=$3;

# notice the bind attempt, add the uid to the context.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
context=ldap_conn_$1
desc=LDAP session $1 uid is $2
action=add ldap_conn_$1 LDAP_UID=$2;

# catch an authentication failure.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+).*RESULT err=49
context=ldap_conn_$1
desc=LDAP connection $1 has bad credentials
action=report ldap_conn_$1 $HOME/bin/ldap-bad-auth.pl


# catch the rest
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+)
context=ldap_conn_$1
desc=LDAP session event for $1
action=none

# catch the end of the connection. delete the context
type=single
ptype=regexp
pattern=conn=(\d+) .* - closing -
context=ldap_conn_$1
desc=LDAP session closed for $1
action=delete ldap_conn_$1


--
Don Faulkner
[email protected]
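The correlation the ruleset above does with a context per conn= (remember the source IP from the connection line, the uid from the BIND, then decide on the RESULT) can be done in one small script that reads the access log and produces the one-line messages directly, with no context dump to parse. The following is an added example written for this thread; it is not code from the original post, from SEC, or from the LDAP server's vendor. It assumes the record format shown in the samples above, and the host name "ldap-server", the "ldap" ident, the /dev/log socket and the interleaved sample log are constructed for the example.

```python
import logging
import logging.handlers
import re
from dataclasses import dataclass
from datetime import datetime

# One access-log record: "[stamp] conn=N op=N msgId=N - <rest>" (format as in the samples).
RECORD_RE = re.compile(
    r'^\[(?P<stamp>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$')
CONN_RE = re.compile(r'LDAP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to ')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
UID_RE = re.compile(r'^uid=(?P<uid>[^,]+),')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)')

BIND_RESPONSE_TAG = 97         # LDAP BindResponse is [APPLICATION 1], BER tag 0x61 = 97
LDAP_INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials (err=49 in the failed sample)


def syslog_stamp(stamp):
    """'07/Mar/2009:04:31:50 -0600' -> 'Mar 7 04:31:50' (the layout of the target lines)."""
    ts = datetime.strptime(stamp.split(' ')[0], '%d/%b/%Y:%H:%M:%S')
    return f"{ts.strftime('%b')} {ts.day} {ts.strftime('%H:%M:%S')}"


@dataclass
class AuthEvent:
    stamp: str   # raw access-log timestamp of the bind RESULT
    conn: str
    uid: str
    ip: str
    err: int

    def message(self):
        # Any non-zero bind result is a failed authentication; 49 is the common one.
        outcome = 'succeeded' if self.err == 0 else 'failed'
        return f"[conn={self.conn}] Authentication {outcome} for {self.uid} from {self.ip}"

    def syslog_line(self, host='ldap-server', ident='ldap'):
        return f"{syslog_stamp(self.stamp)} {host} {ident}: {self.message()}"


def extract_auth_events(lines):
    """Walk access-log lines in order and return one AuthEvent per uid BIND RESULT."""
    conn_ip = {}   # conn -> source IP, learned from the "LDAP connection from" record
    pending = {}   # (conn, op) -> uid of a BIND still waiting for its RESULT
    events = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                      # not an access-log record; ignore it
        conn, op, rest = m['conn'], m['op'], m['rest']
        cm = CONN_RE.search(rest)
        if cm:
            conn_ip[conn] = cm['ip']
            continue
        bm = BIND_RE.match(rest)
        if bm:
            um = UID_RE.match(bm['dn'])
            if um:                        # the anonymous BIND dn="" at op=0 is deliberately skipped
                pending[(conn, op)] = um['uid']
            continue
        rm = RESULT_RE.match(rest)
        if rm and int(rm['tag']) == BIND_RESPONSE_TAG and (conn, op) in pending:
            # Keyed on (conn, op) and tag=97, so the SRCH RESULT (tag=101) on the same
            # connection can never be mistaken for the bind's result.
            uid = pending.pop((conn, op))
            events.append(AuthEvent(m['stamp'], conn, uid, conn_ip.get(conn, 'unknown'), int(rm['err'])))
            continue
        if rest.startswith('closed'):     # connection finished: drop its state (SEC's "delete")
            conn_ip.pop(conn, None)
    return events


def send_to_syslog(events, address='/dev/log'):
    """Relay the messages to the local syslog daemon; it adds timestamp and host itself."""
    handler = logging.handlers.SysLogHandler(
        address=address, facility=logging.handlers.SysLogHandler.LOG_AUTH)
    handler.ident = 'ldap: '              # yields "... ldap: [conn=...] Authentication ..."
    logger = logging.getLogger('ldap-auth-relay')
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    for ev in events:
        logger.info(ev.message())


# Constructed sample: the two sessions from the post, interleaved to show that
# correlation is keyed on conn= and not on line adjacency.
SAMPLE_LOG = """\
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - closed.
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - closed.
"""

if __name__ == '__main__':
    for ev in extract_auth_events(SAMPLE_LOG.splitlines()):
        print(ev.syslog_line())
    # send_to_syslog(extract_auth_events(SAMPLE_LOG.splitlines()))  # on a host with /dev/log
```

Two details matter for correctness here. Pending binds are keyed on (conn, op) and a RESULT only counts when tag=97, the BindResponse tag, so the anonymous BIND dn="" that precedes the search and the search's own RESULT err=0 tag=101 are never reported as a successful login. When relaying to a local syslog daemon, only the "[conn=...] Authentication ..." part is sent, since syslogd prepends its own timestamp and host name; syslog_line() builds the full line for the case where the output goes to a file or is forwarded some other way.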
