I thought I'd share my final solution with the list. My solution was
to construct the event message on the fly, and use the context to
store it when it's not being manipulated. When the message is built, I
call the built-in logger(1) command to write this to syslog. For some
reason, action=logonly didn't put the event in the proper facility. I
may blame weird Solaris facility definitions there...
So what I want is to see a message in syslog that looks like this:
Apr 17 01:23:45 ldapserver1 ldap-ldapserver1: [ID ##### auth.info] [conn=######] LDAP authentication failed for username from 1.1.1.3
Here's the config, somewhat commented.
======
# Detect beginning of connections, either LDAP or LDAPS. We really care about
# IP address, but we'll preserve conn # for the context, and for future reference.
# The string in the context looks like "from 1.2.2.3"
type=Single
continue=DontCont
ptype=RegExp
pattern=\[[^ ]+ .*\] conn=(\d+) .* LDAPS? connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
# The pattern has only two capture groups (conn and IP), so the IP is $2, not $3.
desc=[conn=$1] LDAP session opened from $2
action=create LDAP_CONN_$1 600;\
add LDAP_CONN_$1 from $2
# Detect a user attempting to bind. We're interested in the uid.
# Create a new context ending in _UID, so we know we found a bind request.
# This prevents us from reporting on non-bind operations.
# Pull the context out and tack on the new information, writing it back.
# When done, the context string looks like "for user from 1.2.2.3"
type=Single
continue=DontCont
ptype=RegExp
pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session uid is $2
action=create LDAP_CONN_$1_UID;\
copy LDAP_CONN_$1 %srcip;\
fill LDAP_CONN_$1 for $2 %srcip
# Detect miscellaneous events in the connection. Right now, we do nothing
# but we could add functionality here later.
type=Single
continue=TakeNext
ptype=RegExp
pattern=conn=(\d+)
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session event for $1
action=none
# Detect failure, which is an err=49. Only do something if the failure is related
# to a bind context (_UID).
# Rewrite the context string to look like
# "LDAP authentication failed for user from 1.2.2.3"
# Send the string to logger and thence to syslog.
# Destroy the contexts so we can't mistakenly do something else later.
type=Single
ptype=RegExp
pattern=conn=(\d+).*RESULT err=49
context=LDAP_CONN_$1_UID
desc=[conn=$1] LDAP authentication failed
action=copy LDAP_CONN_$1 %user;\
fill LDAP_CONN_$1 %s %user;\
report LDAP_CONN_$1 logger -p auth.info -t ldap-servername;\
delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID
# Detect success, which is an err=0. Only do something if the success is related
# to a bind context (_UID).
# Rewrite the context string to look like
# "LDAP authentication succeeded for user from 1.2.2.3"
# Send the string to logger and thence to syslog.
# Destroy the contexts so we can't mistakenly do something else later.
type=Single
ptype=RegExp
pattern=conn=(\d+).*RESULT err=0
context=LDAP_CONN_$1_UID
desc=[conn=$1] LDAP authentication succeeded
action=copy LDAP_CONN_$1 %user;\
fill LDAP_CONN_$1 %s %user;\
report LDAP_CONN_$1 logger -p auth.info -t ldap-servername;\
delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID
# Detect the end of the connection.
# Destroy the contexts just to be sure.
type=Single
ptype=RegExp
pattern=conn=(\d+) .* - closing -
context=LDAP_CONN_$1
desc=[conn=$1] LDAP session closed
action=delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID
#action=delete LDAP_CONN_$1
--
Don Faulkner
[email protected]
On Apr 15, 2009, at 9:34 AM, Mills, Rocky wrote:
Instead of adding values to a context you could save the values in a
perl hash, formatting as you go along.
For example (not tested):
Rule action collecting IP per connection:
action=eval %ip_msg ($ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )
Rule action collecting UID per connection (notice concatenation period before '=' sign):
action=eval %uid_msg ($ldap_conn{$1} .= " per user $2"; return $ldap_conn{$1}; )
Success rule action:
action=eval %success_msg (my $msg = "conn=$1 authentication succeeded $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
Failure rule action:
action=eval %failure_msg (my $msg = "conn=$1 authentication failed $ldap_conn{$1}"; delete $ldap_conn{$1}; return $msg;)
You'd save the preferred log's timestamp somewhere in there.
Regards,
Rock
From: Don Faulkner [mailto:[email protected]]
Sent: Monday, April 13, 2009 12:58 PM
To: [email protected]
Subject: [Simple-evcorr-users] detecting LDAP authentication failures (long)
Good morning all.
I'm working with an older version of an LDAP server that doesn't
support syslog in any form. As a result I'm having to read through
the LDAP server's access logs. I'm trying to detect successful &
failed authentication attempts and then write an event to syslog (so
our central loghost can read it).
What I want out are syslog entries that look more or less like this:
Mar 7 04:30:50 ldap-server ldap: [conn=14758663] Authentication succeeded for username1 from 1.1.1.2
Mar 7 04:43:43 ldap-server ldap: [conn=14758706] Authentication failed for username2 from 1.1.1.3
Here's my problem. I can find the conn#, the ip, the username, and
detect success/failure. I'm currently doing that by dumping all that
info into a context in NAME=value pairs. To write it out, I've had
to call an external perl script to parse the context dump and return
a reasonable one-line string. There has to be a better way.
I'd appreciate any advice. Below, I've listed a sample success &
failure, as well as the rules I'm currently using.
======
Here's a successful authentication (note that err=0):
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - closed.
Here's an unsuccessful authentication (note that err=49):
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username2)" attrs=ALL
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=2 msgId=3 - ABANDON targetop=NOTFOUND msgid=2
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=5 - UNBIND
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - closed.
I've almost got this. Here's the ruleset so far:
# notice the beginning of a connection.
# create a context named for the conn#, add timestamp and source ip.
type=single
continue=takenext
ptype=regexp
pattern=\[([^ ]+) .*\] conn=(\d+) .* LDAP connection from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) to
desc=LDAP session opened from $3
action=create ldap_conn_$2;\
add ldap_conn_$2 LDAP_STAMP=$1;\
add ldap_conn_$2 LDAP_IP=$3;
# notice the bind attempt, add the uid to the context.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+) .*BIND dn=\"uid=(\w+),
context=ldap_conn_$1
desc=LDAP session $1 uid is $2
action=add ldap_conn_$1 LDAP_UID=$2;
# catch an authentication failure.
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+).*RESULT err=49
context=ldap_conn_$1
desc=LDAP connection $1 has bad credentials
action=report ldap_conn_$1 $HOME/bin/ldap-bad-auth.pl
# catch the rest
type=single
continue=takenext
ptype=regexp
pattern=conn=(\d+)
context=ldap_conn_$1
desc=LDAP session event for $1
action=none
# catch the end of the connection. delete the context
type=single
ptype=regexp
pattern=conn=(\d+) .* - closing -
context=ldap_conn_$1
desc=LDAP session closed for $1
action=delete ldap_conn_$1
--
Don Faulkner
[email protected]
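The correlation that both rulesets in this thread express in SEC contexts (Don's final solution at the top, and the original ruleset plus sample access log just above), written out in Python as an added example. This is not code from the thread, from SEC, or from the LDAP server; it reimplements the same state machine: remember the source IP per conn#, arm the connection when a named BIND is seen (the LDAP_CONN_<n>_UID context), and report only the RESULT of that bind, so the anonymous BIND dn="" and the SRCH results with err=0 never produce a "succeeded" event. The sample log is constructed after the excerpts quoted above; connection 14758800 (anonymous bind only) is an addition. Two deliberate departures, both additions: the RESULT pattern also requires tag=97 (the LDAP bindResponse tag visible in the sample lines), and the connection's IP is kept until the connection closes, so a second bind attempt on the same connection is reported as well, where the thread's ruleset deletes LDAP_CONN_$1 after the first report. The logger(1) hand-off at the end mirrors the thread's `logger -p auth.info -t ...` call; the tag name is a placeholder.

```python
"""Correlate LDAP access-log lines into bind success/failure events.

Added example, not code from the thread or from SEC. Mirrors the two SEC
contexts per connection: src_ip plays LDAP_CONN_<n>, pending_uid plays
LDAP_CONN_<n>_UID.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Constructed sample, modelled on the access-log excerpts quoted in the thread.
# Connection 14758800 is an addition: it binds anonymously only and must not
# produce an event.
SAMPLE_LOG = """\
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=-1 msgId=-1 - fd=53 slot=53 LDAP connection from 1.1.1.2 to 1.1.1.1
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - SRCH base="ou=myou,o=domain.com" scope=2 filter="(uid=username1)" attrs=ALL
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - BIND dn="uid=username1,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=3 msgId=4 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=username1,ou=myou,o=domain.com"
[07/Mar/2009:04:31:50 -0600] conn=14758663 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=-1 msgId=-1 - fd=91 slot=91 LDAP connection from 1.1.1.3 to 1.1.1.1
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - BIND dn="uid=username2,ou=myou,o=domain.com" method=128 version=3
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=3 msgId=4 - RESULT err=49 tag=97 nentries=0 etime=0
[07/Mar/2009:04:43:43 -0600] conn=14758706 op=4 msgId=-1 - closing - U1
[07/Mar/2009:04:50:00 -0600] conn=14758800 op=-1 msgId=-1 - fd=92 slot=92 LDAPS connection from 1.1.1.4 to 1.1.1.1
[07/Mar/2009:04:50:00 -0600] conn=14758800 op=0 msgId=1 - BIND dn="" method=128 version=3
[07/Mar/2009:04:50:00 -0600] conn=14758800 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[07/Mar/2009:04:50:00 -0600] conn=14758800 op=1 msgId=-1 - closing - U1
"""

# Patterns follow the thread's rules. The uid group is widened from \w+ to
# [^,"]+ so uids containing '.' or '-' are still captured.
CONN_OPEN = re.compile(r'\] conn=(\d+) .* LDAPS? connection from (\d{1,3}(?:\.\d{1,3}){3}) to ')
BIND_UID = re.compile(r'conn=(\d+) .*BIND dn="uid=([^,"]+),')
# tag=97 is the LDAP bindResponse tag, so SRCH and other RESULT lines never
# match even while the connection is armed (addition to the thread's rules).
BIND_RESULT = re.compile(r'conn=(\d+) .*RESULT err=(\d+) tag=97')
CONN_CLOSE = re.compile(r'conn=(\d+) .* - closing -')


class BindCorrelator:
    def __init__(self) -> None:
        self.src_ip: Dict[str, str] = {}       # LDAP_CONN_<n>: "from <ip>"
        self.pending_uid: Dict[str, str] = {}  # LDAP_CONN_<n>_UID: armed by a named BIND

    def feed(self, line: str) -> Optional[str]:
        """Consume one access-log line; return an event string or None."""
        m = CONN_OPEN.search(line)
        if m:
            conn, ip = m.groups()
            self.src_ip[conn] = ip
            self.pending_uid.pop(conn, None)
            return None
        m = BIND_UID.search(line)
        if m:
            conn, uid = m.groups()
            if conn in self.src_ip:  # SEC: context=LDAP_CONN_$1 must exist
                self.pending_uid[conn] = uid
            return None
        m = BIND_RESULT.search(line)
        if m:
            conn, err = m.groups()
            uid = self.pending_uid.pop(conn, None)
            if uid is None:  # anonymous bind, or connection never seen: ignore
                return None
            if err == "0":
                outcome = "succeeded"
            elif err == "49":  # invalidCredentials, the case the thread reports
                outcome = "failed"
            else:
                outcome = "failed (err=%s)" % err
            ip = self.src_ip.get(conn, "unknown")
            return "[conn=%s] LDAP authentication %s for %s from %s" % (conn, outcome, uid, ip)
        m = CONN_CLOSE.search(line)
        if m:  # SEC: delete LDAP_CONN_$1; delete LDAP_CONN_$1_UID
            self.src_ip.pop(m.group(1), None)
            self.pending_uid.pop(m.group(1), None)
        return None


def correlate(lines: Iterable[str]) -> List[str]:
    """Run the correlator over a sequence of log lines and collect the events."""
    correlator = BindCorrelator()
    return [event for event in map(correlator.feed, lines) if event is not None]


def send_to_syslog(message: str, tag: str = "ldap-servername") -> None:
    """Hand the event to syslog the same way the thread does, via logger(1)."""
    subprocess.run(["logger", "-p", "auth.info", "-t", tag, message], check=True)


if __name__ == "__main__":
    for event in correlate(SAMPLE_LOG.splitlines()):
        print(event)  # on the LDAP host, call send_to_syslog(event) instead
```

Run as a script it prints one succeeded and one failed event and nothing for the anonymous-only connection; fed from a tailed access log it can replace the external ldap-bad-auth.pl step, with the pending_uid gate doing the job of the _UID context.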
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users