I have successfully configured ppolicy on a test server and everything works as it should; except one small detail that isn’t strictly necessary, but very useful to monitor the “state of affairs”.

 

The slapd log doesn’t seem to include any information to indicate that an account has just been locked due to password policies. This information would be very useful for automatic log monitoring, because a high number of accounts being locked in a short period of time could indicate some kind of problem or attack against our systems via some supposedly secure client. The only thing I use password policies for is locking down accounts temporarily after repeated authentication failures. The LDAP catalogue isn’t the place where passwords are actually set or changed.

 

I’ve tried configuring the auditlog overlay, imagining it would log the locking of an account somehow, but I haven’t actually been able to make it work. There are no errors in the slapd log when loading the module, but the auditlog log file is always empty, even after running ldapmodify on a “cn” attribute for a random person.

 

Snippets from the slapd.conf (for testing purposes I’ve enabled and disabled ppolicy_use_lockout to see if it also had an effect in the logs, but nothing):

 

[…]

loglevel        stats config cons

[…]

database        bdb

[…]

overlay auditlog

auditlog /var/log/slapd_audit.log

 

overlay ppolicy

ppolicy_default "cn=default,ou=policies,dc=uit,dc=no"

ppolicy_use_lockout

[…]

 

This server is a test server, the production servers are slaves in a master–slave configuration using syncrepl. The server version is 2.4.23. Getting auditlog to work is not a priority, what I really want is to be able to monitor locking of accounts.

 

Does anybody have ideas around these issues? Maybe a new approach?

 

Regards,

Remi Mikalsen