I have successfully configured ppolicy on a test server and everything works as
it should, except one small detail that isn’t strictly necessary, but very
useful to monitor the “state of affairs”.
The slapd log doesn’t seem to include
any information to indicate that an account has just been locked due to
password policies. This information would be very useful for automatic log
monitoring, because a high number of accounts being locked in a short period of
time could indicate some kind of problem or attack against our systems via some
supposedly secure client. The only thing I use password policies for is locking
down accounts temporarily after repeated authentication failures. The LDAP
catalogue isn’t the place where passwords are actually set or changed.
I’ve tried configuring the auditlog
overlay, imagining it would log the locking of an account somehow, but I haven’t
actually been able to make it work. There are no errors in the slapd log when
loading the module, but the auditlog log file is always empty, even after
running ldapmodify on a “cn” attribute for a random person.
Snippets from the slapd.conf (for testing
purposes I’ve enabled and disabled ppolicy_use_lockout to see if it also
had an effect in the logs, but nothing):
[…]
loglevel stats config cons
[…]
database bdb
[…]
overlay auditlog
auditlog /var/log/slapd_audit.log
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=uit,dc=no"
ppolicy_use_lockout
[…]
This server is a test server; the production servers are slaves in a
master–slave configuration using syncrepl. The server version is 2.4.23.
Getting auditlog to work is not a priority; what I really want is to be able
to monitor locking of accounts.
Does anybody have ideas around these issues?
Maybe a new approach?
Regards,
Remi Mikalsen
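As an added example (not part of this post, and not OpenLDAP's own code): the ppolicy overlay records a lockout in the locked entry's pwdAccountLockedTime operational attribute, so lockouts can be monitored independently of the slapd log by periodically searching for that attribute and counting recent values. The script below parses the LDIF that `ldapsearch -LLL "(pwdAccountLockedTime=*)" pwdAccountLockedTime` prints (a constructed sample is embedded; the DNs, the 15-minute window, the threshold of 2 and the fixed "now" are assumptions) and raises an alarm when the number of lockouts inside the window reaches the threshold. Entries carrying ppolicy's permanent-lock marker value are reported separately.

```python
import re
from datetime import datetime, timedelta, timezone

# ppolicy stores this special value in pwdAccountLockedTime for an
# administrative (permanent) lock, as opposed to a lockout after failures.
PERMANENT_LOCK = "000001010000Z"

# Constructed sample of ldapsearch -LLL output; the DNs are made up.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20240105101500Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20240105101730Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdAccountLockedTime: 20240104090000Z

dn: uid=dave,ou=people,dc=example,dc=com
pwdAccountLockedTime: 000001010000Z
"""

# Assumed monitoring parameters: a fixed "now" so the sample is reproducible,
# a 15-minute window and an alarm threshold of 2 lockouts in that window.
SAMPLE_NOW = datetime(2024, 1, 5, 10, 20, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=15)
THRESHOLD = 2


def parse_ldif(text):
    """Parse minimal LDIF (as printed by ldapsearch -LLL) into a list of
    {'dn': ..., 'attrs': {name: [values]}} dicts. Folded lines are unfolded;
    base64 ('attr:: ...') values are skipped since the attribute we need is plain."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]  # LDIF continuation line
            else:
                lines.append(line)
        entry = {"dn": None, "attrs": {}}
        for line in lines:
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(": ")
            if not sep or name.endswith(":"):  # malformed or base64 value
                continue
            value = value.strip()
            if name == "dn":
                entry["dn"] = value
            else:
                entry["attrs"].setdefault(name, []).append(value)
        if entry["dn"]:
            entries.append(entry)
    return entries


def parse_lock_time(value):
    """Return the lock time as an aware UTC datetime, or None for a permanent lock."""
    if value == PERMANENT_LOCK:
        return None
    value = re.sub(r"\.\d+Z$", "Z", value)  # tolerate fractional seconds
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def recent_lockouts(entries, now, window):
    """Return (recent, permanent): DNs locked within `window` before `now`,
    and DNs carrying the permanent-lock marker."""
    recent, permanent = [], []
    for entry in entries:
        for value in entry["attrs"].get("pwdAccountLockedTime", []):
            locked_at = parse_lock_time(value)
            if locked_at is None:
                permanent.append(entry["dn"])
            elif now - window <= locked_at <= now:
                recent.append(entry["dn"])
    return recent, permanent


def lockout_alarm(entries, now, window, threshold):
    """True when the number of lockouts inside the window reaches the threshold."""
    recent, _ = recent_lockouts(entries, now, window)
    return len(recent) >= threshold


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    recent, permanent = recent_lockouts(entries, SAMPLE_NOW, WINDOW)
    print("locked in the last %s: %d" % (WINDOW, len(recent)))
    for dn in recent:
        print("  ", dn)
    print("permanently locked:", permanent)
    if lockout_alarm(entries, SAMPLE_NOW, WINDOW, THRESHOLD):
        print("ALARM: lockout rate reached threshold", THRESHOLD)
```

To run it against a real directory, replace SAMPLE_LDIF with the output of the ldapsearch command above (bound as an identity whose ACLs allow reading pwdAccountLockedTime) and SAMPLE_NOW with the current UTC time; a cron job feeding the alarm into existing log monitoring gives the "many lockouts in a short period" signal the slapd log itself does not provide.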