Did; didn't work without other options which then resulted in the defeat of the purpose of passwords.
See: http://www.openldap.org/lists/openldap-technical/201005/msg00001.html
The configs in that message (from May 2010) weren't the only configs I tried, but it seemed the most correct as a starting point when seeking a hand.
- chris
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Michael Proto Sent: Wednesday, September 18, 2013 10:48 AM To: Chris Jacobs Cc: openldap-technical@openldap.org Subject: Re: auditing failed login attempts
Regarding #2, you do have ppolicy_forward_updates enabled in your configuration, correct?
-Michael Proto
On Wed, Sep 18, 2013 at 1:02 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edumailto:Chris.Jacobs@apollogrp.edu> wrote: Caveat with using ppolicy to sync pwdfailures, etc:
I've failed in my attempts to get both of the following to work at same time: 1) passwords are actually checked (vs anything submitted for password will work) 2) and getting ppolicy pwdfailures to replicate from slaves to the master
Obviously #1 trumps #2.
Perhaps I did something wrong (along with follow up users), but no-one offered any suggestions or pointers, or things are better now.
Just make sure you test bad passwords before you assume 'authentication is working'.
Caveat Emptor. - chris
-----Original Message----- From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.orgmailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount Sent: Tuesday, September 17, 2013 5:53 PM To: Paul B. Henson; openldap-technical@openldap.orgmailto:openldap-technical@openldap.org Subject: Re: auditing failed login attempts
--On Tuesday, September 17, 2013 5:25 PM -0700 "Paul B. Henson" <henson@acm.orgmailto:henson@acm.org> wrote:
Our security group is hassling us because we don't currently provide them an audit log of failed login attempts on our LDAP servers. For most of our other systems, we simply provide them a syslog feed with this information. However, openldap doesn't appear to have a logging level that provides detail about login attempts on a single line, but rather across many lines that would need to be correlated. It seems more like connection debugging logging as opposed to authentication logging.
It looks like we might need to set up an accesslog overlay to log all of the attempted binds and then have a separate process that runs through that and generates the syslog feed to our ISO group's central logging server? That's a bit more overhead than I would like.
Are there any other simpler ways of generating failed login logs?
slapo-auditlog? slapo-accesslog?
Don't know if you use it, but your security team may like you to use ppolicy: http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra Software, LLC -------------------- Zimbra :: the leader in open source messaging and collaboration
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.