Many thanks, Emmanuel, for your quick reply.
That is certainly helping me figure out what is going on. It looks like one or two of the client systems aren't correctly configured and this is helping me pin them down.
Regards
Philip
On 1 April 2016 at 11:49, Emmanuel Lécharny elecharny@gmail.com wrote:
Le 01/04/16 12:45, Philip Colmer a écrit :
I've currently got stats logging turned on while I try to troubleshoot an application and I've noticed some rather strange searches going on. Strange in that the searches are for very high uidNumber values or for uid values that don't exist ... suggesting that someone might be trying to grab data from our server.
What I'm struggling with is trying to figure out from the logs (a) the IP address that these queries are coming from and/or (b) the authenticated account being used (even if anonymous).
For example, if I have a log line like this:
conn=1928683 op=24 SRCH base="ou=accounts,dc=linaro,dc=org" scope=2 deref=0 filter="(&(uid=tftp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
is there anything I can do with the conn or op values to connect that particular search query to an earlier logged BIND log entry?
Just grep your log for 'conn=1928683', it will give you all the history for the 'user' that did the search.
Now, FTR, that serach really looks like a PAM LDAP or a SSSD search. Pretty standard.