I have successfully configured ppolicy on a test server and everything
works as it should; except one small detail that isn't strictly necessary,
but very useful to monitor the "state of affairs".
The slapd log doesn't seem to include any information to indicate that an
account has just been locked due to password policies. This information
would be very useful for automatic log monitoring, because a high number
of accounts being locked in a short period of time could indicate some
kind of problem or attack against our systems via some supposedly secure
client. The only thing I use password policies for is locking down
accounts temporarily after repeated authentication failures. The LDAP
catalogue isn't the place where passwords are actually set or changed.
I've tried configuring the auditlog overlay, imagining it would log the
locking of an account somehow, but I haven't actually been able to make it
work. There are no errors in the slapd log when loading the module, but
the auditlog log file is always empty, even after running ldapmodify on a
"cn" attribute for a random person.
Snippets from the slapd.conf (for testing purposes I've enabled and
disabled ppolicy_use_lockout to see if it also had an effect in the logs,
loglevel stats config cons
This server is a test server, the production servers are slaves in a
master-slave configuration using syncrepl. The server version is 2.4.23.
Getting auditlog to work is not a priority, what I really want is to be
able to monitor locking of accounts.
Does anybody have ideas around these issues? Maybe a new approach?
Show replies by date