Hi list, I'm implementing slapo-accesslog in my openldap deployment.
I have about 100 unix/linux systems that use a central openldap deployment to authenticate and grant access to users.
With accesslog I'm able to see when a particular user has logged in, but is there a way to obtain, on the LDAP server side, information about which system has been accessed?
Thanks in advance, Marco
On 12/08/2010 14:23, Marco Pizzoli wrote:
> Hi list, I'm implementing slapo-accesslog in my openldap deployment.
> I have about 100 unix/linux systems that use a central openldap deployment to authenticate and grant access to users.
> With accesslog I'm able to see when a particular user has logged in, but is there a way to obtain, on the LDAP server side, information about which system has been accessed?
You could analyze the server's logs (not accesslog, just the syslog, assuming loglevel stats is configured) to see which client IPs are connecting.
Jonathan
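Jonathan's suggestion, worked through as an added example (this is not code from the thread or from the OpenLDAP project): with loglevel stats, slapd writes one ACCEPT line per connection carrying the client IP, and one BIND/RESULT pair per bind operation; joining them on the conn and op numbers yields a (user DN, client host, success) record for every authentication. The log lines below are constructed in the standard slapd stats format, and the hostnames, conn ids and addresses in them are made up.

```python
"""Correlate slapd 'loglevel stats' syslog output into (user, client IP) login records.

Added example for this thread: it is not OpenLDAP code nor any poster's script.
It assumes the standard slapd stats line format (conn=/op= lines) as written to
syslog; the sample lines below are constructed, not captured from a real server.
"""
import re
from dataclasses import dataclass

# Constructed sample in slapd 'stats' format; hostnames, conn ids and IPs are made up.
SAMPLE_LOG = """\
Aug 12 14:23:01 ldap1 slapd[2345]: conn=1001 fd=12 ACCEPT from IP=10.1.2.3:51234 (IP=0.0.0.0:389)
Aug 12 14:23:01 ldap1 slapd[2345]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:01 ldap1 slapd[2345]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Aug 12 14:23:01 ldap1 slapd[2345]: conn=1001 op=0 RESULT tag=97 err=0 text=
Aug 12 14:23:02 ldap1 slapd[2345]: conn=1001 op=1 UNBIND
Aug 12 14:23:02 ldap1 slapd[2345]: conn=1001 fd=12 closed
Aug 12 14:23:05 ldap2 slapd[9876]: conn=1001 fd=20 ACCEPT from IP=10.1.2.9:40000 (IP=0.0.0.0:389)
Aug 12 14:23:05 ldap2 slapd[9876]: conn=1001 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:05 ldap2 slapd[9876]: conn=1001 op=0 RESULT tag=97 err=49 text=
Aug 12 14:23:06 ldap2 slapd[9876]: conn=1001 fd=20 closed
Aug 12 14:23:07 ldap1 slapd[2345]: conn=1002 fd=13 ACCEPT from IP=[fd00::7]:33000 (IP=[::]:389)
Aug 12 14:23:07 ldap1 slapd[2345]: conn=1002 op=0 BIND dn="" method=128
Aug 12 14:23:07 ldap1 slapd[2345]: conn=1002 op=0 RESULT tag=97 err=0 text=
Aug 12 14:23:08 ldap1 slapd[2345]: conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug 12 14:23:08 ldap1 slapd[2345]: conn=1002 op=1 RESULT tag=97 err=0 text=
"""

# IPv4 is logged as IP=a.b.c.d:port, IPv6 as IP=[addr]:port.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[0-9.]+):\d+")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")  # tag=97: BindResponse
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed")


@dataclass(frozen=True)
class BindEvent:
    timestamp: str   # syslog timestamp as written, e.g. "Aug 12 14:23:01"
    server: str      # which master handled the bind (conn ids are only unique per server)
    user_dn: str
    client_ip: str   # the system the user logged in on, as slapd saw it
    success: bool    # err=0 on the BindResponse


def correlate(lines):
    """Join ACCEPT, BIND and RESULT lines into BindEvents, keyed per server."""
    conn_ip = {}   # (server, conn) -> client IP, valid until the connection closes
    pending = {}   # (server, conn, op) -> (timestamp, bind DN) awaiting its RESULT
    events = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        timestamp, server = " ".join(parts[:3]), parts[3]
        if m := ACCEPT_RE.search(line):
            conn_ip[(server, m[1])] = m[2].strip("[]")
        elif m := BIND_RE.search(line):
            if m[3]:   # skip anonymous binds: those are lookups, not user logins
                pending[(server, m[1], m[2])] = (timestamp, m[3])
        elif m := RESULT_RE.search(line):
            key = (server, m[1], m[2])
            if key in pending:
                ts, dn = pending.pop(key)
                ip = conn_ip.get((server, m[1]), "unknown")
                events.append(BindEvent(ts, server, dn, ip, m[3] == "0"))
        elif m := CLOSE_RE.search(line):
            conn_ip.pop((server, m[1]), None)
    return events


def logins_by_user(events):
    """Map each DN that bound successfully to the sorted list of client IPs it came from."""
    out = {}
    for e in events:
        if e.success:
            out.setdefault(e.user_dn, set()).add(e.client_ip)
    return {dn: sorted(ips) for dn, ips in out.items()}


def failed_binds(events):
    """Binds that were refused (e.g. err=49, invalid credentials), for the same report."""
    return [e for e in events if not e.success]


if __name__ == "__main__":
    evs = correlate(SAMPLE_LOG.splitlines())
    for e in evs:
        status = "OK  " if e.success else "FAIL"
        print(f"{e.timestamp} {e.server} {status} {e.user_dn} from {e.client_ip}")
    print(logins_by_user(evs))
```

The script keys connections by the syslog hostname as well as the conn id, so the syslog from all four multi-master nodes can be forwarded to one collector and fed to it as a single merged file; without that, conn ids from different masters collide. Two caveats apply to what the report means: the IP is the client as slapd saw it, so a NAT or load balancer in front of the masters will hide the real host, and binds done by nss_ldap with a proxy DN for lookups are not user logins and should be filtered out by DN before the numbers go to a security report.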
Hi Jonathan, thanks for the answer. You're right, but I'm trying to implement a report for my security management, and so I'm implementing a meta-directory on top of the access logs written by a cluster of 4-way multi-master OL instances. Having to go and retrieve logs split locally on 4 machines is not so effective.
What I'm searching for, if it is possible, is a way to propagate the information about the client machine to the authentication directory, and, as a consequence, obtain that information by means of a simple LDAP search of the accesslog. If necessary, I can go and manipulate the config of the client OS (nss_ldap on Linux and secldapclntd on AIX).
Thanks again, Marco
On Thu, Aug 12, 2010 at 5:48 PM, Jonathan Clarke jonathan@phillipoux.net wrote:
> You could analyze the server's logs (not accesslog, just the syslog, assuming loglevel stats is configured) to see which client IPs are connecting.
> Jonathan
> --
> Jonathan Clarke - jonathan@phillipoux.net
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
I got your point, Marco. It's a very interesting idea really; I was looking for something like that too. I'm wondering if it's possible with slapo-accesslog to record the IP address of the client that performs the bind/unbind. If we can record this, then it's possible to track the user login on the server.
On Thu, Aug 12, 2010 at 1:02 PM, Marco Pizzoli marco.pizzoli@gmail.com wrote:
> Hi Jonathan, thanks for the answer. You're right, but I'm trying to implement a report for my security management, and so I'm implementing a meta-directory on top of the access logs written by a cluster of 4-way multi-master OL instances. Having to go and retrieve logs split locally on 4 machines is not so effective.
> What I'm searching for, if it is possible, is a way to propagate the information about the client machine to the authentication directory, and, as a consequence, obtain that information by means of a simple LDAP search of the accesslog. If necessary, I can go and manipulate the config of the client OS (nss_ldap on Linux and secldapclntd on AIX).
> Thanks again, Marco
> --
> _________________________________________
> It is not strong he who does not fall, but he who, having fallen, has the strength to get up again. Jim Morrison
Matheus Morais wrote:
> I got your point, Marco. It's a very interesting idea really; I was looking for something like that too. I'm wondering if it's possible with slapo-accesslog to record the IP address of the client that performs the bind/unbind. If we can record this, then it's possible to track the user login on the server.
Currently slapo-accesslog does not record such information. However, you can get the relevant information using the nssov module instead of pam_ldap/nss_ldap. In that case, on successful logins you can configure the loginStatus attribute to be generated, which records the hostname where the login occurred as well as the hostname of the user's client, among other things.
Sounds great Howard, I will try this tonight!
Thanks,
Matheus Morais
On Thu, Aug 12, 2010 at 4:54 PM, Howard Chu hyc@symas.com wrote:
> Currently slapo-accesslog does not record such information. However, you can get the relevant information using the nssov module instead of pam_ldap/nss_ldap. In that case, on successful logins you can configure the loginStatus attribute to be generated, which records the hostname where the login occurred as well as the hostname of the user's client, among other things.
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org