Posted to users@directory.apache.org by Tou-Soua Heu <to...@fico.com> on 2014/06/12 20:47:04 UTC

Auditing if anonymous LDAP connections are being made

How can you check if there are anonymous LDAP connections to ApacheDS 2.0?

According to the user manual (section 5.3.1 Logs overview, see https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this should work but it seems to log anything:

# Logs all executed operations (search, add, delete, etc.)
log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG

# Logs all incoming and outgoing LDAP Protocol requests/responses
log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG

So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately this puts a lot of noise in the apacheds.log file. In this case, what does the log entry that records the LDAP connection look like and what does it say when it's anonymous vs. authenticated?

Thanks.

Re: Auditing if anonymous LDAP connections are being made

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 13/06/2014 17:43, Mark D a écrit :
> Log files shouldn't be the only test, we still test against the server to verify.

Obviously !
>
> I would have to second the request assuming there is no auditing currently in place, I haven't needed it yet !
Nevertheless, I think it's a must have in the server. Producing log is
easy, producing good logs is more complicated, this is why a feature
request with a clear description of what would be a decent log could
help. It's a matter of minutes to change the server to deliver those logs...


> This seems trivial to implement.  Another logger / file just for AUDIT.

Indeed. Alas, it has to be consistent...


Re: Auditing if anonymous LDAP connections are being made

Posted by Mark D <te...@debusschere.com>.
Log files shouldn't be the only test, we still test against the server to verify.

I would have to second the request assuming there is no auditing currently in place, I haven't needed it yet !
It wouldn't be allowed in our PCI environments without sufficient audit records.

This seems trivial to implement.  Another logger / file just for AUDIT.

----- Original Message -----
From: "Tou-Soua Heu" <to...@fico.com>
To: users@directory.apache.org
Sent: Friday, June 13, 2014 8:34:18 AM
Subject: RE: Auditing if anonymous LDAP connections are being made

I will raise a request.

The business case is for secure environments, like at a Financial institution (eg. Bank Of America) or Government agency (e.g. Department of Defense), all LDAP connections must be authenticated (meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS meets this requirement: the fact we unchecked the "Allow Anonymous Access" in the configuration setting isn't sufficient to prove compliancy. We need to demonstrate this is actually happening and one way is via either a server status about the identity of current connections or logging of identity connections.

Thanks.

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org] 
Sent: Friday, June 13, 2014 1:11 AM
To: users@directory.apache.org
Subject: Re: Auditing if anonymous LDAP connections are being made

On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu <to...@fico.com> wrote:

> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>
there is no way right now (other than looking at the debug logs, which is
painful)
if you can raise a feature request with enough details about the use case we
might consider to implement it.

thank you

> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
>
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately
> this puts a lot of noise in the apacheds.log file. In this case, what
> does the log entry that records the LDAP connection look like and what
> does it say when it's anonymous vs. authenticated?
>
> Thanks.


--
Kiran Ayyagari
http://keydap.com

This email and any files transmitted with it are confidential, proprietary and intended solely for the individual or entity to whom they are addressed. If you have received this email in error please delete it immediately.
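Mark's point that the log must not be the only test, turned into a probe you can point at the server. This is an added example, not code from the thread or from ApacheDS. It hand-encodes the BER of an RFC 4511 BindRequest with version 3, an empty name and an empty simple password (an anonymous bind) and decodes the BindResponse, so it needs only the Python standard library. Assumed: the ApacheDS default LDAP port 10389 and a plain (non-TLS) listener; the two sample responses at the bottom are constructed here, since the thread does not say which resultCode ApacheDS returns when anonymous access is disabled.

```python
"""
Probe an LDAP server with an anonymous simple bind and report what it answered.

Added example, not code from this thread or from ApacheDS. Assumptions:
host/port default to the ApacheDS defaults (localhost:10389); the server's
refusal resultCode is not given in the thread, so any non-zero code is
treated as "refused" and only code 0 as "accepted".
"""
import socket
import sys

RESULT_NAMES = {
    0: "success",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(value: int) -> bytes:
    # Non-negative only; the extra byte keeps the sign bit clear (128 -> 00 80).
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_anonymous_bind(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind_request = _ber_int(3) + _tlv(0x04, b"") + _tlv(0x80, b"")  # [0] simple ""
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind_request))  # [APPLICATION 0]


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _read_tlv(msg, 0)
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = _read_tlv(resp, 0)        # ENUMERATED resultCode
    _, matched, pos = _read_tlv(resp, pos)   # LDAPDN matchedDN
    _, diag, _ = _read_tlv(resp, pos)        # LDAPString diagnosticMessage
    rc = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": rc,
        "result": RESULT_NAMES.get(rc, "other"),
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def anonymous_bind_allowed(response: dict) -> bool:
    """The compliance question: did the server accept the anonymous bind?"""
    return response["result_code"] == 0


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full LDAP response")
        buf += chunk
    return buf


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage: tag + length, then the declared body."""
    head = _recv_exact(sock, 2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + _recv_exact(sock, length)


def probe(host: str = "localhost", port: int = 10389, timeout: float = 5.0) -> dict:
    """Send one anonymous bind over plain TCP and decode the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_anonymous_bind(1))
        return parse_bind_response(_recv_message(sock))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10389
    r = probe(host, port)
    verdict = "ACCEPTED (not compliant)" if anonymous_bind_allowed(r) else "refused"
    print("anonymous bind %s: resultCode=%d (%s) %s"
          % (verdict, r["result_code"], r["result"], r["diagnostic"]))
```

Run it as `python probe.py ldap-host 10389` from a host that is allowed to reach the listener; a resultCode of 0 is the evidence an auditor will accept that anonymous access is still on, whatever the configuration checkbox says. The probe deliberately does not use an LDAP client library, so it cannot be fooled by a client that silently upgrades to SASL or retries with credentials.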

Re: Auditing if anonymous LDAP connections are being made

Posted by Emmanuel Lécharny <el...@gmail.com>.
Le 13/06/2014 17:34, Tou-Soua Heu a écrit :
> I will raise a request.
>
> The business case is for secure environments, like at a Financial institution (eg. Bank Of America) or Government agency (e.g. Department of Defense), all LDAP connections must be authenticated (meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS meets this requirement: the fact we unchecked the "Allow Anonymous Access" in the configuration setting isn't sufficient to prove compliancy. We need to demonstrate this is actually happening and one way is via either a server status about the identity of current connections or logging of identity connections.

The log should tell you when someone attempts to authenticate using
anonymous bind. Anonymous authentications are handled by the
AnonymousAuthenticator class, which produces a message when such an
attempt is not allowed:

    LOG.info( "Cannot authenticate as anonymous, the server does not allow it" );

Adding some info log on:

log4j.logger.org.apache.directory.server.core.authn=INFO

should be enough to get such traces.

FTR, I just added some more log for "positive" anonymous bind (ie, when
it's enabled, and some anonymous bind is done, you'll have the same log).

Does it fit your need? Can you tell me if you get the logs I described
on your server after having changed the log config?

Thanks !
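Emmanuel's pointer (INFO on org.apache.directory.server.core.authn, and the AnonymousAuthenticator message) turned into a small audit over the resulting apacheds.log. This is an added example, not code from the thread or from ApacheDS. It assumes the stock ApacheDS log4j conversion pattern "[%d{HH:mm:ss}] %p [%c] - %m%n" (check it against your log4j.properties); the thread does not quote the message written for an accepted anonymous bind, so that text, and all the sample log lines, are constructed here, and any INFO line from AnonymousAuthenticator other than the refusal is counted as an accepted anonymous bind.

```python
"""
Audit an apacheds.log extract for anonymous bind attempts.

Added example, not code from the thread or from ApacheDS. Assumptions:
- log4j layout "[%d{HH:mm:ss}] %p [%c] - %m%n" (stock ApacheDS appenders);
- the refusal text is the AnonymousAuthenticator message quoted in the thread;
- an accepted anonymous bind is logged by the same class at INFO with some
  other message (wording not given in the thread), so any other INFO line
  from that logger is treated as an accepted anonymous bind.
The sample log lines are constructed for this example.
"""
import re
from collections import Counter

ANON_LOGGER = "org.apache.directory.server.core.authn.AnonymousAuthenticator"
ANON_REFUSED = "Cannot authenticate as anonymous, the server does not allow it"

LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+-\s+(?P<msg>.*)$"
)

# Constructed sample; line 3 uses an assumed wording for the "positive" case.
SAMPLE_LOG = """\
[10:42:01] INFO [org.apache.directory.server.core.authn.AnonymousAuthenticator] - Cannot authenticate as anonymous, the server does not allow it
[10:42:05] DEBUG [org.apache.directory.server.core.authn.SimpleAuthenticator] - Authenticating uid=admin,ou=system
[10:42:09] INFO [org.apache.directory.server.core.authn.AnonymousAuthenticator] - Anonymous bind accepted, the server allows it
[10:42:10] WARN [org.apache.directory.server.ldap.LdapServer] - unrelated message
"""


def parse_line(line: str):
    """Split one log4j line into time/level/logger/msg, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(record) -> str:
    """'refused', 'accepted' or None for lines not from the anonymous authenticator."""
    if record is None or record["logger"] != ANON_LOGGER:
        return None
    if record["msg"].startswith(ANON_REFUSED):
        return "refused"
    return "accepted"  # assumption: see module docstring


def audit(text: str) -> dict:
    """Count refused/accepted anonymous binds and keep each event with its time."""
    counts, events = Counter(), []
    for raw in text.splitlines():
        rec = parse_line(raw)
        kind = classify(rec)
        if kind is None:
            counts["ignored"] += 1
            continue
        counts[kind] += 1
        events.append((rec["time"], kind, rec["msg"]))
    return {"counts": dict(counts), "events": events}


def compliant(result: dict) -> bool:
    """True when no anonymous bind was accepted. Refused attempts are still a
    finding: some client is configured to bind anonymously."""
    return result["counts"].get("accepted", 0) == 0


if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    for time, kind, msg in r["events"]:
        print(time, kind.upper(), msg)
    print("counts:", r["counts"], "compliant:", compliant(r))
```

Filtering on the logger name rather than on the message text is deliberate: the refusal string may change between releases, but a line from AnonymousAuthenticator at INFO is by construction an anonymous bind attempt. Keep the refused events as well; under the compliance reading in this thread they prove the control is working, and they also identify the clients that still try.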


RE: Auditing if anonymous LDAP connections are being made

Posted by Tou-Soua Heu <to...@fico.com>.
I will raise a request.

The business case is for secure environments, like at a Financial institution (eg. Bank Of America) or Government agency (e.g. Department of Defense), all LDAP connections must be authenticated (meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS meets this requirement: the fact we unchecked the "Allow Anonymous Access" in the configuration setting isn't sufficient to prove compliancy. We need to demonstrate this is actually happening and one way is via either a server status about the identity of current connections or logging of identity connections.

Thanks.

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org] 
Sent: Friday, June 13, 2014 1:11 AM
To: users@directory.apache.org
Subject: Re: Auditing if anonymous LDAP connections are being made

On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu <to...@fico.com> wrote:

> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>
there is no way right now (other than looking at the debug logs, which is
painful)
if you can raise a feature request with enough details about the use case we
might consider to implement it.

thank you

> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
>
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately
> this puts a lot of noise in the apacheds.log file. In this case, what
> does the log entry that records the LDAP connection look like and what
> does it say when it's anonymous vs. authenticated?
>
> Thanks.


--
Kiran Ayyagari
http://keydap.com


Re: Auditing if anonymous LDAP connections are being made

Posted by Kiran Ayyagari <ka...@apache.org>.
On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu <to...@fico.com> wrote:

> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>
there is no way right now (other than looking at the debug logs, which is
painful)
if you can raise a feature request with enough details about the use case we
might consider to implement it.

thank you

> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
>
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately this
> puts a lot of noise in the apacheds.log file. In this case, what does the log
> entry that records the LDAP connection look like and what does it say when
> it's anonymous vs. authenticated?
>
> Thanks.


-- 
Kiran Ayyagari
http://keydap.com