directory-users mailing list archives

From Mark D <temp1...@debusschere.com>
Subject Re: Auditing if anonymous LDAP connections are being made
Date Fri, 13 Jun 2014 15:43:21 GMT
Log files shouldn't be the only test; we still test against the server to verify.

I would have to second the request, assuming there is no auditing currently in place; I haven't
needed it yet!
It wouldn't be allowed in our PCI environments without sufficient audit records.

This seems trivial to implement.  Another logger / file just for AUDIT.

----- Original Message -----
From: "Tou-Soua Heu" <tousouaheu@fico.com>
To: users@directory.apache.org
Sent: Friday, June 13, 2014 8:34:18 AM
Subject: RE: Auditing if anonymous LDAP connections are being made

I will raise a request.

The business case is for secure environments, like at a financial institution (e.g. Bank of
America) or government agency (e.g. Department of Defense), where all LDAP connections must be authenticated
(meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS
meets this requirement: the fact that we unchecked "Allow Anonymous Access" in the configuration
setting isn't sufficient to prove compliance. We need to demonstrate this is actually happening,
and one way is via either a server status showing the identity of current connections or logging
of connection identities.

Thanks.

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org] 
Sent: Friday, June 13, 2014 1:11 AM
To: users@directory.apache.org
Subject: Re: Auditing if anonymous LDAP connections are being made

On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu <tousouaheu@fico.com> wrote:

> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>
there is no way right now (other than looking at the debug logs, which is painful)
if you can raise a feature request with enough details about the use case we might consider
implementing it.

thank you

>
> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
>
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up changing "log4j.rootCategory=DEBUG". Unfortunately
> this puts a lot of noise in the apacheds.log file. In this case, what
> does the log entry that records the LDAP connection look like and what
> does it say when it's anonymous vs. authenticated?
>
> Thanks.
>


--
Kiran Ayyagari
http://keydap.com

This email and any files transmitted with it are confidential, proprietary and intended solely
for the individual or entity to whom they are addressed. If you have received this email in
error please delete it immediately.
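The thread asks what an anonymous bind looks like versus an authenticated one, and what an audit record for it would need to contain. The following is an added example, not code from this thread or from ApacheDS: it encodes LDAP BindRequest PDUs as defined in RFC 4511 with a minimal BER encoder, then classifies each request as anonymous, unauthenticated, simple or SASL per RFC 4513 and emits one audit line per bind, flagging the binds a "no anonymous access" policy forbids. The peer addresses and DNs are constructed sample data; where the raw PDUs come from (a packet capture or a server-side hook) is an assumption of the example, not something the thread describes.

```python
# Added example: classify LDAP BindRequests and produce audit records.
# Not part of the thread or of ApacheDS. Tag values follow RFC 4511 (LDAP ASN.1),
# bind categories follow RFC 4513 section 5.1. Sample inputs are constructed.

BIND_REQUEST_TAG = 0x60   # [APPLICATION 0] BindRequest
SIMPLE_AUTH_TAG = 0x80    # AuthenticationChoice: [0] simple OCTET STRING
SASL_AUTH_TAG = 0xA3      # AuthenticationChoice: [3] SaslCredentials SEQUENCE


def _ber_len(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def encode_bind_request(msg_id, name, password=None, sasl_mechanism=None):
    """Build an LDAPMessage carrying a BindRequest (msg_id must be < 128 here)."""
    version = _tlv(0x02, b"\x03")              # INTEGER 3 (LDAPv3)
    dn = _tlv(0x04, name.encode())             # LDAPDN as OCTET STRING
    if sasl_mechanism is not None:
        auth = _tlv(SASL_AUTH_TAG, _tlv(0x04, sasl_mechanism.encode()))
    else:
        auth = _tlv(SIMPLE_AUTH_TAG, (password or "").encode())
    bind = _tlv(BIND_REQUEST_TAG, version + dn + auth)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)  # LDAPMessage SEQUENCE


def _read_tlv(buf, pos):
    """Decode one BER TLV at pos; returns (tag, payload, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_bind(pdu):
    """Return (kind, bind_dn, msg_id) where kind is one of
    'anonymous', 'unauthenticated', 'simple', 'sasl', 'not-bind'."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST_TAG:
        return ("not-bind", None, msg_id)
    _, _version, pos = _read_tlv(body, 0)
    _, name, pos = _read_tlv(body, pos)
    auth_tag, cred, _ = _read_tlv(body, pos)
    name = name.decode()
    if auth_tag == SIMPLE_AUTH_TAG:
        if not name and not cred:
            kind = "anonymous"          # RFC 4513 5.1.1: empty name, empty password
        elif name and not cred:
            kind = "unauthenticated"    # RFC 4513 5.1.2: name given, empty password
        else:
            kind = "simple"
    elif auth_tag == SASL_AUTH_TAG:
        kind = "sasl"
    else:
        kind = "not-bind"
    return (kind, name, msg_id)


# Both anonymous and unauthenticated binds leave the session with anonymous
# authorization if the server accepts them, so a policy that forbids anonymous
# access must flag both.
VIOLATING_KINDS = ("anonymous", "unauthenticated")


def audit_records(events):
    """One audit line per (peer, pdu) event; policy violations are marked."""
    lines = []
    for peer, pdu in events:
        kind, name, msg_id = classify_bind(pdu)
        level = "AUDIT VIOLATION" if kind in VIOLATING_KINDS else "AUDIT"
        lines.append(f"{level} bind peer={peer} msgid={msg_id} auth={kind} dn={name or '<empty>'}")
    return lines


# Constructed sample events: (client address, raw LDAPMessage bytes).
SAMPLE_EVENTS = [
    ("10.0.0.5:51234", encode_bind_request(1, "")),                                   # anonymous
    ("10.0.0.7:44321", encode_bind_request(1, "uid=app,ou=svc,dc=example,dc=com", "s3cret")),
    ("10.0.0.9:40001", encode_bind_request(1, "uid=bob,dc=example,dc=com", "")),      # unauthenticated
    ("10.0.0.11:39999", encode_bind_request(2, "", sasl_mechanism="DIGEST-MD5")),
]

if __name__ == "__main__":
    for line in audit_records(SAMPLE_EVENTS):
        print(line)
```

The classifier looks only at the BindRequest itself, so it reports what the client asked for; whether the server granted an anonymous session is a separate question that needs the BindResponse result code, which is where the server-side logging requested in this thread would have to record it.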
