Date: Fri, 13 Jun 2014 08:43:21 -0700 (PDT)
From: Mark D
To: users@directory.apache.org
Subject: Re: Auditing if anonymous LDAP connections are being made

Log files shouldn't be the only test; we still test against the server to verify.

I would have to second the request, assuming there is no auditing currently in place. I haven't needed it yet!

It wouldn't be allowed in our PCI environments without sufficient audit records. This seems trivial to implement: another logger / file just for AUDIT.

----- Original Message -----
From: "Tou-Soua Heu"
To: users@directory.apache.org
Sent: Friday, June 13, 2014 8:34:18 AM
Subject: RE: Auditing if anonymous LDAP connections are being made

I will raise a request.

The business case is for secure environments, like at a financial institution (e.g. Bank Of America) or government agency (e.g. Department of Defense): all LDAP connections must be authenticated (meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS meets this requirement; the fact that we unchecked "Allow Anonymous Access" in the configuration setting isn't sufficient to prove compliance. We need to demonstrate this is actually happening, and one way is via either a server status about the identity of current connections or logging of connection identities.

Thanks.

-----Original Message-----
From: Kiran Ayyagari [mailto:kayyagari@apache.org]
Sent: Friday, June 13, 2014 1:11 AM
To: users@directory.apache.org
Subject: Re: Auditing if anonymous LDAP connections are being made

On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu wrote:

> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>

there is no way right now (other than looking at the debug logs, which is painful)

if you can raise a feature request with enough details about the usecase we might consider to implement it.

thank you

> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately
> this puts a lot of noise in the apacheds.log file. In this case, what
> does the log entry that records the LDAP connection look like, and what
> does it say when it's anonymous vs. authenticated?
>
> Thanks.

--
Kiran Ayyagari
http://keydap.com
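The "test against the server" check Mark D describes, written out as an added example (not code from this thread or from ApacheDS): it sends an RFC 4511 anonymous simple bind with the standard library only and reads the resultCode, so a compliance reviewer can show whether the server actually refuses anonymous binds rather than relying on the "Allow Anonymous Access" checkbox. The host name is assumed; 10389 is ApacheDS's default plain LDAP port.

```python
import socket

# Added example, not from the mailing-list thread or the ApacheDS code base:
# audits whether an LDAPv3 server accepts an anonymous simple bind
# (BindRequest with empty name and empty password, RFC 4511 section 4.2).

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }.
    message_id is kept below 128 so the one-byte INTEGER stays positive."""
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def bind_result_code(response: bytes) -> int:
    """resultCode of a BindResponse (APPLICATION 1); 0 means the bind succeeded."""
    _, msg, _ = _read_tlv(response, 0)       # outer LDAPMessage SEQUENCE
    _, _, pos = _read_tlv(msg, 0)            # skip messageID
    tag, bind_resp, _ = _read_tlv(msg, pos)  # protocolOp
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, rc, _ = _read_tlv(bind_resp, 0)       # ENUMERATED resultCode
    return int.from_bytes(rc, "big")

def anonymous_bind_accepted(host: str, port: int = 10389) -> bool:
    """True if the server answers the anonymous bind with resultCode 0.
    host is an assumed value; port defaults to ApacheDS's plain LDAP port."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(anonymous_bind_request())
        data = s.recv(4096)                  # a BindResponse fits in one read
    return bind_result_code(data) == 0
```

A refused bind (any non-zero resultCode) is the evidence the compliance case needs; a server that accepts the bind but denies every subsequent operation would need a follow-up search on the same connection to characterise fully.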