- Authentication Distinguished Name: bindDN=<user_dn>
- Protocol: protocol=<LDAP | LDAPS | HTTP>
- Client: client=<source_ip>:<source_port>
- Server: server=<destination_ip>:<destination_port>
- Cryptographic Protocol: protocol=<TLSv1.3 | TLSv1.2 | TLSv1.1 | ...>
- Cryptographic Cipher Suite: cipherSuite=<TLS_AES_128_GCM_SHA256 | ...>
- Authentication Distinguished Name
  - What operations did James perform on the directory server over the past 48 hours?
  - Which users added new entries over the past 90 days?
  - Are any clients connecting anonymously to OUD?
- Protocol
  - Which clients or users are connecting to OUD via non-encrypted LDAP?
  - Which clients are connecting via REST/SCIM?
- Client
  - What is the volume of load per client IP address?
  - From which client IP addresses were write operations performed?
  - From which client IP addresses were anonymous authentications performed?
- Server
  - Is the distribution of load even across servers in the load-balanced pool?
  - Which OUD instances receive write operations?
  - Which OUD instances are processing un-indexed searches or other abusive loads?
  - Which OUD instances are receiving non-encrypted LDAP connections?
- Cryptographic Protocol
  - Which users are requesting weak cryptographic protocols like SSLv3?
  - What is the distribution of cryptographic protocols handled by the OUD service?
  - Based on client load, are we able to disable weak cryptographic protocols?
  - Which clients need to be patched or updated to use strong cryptography?
  - Which clients need their trust store updated with the latest certificate authority certificate chain, or perhaps need the updated self-signed certificates?
- Cryptographic Cipher Suite
  - Which users are using anonymous or weak cipher suites when connecting to OUD?
  - What is the distribution of cipher suites being used by clients?
  - Based on client load, are we able to disable weak cryptographic cipher suites?
dsconfig set-log-publisher-prop --publisher-name 'File-Based Access Logger' --set log-connection-details:true --hostname $(hostname -f) --port 1444 --bindDN 'cn=Directory Manager' --bindPasswordFile /opt/ods/poc/cfg/...pw --trustAll --no-prompt
set-log-publisher-prop --publisher-name 'File-Based Access Logger' --set log-connection-details:true
[16/Oct/2023:15:48:10 +0000] CONNECT conn=42 from=10.20.0.104:59560 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:48:10 +0000] BIND REQ conn=42 op=0 msgID=1 type=SIMPLE dn="uid=admin1,ou=Admins,dc=example,dc=com" version=3
[16/Oct/2023:15:48:10 +0000] BIND RES conn=42 op=0 msgID=1 result=0 authDN="uid=admin1,ou=Admins,dc=example,dc=com" etime=1
[16/Oct/2023:15:48:10 +0000] SEARCH REQ conn=42 op=1 msgID=2 base="dc=example,dc=com" scope=sub filter="(uid=user100001)" attrs="dn"
[16/Oct/2023:15:48:10 +0000] SEARCH RES conn=42 op=1 msgID=2 result=0 nentries=1 etime=14
[16/Oct/2023:15:48:10 +0000] UNBIND REQ conn=42 op=2 msgID=3
[16/Oct/2023:15:48:10 +0000] DISCONNECT conn=42 reason="Client Disconnect"
[16/Oct/2023:15:49:41 +0000] CONNECT conn=45 from=10.20.0.104:58190 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:49:41 +0000] CONNECT CONN_DETAILS conn=45 tlsVersion=TLSv1.3 cipherSuite=TLS_AES_128_GCM_SHA256
[16/Oct/2023:15:49:41 +0000] BIND REQ conn=45 op=0 msgID=1 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS type=SIMPLE dn="uid=admin1,ou=Admins,dc=example,dc=com" version=3
[16/Oct/2023:15:49:41 +0000] BIND RES conn=45 op=0 msgID=1 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com result=0 authDN="uid=admin1,ou=Admins,dc=example,dc=com" etime=0
[16/Oct/2023:15:49:41 +0000] SEARCH REQ conn=45 op=1 msgID=2 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com base="dc=example,dc=com" scope=sub filter="(uid=user100001)" attrs="dn"
[16/Oct/2023:15:49:41 +0000] SEARCH RES conn=45 op=1 msgID=2 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com result=0 nentries=1 etime=1
[16/Oct/2023:15:49:41 +0000] UNBIND REQ conn=45 op=2 msgID=3 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com
[16/Oct/2023:15:49:41 +0000] DISCONNECT conn=45 reason="Client Disconnect"