Monday, October 16, 2023

OUD Feature Highlight: Connection Details

Beginning with Oracle Unified Directory (OUD) 12c Patch Set 4, Oracle began adding new features and functionality, along with bug fixes, in each bundle patch release. The What's New section of the documentation covers the new features as they are added with each bundle patch.

One such enhancement added connection details to each of the OUD log publishers. When enabled, it tags each operation in the log file with the following additional details:
  • Authentication Distinguished Name: bindDN=<user_dn>
  • Protocol: protocol=<LDAP | LDAPS | HTTP>
  • Client: client=<source_ip>:<source_port>
  • Server: server=<destination_ip>:<destination_port>
  • Cryptographic Protocol: tlsVersion=<TLSv1.3 | TLSv1.2 | TLSv1.1 | ...>
  • Cryptographic Cipher Suite: cipherSuite=<TLS_AES_128_GCM_SHA256 | ...>
These additional details let logging analytics tools such as Oracle Cloud Infrastructure Logging Analytics provide deep insight into the use and security posture of the OUD service, helping you to strengthen that posture, identify out-of-date clients, find the root cause of failed TLS negotiations, and even identify potential threat actors.

Here are some of the questions that each of these additional details can help you answer:
  • Authentication Distinguished Name
    • What operations did James perform on the directory server over the past 48 hours?
    • Which users added new entries over the past 90 days?
    • Are any clients connecting anonymously to OUD?
  • Protocol
    • Which clients or users are connecting to OUD via non-encrypted LDAP?
    • Which clients are connecting via REST/SCIM?
  • Client
    • What is the volume of load per client IP address?
    • From which client IP addresses were write operations performed?
    • From which client IP addresses were anonymous authentications performed?
  • Server
    • Is the load distributed evenly across the servers in the load-balanced pool?
    • Which OUD instances receive write operations?
    • Which OUD instances are processing un-indexed searches or other abusive loads?
    • Which OUD instances are receiving non-encrypted LDAP connections?
  • Cryptographic Protocol
    • Which users are requesting weak cryptographic protocols such as SSLv3?
    • What is the distribution of cryptographic protocols handled by the OUD service?
    • Based on client load, are we able to disable weak cryptographic protocols?
    • Which clients need to be patched or updated to use strong cryptography?
    • Which clients need their trust store updated with the latest certificate authority chain, or perhaps with updated self-signed certificates?
  • Cryptographic Cipher Suite
    • Which users are using anonymous or weak cipher suites when connecting to OUD?
    • What is the distribution of cipher suites used by clients?
    • Based on client load, are we able to disable weak cipher suites?

Enabling these additional connection details is straightforward: use the dsconfig command-line tool (interactively, non-interactively, or in batch mode) or the web-based administrative console (Oracle Unified Directory Services Manager).

Here is a sample non-interactive dsconfig command for enabling connection details on the File-Based Access Logger (note the closing quote around the publisher name, which must be present):

dsconfig set-log-publisher-prop --publisher-name 'File-Based Access Logger' --set log-connection-details:true --hostname $(hostname -f) --port 1444 --bindDN 'cn=Directory Manager' --bindPasswordFile /opt/ods/poc/cfg/...pw --trustAll --no-prompt


Here is the equivalent batch configuration entry:

set-log-publisher-prop --publisher-name 'File-Based Access Logger' --set log-connection-details:true


Here is an access log excerpt with connection details disabled:

[16/Oct/2023:15:48:10 +0000] CONNECT conn=42 from=10.20.0.104:59560 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:48:10 +0000] BIND REQ conn=42 op=0 msgID=1 type=SIMPLE dn="uid=admin1,ou=Admins,dc=example,dc=com" version=3
[16/Oct/2023:15:48:10 +0000] BIND RES conn=42 op=0 msgID=1 result=0 authDN="uid=admin1,ou=Admins,dc=example,dc=com" etime=1
[16/Oct/2023:15:48:10 +0000] SEARCH REQ conn=42 op=1 msgID=2 base="dc=example,dc=com" scope=sub filter="(uid=user100001)" attrs="dn"
[16/Oct/2023:15:48:10 +0000] SEARCH RES conn=42 op=1 msgID=2 result=0 nentries=1 etime=14
[16/Oct/2023:15:48:10 +0000] UNBIND REQ conn=42 op=2 msgID=3
[16/Oct/2023:15:48:10 +0000] DISCONNECT conn=42 reason="Client Disconnect"


Here is an access log excerpt with connection details enabled. Note the extra CONNECT CONN_DETAILS line carrying the TLS version and cipher suite, and the client, server, protocol and bindDN fields on every subsequent operation:

[16/Oct/2023:15:49:41 +0000] CONNECT conn=45 from=10.20.0.104:58190 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:49:41 +0000] CONNECT CONN_DETAILS conn=45 tlsVersion=TLSv1.3 cipherSuite=TLS_AES_128_GCM_SHA256
[16/Oct/2023:15:49:41 +0000] BIND REQ conn=45 op=0 msgID=1 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS type=SIMPLE dn="uid=admin1,ou=Admins,dc=example,dc=com" version=3
[16/Oct/2023:15:49:41 +0000] BIND RES conn=45 op=0 msgID=1 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com result=0 authDN="uid=admin1,ou=Admins,dc=example,dc=com" etime=0
[16/Oct/2023:15:49:41 +0000] SEARCH REQ conn=45 op=1 msgID=2 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com base="dc=example,dc=com" scope=sub filter="(uid=user100001)" attrs="dn"
[16/Oct/2023:15:49:41 +0000] SEARCH RES conn=45 op=1 msgID=2 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com result=0 nentries=1 etime=1
[16/Oct/2023:15:49:41 +0000] UNBIND REQ conn=45 op=2 msgID=3 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com
[16/Oct/2023:15:49:41 +0000] DISCONNECT conn=45 reason="Client Disconnect"
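As an added example (not from the post and not Oracle's code), here is a small Python parser for the access-log format shown above. It joins the CONNECT, CONN_DETAILS and BIND RES lines per connection id to answer four of the questions listed earlier: non-encrypted LDAP clients, weak TLS versions, anonymous binds, and connection volume per client IP. The sample log is constructed, and the way an anonymous bind is recorded (assumed here as authDN="") is an assumption, not something the post shows.

```python
import re
from collections import Counter

# Constructed sample in this post's access-log format (connection details on). Assumed, not from the post: an anonymous bind logs authDN="".
SAMPLE_LOG = """\
[16/Oct/2023:15:49:41 +0000] CONNECT conn=45 from=10.20.0.104:58190 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:49:41 +0000] CONNECT CONN_DETAILS conn=45 tlsVersion=TLSv1.3 cipherSuite=TLS_AES_128_GCM_SHA256
[16/Oct/2023:15:49:41 +0000] BIND RES conn=45 op=0 msgID=1 client=10.20.0.104:58190 server=10.20.0.104:1636 protocol=LDAPS bindDN=uid=admin1,ou=Admins,dc=example,dc=com result=0 authDN="uid=admin1,ou=Admins,dc=example,dc=com" etime=0
[16/Oct/2023:15:50:02 +0000] CONNECT conn=46 from=10.20.0.77:40122 to=10.20.0.104:1389 protocol=LDAP
[16/Oct/2023:15:50:02 +0000] BIND RES conn=46 op=0 msgID=1 client=10.20.0.77:40122 server=10.20.0.104:1389 protocol=LDAP result=0 authDN="" etime=0
[16/Oct/2023:15:50:03 +0000] CONNECT conn=47 from=10.20.0.90:51000 to=10.20.0.104:1636 protocol=LDAPS
[16/Oct/2023:15:50:03 +0000] CONNECT CONN_DETAILS conn=47 tlsVersion=TLSv1.1 cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z_ ]+?) (?P<kv>\w+=.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')   # quoted values (dn="...", reason="...") may contain spaces
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_line(line):
    """Return (operation, {key: value}) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("op"), {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}

def analyze(log_text):
    """Join CONNECT / CONN_DETAILS / BIND RES lines per conn id and report plaintext LDAP
    clients, weak TLS versions, anonymous binds and connection volume per client IP."""
    conns, report = {}, {"plaintext_clients": set(), "weak_tls": [],
                         "anonymous_binds": set(), "load_per_client": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        op, f = parsed
        if op == "CONNECT":
            ip = f["from"].rsplit(":", 1)[0]          # strip the source port
            conns[f["conn"]] = {"client": ip, "protocol": f.get("protocol")}
            report["load_per_client"][ip] += 1
            if f.get("protocol") == "LDAP":            # non-encrypted connection
                report["plaintext_clients"].add(ip)
        elif op == "CONNECT CONN_DETAILS":
            ver = f.get("tlsVersion")
            if ver in WEAK_TLS:
                report["weak_tls"].append((f["conn"], conns.get(f["conn"], {}).get("client"), ver))
        elif op == "BIND RES" and f.get("result") == "0" and f.get("authDN") == "":
            src = conns.get(f["conn"], {}).get("client")   # works even without client= fields
            if src:
                report["anonymous_binds"].add(src)
    return report
```

The same per-connection join works on logs written with connection details disabled, since the client IP is taken from the CONNECT line; the connection-details fields add the TLS version, cipher suite and bindDN on each operation.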

I hope you find this helpful.

Blessings!

Brad
