One such feature enhancement introduced connection details to each of the OUD log publishers. When enabled, this enhancement tags each operation in the log file with the following additional details:
- Authentication Distinguished Name: bindDN=<user_dn>
- Protocol: protocol=<LDAP | LDAPS | HTTP>
- Client: client=<source_ip>:<source_port>
- Server: server=<destination_ip>:<destination_port>
- Cryptographic Protocol: protocol=<TLSv1.3 | TLSv1.2 | TLSv1.1 | ...>
- Cryptographic Cipher Suite: cipherSuite=<TLS_AES_128_GCM_SHA256 | ...>
These additional details let logging analytics tools such as Oracle Cloud Infrastructure Logging Analytics provide deep insight into the use and security posture of the OUD service, helping you to strengthen that posture, identify out-of-date clients, find the root cause of cryptographic communication failures, and even spot potential threat actors.
Here are some of the questions that each of these additional details can enable you to answer:
- Authentication Distinguished Name
  - What operations did James perform on the directory server over the past 48 hours?
  - What users added new entries over the past 90 days?
  - Are any clients connecting anonymously to OUD?
- Protocol
  - What clients or users are connecting to OUD via non-encrypted LDAP?
  - What clients are connecting via REST/SCIM?
- Client
  - What is the volume of load per client IP address?
  - From what client IP addresses were write operations performed?
  - From what client IP addresses were anonymous authentications performed?
- Server
  - Is the distribution of load even across servers in the load-balanced pool?
  - What OUD instances receive write operations?
  - Which OUD instances are processing un-indexed searches or other abusive loads?
  - Which OUD instances are receiving non-encrypted LDAP connections?
- Cryptographic Protocol
  - Which users are requesting weak cryptographic protocols like SSLv3?
  - What is the distribution of cryptographic protocols handled by the OUD service?
  - Based on client load, can we disable weak cryptographic protocols?
  - Which clients need to be patched or updated to use strong cryptography?
  - Which clients need their trust store updated with the latest certificate authority certificate chain, or perhaps need the updated self-signed certificates?
- Cryptographic Cipher Suite
  - Which users are using anonymous or weak cipher suites when connecting to OUD?
  - What is the distribution of cipher suites being used by clients?
  - Based on client load, can we disable weak cryptographic cipher suites?
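To show how the tags listed above turn into answers, here is an added example (not code from the original post or from Oracle) that parses a handful of constructed, OUD-style access log lines and answers several of the questions: anonymous binds, clear-text LDAP clients, users on weak TLS versions, write operations per client IP, cipher-suite distribution and load per server. The log lines are made up for this example and do not reproduce the exact layout of a real OUD access log; in particular, the post shows `protocol=` for both the transport and the TLS version, so this example assumes a distinct `tlsProtocol=` tag for the TLS version to keep the two apart.

```python
"""Answer connection-detail questions from OUD-style access log lines.

Constructed example: the sample lines below are invented to exercise the
tags named in the post (bindDN=, protocol=, client=, server=, cipherSuite=).
The tlsProtocol= tag is an assumption made for this example.
"""
import re
from collections import Counter

# Constructed sample log: one operation per line, tagged with connection details.
SAMPLE_LOG = """\
[10/Mar/2024:09:00:01 +0000] SEARCH conn=1 op=1 bindDN="cn=james,ou=people,dc=example,dc=com" protocol=LDAPS client=10.0.1.15:51002 server=10.0.0.5:1636 tlsProtocol=TLSv1.3 cipherSuite=TLS_AES_128_GCM_SHA256
[10/Mar/2024:09:00:02 +0000] ADD conn=2 op=1 bindDN="cn=admin,cn=Administrators,cn=admin data" protocol=LDAPS client=10.0.1.20:40211 server=10.0.0.6:1636 tlsProtocol=TLSv1.2 cipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA
[10/Mar/2024:09:00:03 +0000] SEARCH conn=3 op=1 bindDN="" protocol=LDAP client=10.0.2.99:33010 server=10.0.0.5:1389
[10/Mar/2024:09:00:04 +0000] MODIFY conn=4 op=1 bindDN="cn=app1,ou=services,dc=example,dc=com" protocol=LDAPS client=10.0.1.30:48877 server=10.0.0.5:1636 tlsProtocol=TLSv1.1 cipherSuite=TLS_RSA_WITH_3DES_EDE_CBC_SHA
[10/Mar/2024:09:00:05 +0000] SEARCH conn=5 op=1 bindDN="cn=james,ou=people,dc=example,dc=com" protocol=HTTP client=10.0.1.15:51010 server=10.0.0.6:8080
"""

# Fixed prefix of each line, then free-form key=value tags.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+) conn=(?P<conn>\d+) op=(?P<opnum>\d+) (?P<rest>.*)$'
)
# key=value, where value is either a quoted string (may contain spaces) or a bare token.
TAG_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

WRITE_OPS = {"ADD", "MODIFY", "DELETE", "MODDN"}
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "operation": m["op"], "conn": int(m["conn"])}
    for key, raw, quoted in TAG_RE.findall(m["rest"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def client_ip(rec):
    """Strip the source port from client=<ip>:<port>."""
    return rec.get("client", "").rsplit(":", 1)[0]


def anonymous_clients(records):
    """Client IPs that performed operations with an empty bind DN."""
    return sorted({client_ip(r) for r in records if r.get("bindDN", "") == ""})


def cleartext_ldap_clients(records):
    """Client IPs still using non-encrypted LDAP."""
    return sorted({client_ip(r) for r in records if r.get("protocol") == "LDAP"})


def weak_tls_users(records):
    """Bind DNs that negotiated a TLS version considered weak."""
    return sorted({r.get("bindDN", "") for r in records if r.get("tlsProtocol") in WEAK_TLS})


def write_ops_by_client(records):
    """How many write operations each client IP performed."""
    return Counter(client_ip(r) for r in records if r["operation"] in WRITE_OPS)


def cipher_suite_distribution(records):
    return Counter(r["cipherSuite"] for r in records if "cipherSuite" in r)


def load_per_server(records):
    """Operations per server=<ip>:<port>, to check balance across the pool."""
    return Counter(r["server"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("anonymous clients:", anonymous_clients(recs))
    print("clear-text LDAP clients:", cleartext_ldap_clients(recs))
    print("users on weak TLS:", weak_tls_users(recs))
    print("writes per client:", dict(write_ops_by_client(recs)))
    print("cipher suites:", dict(cipher_suite_distribution(recs)))
    print("load per server:", dict(load_per_server(recs)))
```

Each question from the list maps to one small function over the parsed records, which is the same shape a Logging Analytics query takes: filter on a tag, then group or count. Swapping `SAMPLE_LOG` for a real file read is the only change needed once the regexes are adjusted to the actual line layout of your access logger.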
Enabling these additional connection details is straightforward: they can be turned on with the dsconfig command-line tool (interactively, non-interactively, or in batch mode) or through the web-based administrative console (Oracle Unified Directory Services Manager).
Here is a sample non-interactive dsconfig command for enabling connection details on the File-Based Access logger:
Here is the equivalent batch configuration entry:
Here is an access log excerpt with connection details disabled:
Here is an access log excerpt with connection details enabled:
I hope you find this helpful.