Given the following standard workflow:
- A user supplies a username and password to an application (i.e., webmail).
- The application authenticates the user against LDAP or AD.
- LDAP or AD log the authentication attempt, including the source of the request, which appears as the application IP.
Is it possible to include the IP of the user in an LDAP or AD request, in such a fashion that it ends up in the LDAP or AD authentication log entries? Either by appending the information, or by replacing the application IP?
I'm fairly certain that this can't be done with AD as requested. However, nothing is preventing the application itself from logging the user's IP in either a text log or its own Windows application event log (assuming you have some level of code control over the application), and then this could be correlated with the AD logs, assuming your servers' timekeeping is in sync.
For generic/undefined LDAP, this is a more difficult question to concretely answer, but I think it's similar to the AD answer. Of course, if you have access to the code for the application and the LDAP server, you can pass and log whatever info you want to.
If you don't have access to the code of the application, and it doesn't have an option for logging the info now, there's nothing you can do to make it. Of course, if you control the firewall(s) or router(s), you could also be logging this info, as long as the username is passed as plaintext for the network to see.
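The correlation approach the answer describes (the application logs the end user's IP itself, and that log is later joined to the AD/LDAP authentication log on username and timestamp), as an added example that is not part of the original post. Both log excerpts are constructed and simplified; the field names, the application server address 10.0.0.20 and the client addresses are assumptions, not any real AD or LDAP log format. The clock-skew tolerance is the part that depends on the answer's caveat about synchronised timekeeping.

```python
"""Join an application's own authentication log, which records the real
client IP, with the directory-side (AD/LDAP) authentication log, which only
ever sees the application server's IP.  Added example with constructed data."""
from datetime import datetime, timedelta

# Constructed sample: the application's own log, written by code the admin controls.
APP_LOG = """\
2024-03-01T10:00:01Z user=alice client_ip=203.0.113.5 result=ok
2024-03-01T10:00:07Z user=bob client_ip=198.51.100.9 result=fail
2024-03-01T10:05:30Z user=alice client_ip=203.0.113.77 result=ok
"""

# Constructed, simplified directory-side log: every bind appears to come from
# the application server (10.0.0.20, assumed), never from the end user.
DIR_LOG = """\
2024-03-01T10:00:02Z bind user=alice source=10.0.0.20 result=success
2024-03-01T10:00:07Z bind user=bob source=10.0.0.20 result=failure
2024-03-01T10:05:31Z bind user=alice source=10.0.0.20 result=success
2024-03-01T10:09:00Z bind user=carol source=10.0.0.20 result=success
"""


def parse_kv_log(text):
    """Parse lines of the form '<ISO timestamp> key=value key=value ...'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            if "=" in field:
                key, value = field.split("=", 1)
                rec[key] = value
        records.append(rec)
    return records


def correlate(app_records, dir_records, tolerance_s=5):
    """For each directory-side event, pick the application-side event with the
    same username that is closest in time, provided the gap is within
    tolerance_s seconds (the allowance for clock skew between the two hosts).
    Each application record is consumed at most once so one webmail login
    cannot explain two directory binds."""
    tolerance = timedelta(seconds=tolerance_s)
    unused = list(app_records)
    matches = []
    for d in dir_records:
        best, best_delta = None, None
        for a in unused:
            if a["user"] != d["user"]:
                continue
            delta = abs(a["ts"] - d["ts"])
            if delta <= tolerance and (best is None or delta < best_delta):
                best, best_delta = a, delta
        if best is not None:
            unused.remove(best)
        matches.append((d, best))
    return matches


def enriched_lines(app_text, dir_text, tolerance_s=5):
    """Return the directory log rewritten with the real client IP appended,
    or client_ip=unknown where no application-side event explains the bind."""
    out = []
    for d, a in correlate(parse_kv_log(app_text), parse_kv_log(dir_text), tolerance_s):
        client = a["client_ip"] if a else "unknown"
        out.append(
            f"{d['ts'].isoformat()}Z user={d['user']} app_source={d['source']} "
            f"client_ip={client} result={d['result']}"
        )
    return out


if __name__ == "__main__":
    for line in enriched_lines(APP_LOG, DIR_LOG):
        print(line)
```

The fourth directory entry (carol) has no application-side counterpart and stays `client_ip=unknown`, which is exactly the case worth alerting on: a bind from the application server that the application itself never recorded. Setting `tolerance_s` to 0 makes the 1-second skew in the sample data break the first and third matches, which is why the answer's note about synchronised clocks matters.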