I have an OpenLDAP server (with user passwords) open worldwide which I'm trying to secure.
Step 1 was to limit access to data to authenticated users via ACLs.
Step 2, to prevent brute force attacks, was to implement ppolicy. Seems to be working fine, cool.
Step 3 is going to be "handle the user who's been locked out and swears it's not his fault" by spotting DN lockouts as early as possible, together with their possible causes.
I've started writing scripts which check for the presence of the pwdAccountLockedTime attribute, warn via email, ring bells etc. That's fine, but I'm finding it hard to link that to the data in the logs saying when the incriminated logins occurred, where they were done from etc. All the data is there, but bringing it all together is a real pain. I feel sure I'm not the only one confronted with this problem (or am I trying to solve the wrong problem?) and that solutions exist, I just haven't been able to find them. Am I wrong?
Forgot to say, fail2ban is not really suited. There are many clients, of whom I do not necessarily know the addresses, who are likely to do legitimate massive requests on the directory and would not pass fail2ban. Sounds strange, I know, but our configuration here is complicated and we have to make do with it. That's why I'm looking at ppolicy.
To put it short, I'd like to have a way to monitor the occurrence of pwdAccountLockedTime and, when that happens, immediately have the info of which user is concerned, the pwdFailureTime values, what requests were done at that time and from which IP address(es), in a single, easy to read log file. That would be great, surely it exists?
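As an added example (not code from the original question or from any existing tool), here is a Python sketch of the correlation the question describes: it takes the locked entry's `pwdAccountLockedTime` and `pwdFailureTime` values (a constructed dict standing in for an `ldapsearch` that requests those operational attributes explicitly) and a constructed slapd log at loglevel `stats`, ties each `err=49` (invalidCredentials) bind RESULT back to its BIND `dn` and to the source IP from the connection's ACCEPT line, and matches each `pwdFailureTime` to log events within a small tolerance. Assumptions: syslog timestamps carry no year and are taken to be UTC, so the year is passed in; DN matching is a case-insensitive string comparison, which is only an approximation of proper DN comparison.

```python
"""Correlate an OpenLDAP ppolicy lockout with failed binds in the slapd stats log."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the locked entry as returned by ldapsearch with the
# ppolicy operational attributes requested (values are GeneralizedTime, UTC).
LOCKED_ENTRY = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "pwdAccountLockedTime": "20240110123512Z",
    "pwdFailureTime": ["20240110123456Z", "20240110123503Z", "20240110123512Z"],
}

# Constructed sample slapd log (syslog format, loglevel stats). tag=97 is a
# bindResponse; err=49 is invalidCredentials, err=0 is success.
SLAPD_LOG = """\
Jan 10 12:34:55 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan 10 12:34:56 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:56 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=203.0.113.5:40100 (IP=0.0.0.0:389)
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan 10 12:35:03 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Jan 10 12:35:03 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan 10 12:35:11 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=198.51.100.7:60222 (IP=0.0.0.0:389)
Jan 10 12:35:12 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Jan 10 12:35:12 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
"""

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ slapd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[^ ]+?):\d+ ")
BIND_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as ppolicy writes it: YYYYmmddHHMMSS[.frac]Z."""
    m = re.fullmatch(r"(\d{14})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if m.group(2):  # fractional seconds, truncated/padded to microseconds
        dt += timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))
    return dt


def parse_syslog_time(mon, day, time_s, year):
    """Syslog lines carry no year and no zone; assume UTC and the caller's year."""
    return datetime.strptime(f"{year} {mon} {day} {time_s}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_slapd_log(text, year):
    """Return one record per failed simple bind: time, conn, source IP and bind DN."""
    conn_ip = {}   # conn id -> peer IP, learned from the ACCEPT line
    pending = {}   # (conn, op) -> DN of a BIND awaiting its RESULT
    failures = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = parse_syslog_time(m["mon"], m["day"], m["time"], year), m["msg"]
        if a := ACCEPT_RE.match(msg):
            conn_ip[a["conn"]] = a["ip"]
        elif b := BIND_RE.match(msg):
            pending[(b["conn"], b["op"])] = b["dn"]
        elif r := RESULT_RE.match(msg):
            dn = pending.pop((r["conn"], r["op"]), None)
            if dn is not None and r["err"] == "49":
                failures.append({"time": ts, "conn": r["conn"], "ip": conn_ip.get(r["conn"], "?"), "dn": dn})
    return failures


def correlate(entry, failures, tolerance=timedelta(seconds=2)):
    """For each pwdFailureTime, collect the log failures for this DN within tolerance."""
    dn = entry["dn"].lower()  # approximation of DN matching; good enough for a report
    rows = []
    for ft in entry.get("pwdFailureTime", []):
        t = parse_generalized_time(ft)
        matches = [f for f in failures if f["dn"].lower() == dn and abs(f["time"] - t) <= tolerance]
        rows.append({"pwdFailureTime": t, "matches": matches})
    return rows


def format_report(entry, rows):
    """Render the single, easy-to-read summary the question asks for."""
    locked = parse_generalized_time(entry["pwdAccountLockedTime"])
    out = [f"LOCKOUT {entry['dn']} at {locked.isoformat()}"]
    for row in rows:
        stamp = row["pwdFailureTime"].isoformat()
        if not row["matches"]:
            out.append(f"  failed bind {stamp}  no matching err=49 BIND found in log")
        for f in row["matches"]:
            out.append(f"  failed bind {stamp}  conn={f['conn']}  from {f['ip']}  (log {f['time'].isoformat()})")
    return "\n".join(out)


def lockout_report(entry=LOCKED_ENTRY, log_text=SLAPD_LOG, year=2024):
    rows = correlate(entry, parse_slapd_log(log_text, year))
    return rows, format_report(entry, rows)


if __name__ == "__main__":
    print(lockout_report()[1])
```

In practice the entry dict would come from an `ldapsearch` using the filter `(pwdAccountLockedTime=*)` with the two operational attributes named explicitly, and the log text from the slapd syslog facility; the correlation logic itself does not change.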
I would question step 3. Trawling through logs to find possibly affected users doesn't address the actual problem, which is that they can't log in.
All you need is an administrative action to reset the account with a temporary new password that you tell him when he complains (after authenticating him by some other means), and that he must change when next he logs in, all of which can be accomplished via policy.