I want to figure out how many authentications failed or succeeded by processing OpenLDAP (2.4.42)'s log file.
Following is a sample of my OpenLDAP log.
slapd[5516]: conn=2803 op=3 SRCH base="ou=groups,dc=myOrg,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)
slapd[5516]: conn=2803 op=3 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
slapd[5516]: <= bdb_inequality_candidates: (modifyTimestamp) not indexed
slapd[5516]: conn=2803 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[5516]: conn=2803 op=4 SRCH base="dc=myOrg,dc=com" scope=2 deref=0 filter="(&(objectClass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))"
slapd[5516]: conn=2803 op=4 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp
slapd[5516]: conn=2803 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[5516]: conn=2797 fd=37 closed (connection lost)
slapd[5516]: conn=2795 op=23 UNBIND
slapd[5516]: conn=2795 fd=36 closed
slapd[5516]: conn=2804 fd=36 ACCEPT from IP=10.1.1.205:49974 (IP=0.0.0.0:636)
slapd[5516]: conn=2804 fd=36 TLS established tls_ssf=128 ssf=128
slapd[5516]: conn=2804 op=0 BIND dn="" method=128
slapd[5516]: conn=2804 op=0 RESULT tag=97 err=0 text=
slapd[5516]: conn=2804 op=1 SRCH base="ou=people,dc=myOrg,dc=com" scope=2 deref=3 filter="(&(objectClass=*)(uid=xyzUser))"
slapd[5516]: conn=2804 op=1 SRCH attr=uid
slapd[5516]: conn=2804 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[5516]: conn=2804 op=2 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" method=128
slapd[5516]: conn=2804 op=2 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" mech=SIMPLE ssf=0
slapd[5516]: conn=2804 op=2 RESULT tag=97 err=0 text=
slapd[5516]: conn=2804 op=3 BIND anonymous mech=implicit ssf=0
slapd[5516]: conn=2804 op=3 BIND dn="" method=128
slapd[5516]: conn=2804 op=3 RESULT tag=97 err=0 text=
slapd[5516]: conn=2804 op=4 SRCH base="ou=people,dc=myOrg,dc=com" scope=2 deref=3 filter="(&(&(&(&(objectClass=myOrgEmployee)(status=TRUE))(webmailAllowed=TRUE))(passwordExpired=FALSE))(uid=xyzUser))"
slapd[5516]: conn=2804 op=4 SRCH attr=uid
slapd[5516]: <= bdb_equality_candidates: (passwordExpired) not indexed
slapd[5516]: conn=2804 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
What I want to know is whether the value of the conn attribute in the log is always going to be unique or not, because my algorithm is like this:
- Search for the keyword SEARCH RESULT
- Get the value of the attributes conn and op
- Find the SRCH base with the same value of conn and op
Usually it's the BIND request that gets used during authentication.
Otherwise your authentication system uses another user (Directory Manager perhaps?) or anonymous requests to match the username / password against the directory server.
Indeed you're actually authenticating using BIND:
Connection / LDAPS establishment:
Bind using the provided credentials:
Result is successful (err=0):
So, the way I would implement the search is:
But very probably you'll have easier ways than the OpenLDAP logs to do what you need: if you're using a prebuilt IAM like Siteminder / Oracle (ex SUN) Identity Management you'll find it's easier to get login info from there. If not, you can check your application logs.
Hope this helps.
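As an added example (not code from either poster), the BIND/RESULT pairing the answer describes, written so that it also covers the asker's concern about conn uniqueness: each operation is keyed by (pid, conn, op), on the assumption that conn numbers restart together with the slapd process, and anonymous binds (dn="") are skipped since they are not user logins. The sample log is constructed from the lines in the question plus one assumed err=49 (invalidCredentials) line to show a failure.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's log; the conn=2805 err=49 line is
# an assumed failed login, not present in the original post.
SAMPLE_LOG = """\
slapd[5516]: conn=2804 op=0 BIND dn="" method=128
slapd[5516]: conn=2804 op=0 RESULT tag=97 err=0 text=
slapd[5516]: conn=2804 op=2 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" method=128
slapd[5516]: conn=2804 op=2 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" mech=SIMPLE ssf=0
slapd[5516]: conn=2804 op=2 RESULT tag=97 err=0 text=
slapd[5516]: conn=2804 op=3 BIND anonymous mech=implicit ssf=0
slapd[5516]: conn=2804 op=3 BIND dn="" method=128
slapd[5516]: conn=2804 op=3 RESULT tag=97 err=0 text=
slapd[5516]: conn=2805 op=0 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" method=128
slapd[5516]: conn=2805 op=0 BIND dn="uid=xyzUser,ou=people,dc=myOrg,dc=com" mech=SIMPLE ssf=0
slapd[5516]: conn=2805 op=0 RESULT tag=97 err=49 text=
"""

LINE_RE = re.compile(r'slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=')   # the bind request line
RESULT_RE = re.compile(r'^RESULT tag=97 err=(?P<err>\d+)')   # tag=97 = BindResponse

def count_bind_results(log_text):
    """Return {'success': Counter(dn), 'failure': Counter((dn, err))}.

    Operations are keyed by (pid, conn, op): conn is assumed unique only within
    one slapd process, so the pid from the log prefix is part of the key.
    """
    pending = {}                      # (pid, conn, op) -> dn awaiting its RESULT
    success, failure = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                  # SRCH, ACCEPT, TLS, closed, index warnings...
        key = (m['pid'], m['conn'], m['op'])
        b = BIND_RE.match(m['rest'])
        if b:
            if b['dn']:               # dn="" is an anonymous bind, not a login
                pending[key] = b['dn']
            continue
        r = RESULT_RE.match(m['rest'])
        if r and key in pending:      # RESULT tag=97 answers the BIND with same key
            dn = pending.pop(key)
            if r['err'] == '0':
                success[dn] += 1
            else:
                failure[(dn, int(r['err']))] += 1
    return {'success': success, 'failure': failure}
```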