I am looking for a method to log LDAP access to an Active Directory domain controller. I want to be able to log the username and source IP address of access to both 389 and 636 (encrypted).
A simple packet capture would get me the source IP, but getting the username will not be possible over LDAPS, so I am hoping there is some built-in auditing/debug/logging feature in Windows that will give me this information.
Best Answer
The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:
The details will be lurking in these XML elements:
If you're viewing things in the decoded text-view, the key markers are:
The details will be:
The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.
Phrasing the search to get these events will prove tricky.
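One way to phrase that search, as an added example that is not part of the original answer: pull successful logon events from the Security log and keep only those whose "Workstation Name" field is populated, which the answer uses as the marker for a bind against this DC. The Event ID (4624) and the XML field names come from the standard Windows logon event schema and are assumed here, not taken from the page; the script assumes it runs elevated on the DC with success logon auditing enabled.

```powershell
# Added example (not the original answer's code). Lists logon events on a
# domain controller whose Workstation Name field is filled in, per the answer.
# Assumes: Event ID 4624 = successful logon (standard Windows schema), run
# elevated on the DC, and "Audit Logon" success auditing is enabled.
function Get-DcBindLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # DC whose Security log to read
        [int]$MaxEvents = 5000                      # bound the firehose per query
    )

    $events = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Decode the event XML so fields can be addressed by name, not position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The answer's differentiator: binds against the DC populate Workstation Name.
        if ([string]::IsNullOrEmpty($data['WorkstationName'])) { continue }

        # IpAddress is "-" for local logons; surface it as-is so the gap is visible.
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIP    = $data['IpAddress']
            Workstation = $data['WorkstationName']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

# Usage: tabulate the most recent matches on the local DC.
Get-DcBindLogon -MaxEvents 2000 | Format-Table -AutoSize
```

Computer accounts (names ending in `$`) and service-account logons will also appear in this output, so filter on `User` or `LogonType` further if you only want interactive or application binds.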