Logging authentication failure on OpenLDAP

authenticationopenldap

I need to log authentication failure on OpenLDAP. What is the proper log level bit for that? Or is there another configuration for such a thing?

Best Answer

Authentication failure is logged with err=49 - Invalid Credential at default loglevel 256 - (0x100 stats) stats log connections/operations/results:

$ grep 'err=49' -B1 /path/to/ldap.log
slapd[28269]: conn=83767 op=2 BIND dn="cn=x,ou=y,dc=z,dc=t" method=128
slapd[28269]: conn=83767 op=2 RESULT tag=97 err=49 text=

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

BatchMode

If set to “yes”, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be “yes” or “no”. The default is “no”.

Sample usage:

ssh -oBatchMode=yes -l <user> <host> <dostuff>

Credentials caching in OpenLDAP proxy

I guess you already know about OpenLDAP Proxy Cache Engine since you are creating such server. Anyway, I would do this with the proxy cache engine; just set the cache TTL high enough so it can wait backend server reboots and other minor offline cases.

If you have multiple LDAP servers, you can also configure them in multi-master mode and put a load-balancer in front of them. That way you don't have to worry about a single LDAP server going down, everything continues to work smoothly automatically.

Best Answer

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

Credentials caching in OpenLDAP proxy

Related Topic