Capture all external application password compares/validations
Article ID: 384839

Products

CA Directory

Issue/Introduction

In an environment where CA Directory has been in use for a long time, internal applications were set up to perform their own username/password validation against the directory.
How can all applications and processes that perform this validation be identified?
How can this be captured in production without running deep logging for extended periods of time?

Environment

14.1 SP4

Resolution

Setting tracing like:

set trace = connect, update, error;

produces a rather compact log that still contains essentially all the information needed for this task.

For example, updates of the userPassword field will look like this (two updates from two different applications):

20241209.000119.822 CONN #025 "cn=example-user,ou=example-unit,o=example1,c=US" 192.168.27.1:5178 PASS
20241209.000131.367 "cn=example-user,ou=example-unit,o=example1,c=US" MOD "cn=example-user4,ou=example-unit,o=example1,c=US" rem-attr:userPassword,add-attr:userPassword
20241209.000136.108 DISC #025 "cn=example-user,ou=example-unit,o=example1,c=US" 17 sec 1 kbytes 7 ops 0 cpu

20241209.000145.725 CONN #026 "cn=example-user,ou=example-unit,o=example1,c=US" 192.168.27.1:60201 PASS
20241209.000153.442 "cn=example-user,ou=example-unit,o=example1,c=US" MOD "cn=example-user4,ou=example-unit,o=example1,c=US" rem-attr:userPassword,add-attr:userPassword
20241209.000153.443 DISC #026 "cn=example-user,ou=example-unit,o=example1,c=US" 8 sec 0 kbytes 2 ops 8 cpu

Thus, the following can be obtained: the IP address and port the client connected from, the bind user name (DN), and whether the update operation involved the userPassword field (or any other attribute). The application name is not logged, but it can be determined in a separate step.

In some cases things can be more complex, for example when different applications use the same user for authentication, or when an anonymous login is used:

20241208.235752.480 CONN #023 (none) 192.168.27.1:5127 ANON
20241208.235837.621 (none) MOD "cn=example-user4,ou=example-unit,o=example1,c=US" rem-attr:userPassword,add-attr:userPassword
20241208.235912.257 DISC #023 (none) 80 sec 1 kbytes 8 ops 0 cpu

Later, the logs can be analysed using a Python script or any other tool to filter out the user names (DNs) that were involved in password modification operations, together with the associated IPs/ports.
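As an added example (not part of the original article or of CA Directory), the following script parses trace lines of the shape shown above and attributes each userPassword modification to the connection open under the same bind DN, reporting the source IP:port. The sample log is constructed from the article's lines plus one extra non-password MOD; MOD lines carry no connection number, so a DN with several simultaneously open connections (typical for anonymous binds) is flagged as ambiguous.

```python
import re
from collections import defaultdict

BIND = r'(\(none\)|"[^"]*")'
CONN_RE = re.compile(r'^(\S+) CONN #(\d+) ' + BIND + r' (\S+) (\S+)$')
DISC_RE = re.compile(r'^(\S+) DISC #(\d+) ' + BIND + r' ')
MOD_RE = re.compile(r'^(\S+) ' + BIND + r' MOD ("[^"]*") (\S+)$')

def password_mods(lines):
    """Return one dict per MOD touching userPassword: time, bind DN, target
    entry, and the IP:port of the connection(s) open under that bind DN."""
    open_conns = defaultdict(dict)   # bind DN -> {conn id: "ip:port"}
    results = []
    for line in lines:
        line = line.rstrip("\n")
        if m := CONN_RE.match(line):        # connection opened: remember source
            _ts, cid, dn, addr, _auth = m.groups()
            open_conns[dn][cid] = addr
        elif m := DISC_RE.match(line):      # connection closed: forget it
            _ts, cid, dn = m.groups()
            open_conns[dn].pop(cid, None)
        elif m := MOD_RE.match(line):
            ts, dn, target, attrs = m.groups()
            # attrs look like "rem-attr:userPassword,add-attr:userPassword"
            touched = {a.split(":", 1)[-1] for a in attrs.split(",")}
            if "userPassword" not in touched:
                continue
            sources = open_conns.get(dn, {})
            results.append({
                "time": ts, "bind_dn": dn.strip('"'), "target": target.strip('"'),
                "sources": sorted(sources.values()),
                "ambiguous": len(sources) != 1,   # 0 or several candidates
            })
    return results

# Constructed sample in the format of "set trace = connect, update, error;"
SAMPLE_LOG = """\
20241208.235752.480 CONN #023 (none) 192.168.27.1:5127 ANON
20241208.235837.621 (none) MOD "cn=example-user4,ou=example-unit,o=example1,c=US" rem-attr:userPassword,add-attr:userPassword
20241208.235912.257 DISC #023 (none) 80 sec 1 kbytes 8 ops 0 cpu
20241209.000119.822 CONN #025 "cn=example-user,ou=example-unit,o=example1,c=US" 192.168.27.1:5178 PASS
20241209.000131.367 "cn=example-user,ou=example-unit,o=example1,c=US" MOD "cn=example-user4,ou=example-unit,o=example1,c=US" rem-attr:userPassword,add-attr:userPassword
20241209.000133.000 "cn=example-user,ou=example-unit,o=example1,c=US" MOD "cn=example-user5,ou=example-unit,o=example1,c=US" add-attr:description
20241209.000136.108 DISC #025 "cn=example-user,ou=example-unit,o=example1,c=US" 17 sec 1 kbytes 7 ops 0 cpu
"""

if __name__ == "__main__":
    for row in password_mods(SAMPLE_LOG.splitlines()):
        print(row)
```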

Tracing all password reads is still very expensive and there is no easy way to implement it in production. One possible approach is to set up an LDAP proxy (or router), route all LDAP requests through it, and implement the logging on the machine where the proxy is installed.