Tracking down LDAP Clients that are using unknown LDAP attributes

Article ID: 403493

Products

CA Directory

Issue/Introduction

The customer's warning log is flooded with LDAP "Unknown attribute type" warnings of all kinds. For example:

[80] 20250612.074520.330 WARN : LDAP: Unknown attribute type: idfAttr04
[80] 20250612.074520.330 WARN : LDAP: Unknown attribute type: idfAttr05
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr06
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr07
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr08
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr09
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr10
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: IdfDummy

The customer was able to confirm that the particular DSA does not have this attribute defined in its schema definition files. The customer wants to be able to track down the particular LDAP client machine so that changes can be made on that client machine and it does not continue to send invalid LDAP requests to the LDAP services offered by CA Directory.

Environment

Release: 14.1
Component: CA Directory

Resolution

At first look, you might think of enabling the query log temporarily, or otherwise using the following log settings:

set query-log = "logs/$s_query.log";
set query-log-show-eis = true;
set query-log-advanced = all;

With these settings, you will be able to see log entries in the query log similar to:

[68] 20250612.224029.578 0.1 BIND 888.888.888.888 (none) source="client"
[68] 20250612.224029.578 0.1 RESULT success
[70] 20250612.224029.579 0.2 SEARCH dn="o=democorp,c=au" scope=subtree filter=(sn=link) eis=mail source="client"
[67] 20250612.224029.580 0.2 RESULT success 1 entries 1 msecs
[69] 20250612.224029.581 0.3 UNBIND source="client"
[69] 20250612.224029.581 0.3 RESULT success

In the above example, we can see that the client machine 888.888.888.888 successfully bound and issued a search query using the filter "(sn=link)", requesting the attribute mail through eis=mail. However, the query log never shows any attempt to use those unknown attributes. This is because the current CA Directory implementation simply rejects the unknown attributes and reports them in the warn log, but not in the query log.

As a result, to locate the IP of the client machine, you can use the timestamp of the warn log entry, for example 20250612.074520 in

[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: idfAttr06

to search the query log and locate the client IP from the preceding BIND log entry.
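The correlation described above can be scripted rather than done by eye. The following is an added example, not code from this article or from CA Directory; it assumes the warn log and query log formats shown above, uses constructed sample lines with documentation IP addresses, and reports every client that bound within a short window before each warning, since on a busy DSA more than one client may be a candidate.

```python
import re
from datetime import datetime

# Constructed sample lines in the formats shown in this article.
# The addresses are documentation IPs, not real clients.
WARN_LOG = """\
[80] 20250612.074519.500 WARN : LDAP: Unknown attribute type: idfAttr03
[80] 20250612.074520.330 WARN : LDAP: Unknown attribute type: idfAttr04
[80] 20250612.074520.331 WARN : LDAP: Unknown attribute type: IdfDummy
"""
QUERY_LOG = """\
[68] 20250612.074519.900 0.1 BIND 203.0.113.10 (none) source="client"
[68] 20250612.074519.901 0.1 RESULT success
[70] 20250612.074520.300 0.2 SEARCH dn="o=democorp,c=au" scope=subtree filter=(sn=link) eis=mail source="client"
[67] 20250612.074520.332 0.2 RESULT success 1 entries 1 msecs
[69] 20250612.074520.333 0.3 UNBIND source="client"
[71] 20250612.074521.100 1.1 BIND 203.0.113.20 (none) source="client"
"""

TS = r"(\d{8}\.\d{6}\.\d{3})"          # YYYYMMDD.HHMMSS.mmm
WARN_RE = re.compile(r"^\[\d+\] " + TS + r" WARN : LDAP: Unknown attribute type: (\S+)")
BIND_RE = re.compile(r"^\[\d+\] " + TS + r" \S+ BIND (\S+)")

def parse_ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d.%H%M%S.%f")

def unknown_attr_warnings(text):
    """(timestamp, attribute) for every 'Unknown attribute type' warning."""
    return [(parse_ts(m.group(1)), m.group(2))
            for m in (WARN_RE.match(l) for l in text.splitlines()) if m]

def bind_events(text):
    """(timestamp, client address) for every BIND in the query log."""
    return [(parse_ts(m.group(1)), m.group(2))
            for m in (BIND_RE.match(l) for l in text.splitlines()) if m]

def attribute_sources(warn_log, query_log, window_seconds=2.0):
    """Map each unknown attribute to the client addresses that bound within
    window_seconds before the warning, most recent bind first.  An empty
    list means no BIND preceded the warning in the query log (e.g. the
    query log was enabled after the client had already bound)."""
    binds = bind_events(query_log)
    sources = {}
    for wts, attr in unknown_attr_warnings(warn_log):
        seen = sources.setdefault(attr, [])
        for bts, ip in reversed(binds):
            if 0 <= (wts - bts).total_seconds() <= window_seconds and ip not in seen:
                seen.append(ip)
    return sources

if __name__ == "__main__":
    for attr, ips in attribute_sources(WARN_LOG, QUERY_LOG).items():
        print(attr, "<-", ", ".join(ips) or "no preceding BIND in window")
```

Run it against the real warn log and query log contents instead of the sample strings; if several addresses come back for one attribute, narrow the window or compare the SEARCH entries that follow each BIND.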