Log files shouldn't be the only test, we still test against the server to verify.
I would have to second the request assuming there is no auditing currently in place, I haven't needed it yet! It wouldn't be allowed in our PCI environments without sufficient audit records. This seems trivial to implement. Another logger / file just for AUDIT.

----- Original Message -----
From: "Tou-Soua Heu" <[email protected]>
To: [email protected]
Sent: Friday, June 13, 2014 8:34:18 AM
Subject: RE: Auditing if anonymous LDAP connections are being made

I will raise a request. The business case is for secure environments, like at a Financial institution (e.g. Bank Of America) or Government agency (e.g. Department of Defense), all LDAP connections must be authenticated (meaning no anonymous connection allowed). Currently we have no method to prove that ApacheDS meets this requirement: the fact we unchecked the "Allow Anonymous Access" in the configuration setting isn't sufficient to prove compliancy. We need to demonstrate this is actually happening and one way is via either a server status about the identity of current connections or logging of identity connections.

Thanks.

-----Original Message-----
From: Kiran Ayyagari [mailto:[email protected]]
Sent: Friday, June 13, 2014 1:11 AM
To: [email protected]
Subject: Re: Auditing if anonymous LDAP connections are being made

On Fri, Jun 13, 2014 at 12:17 AM, Tou-Soua Heu <[email protected]> wrote:
> How can you check if there are anonymous LDAP connections to ApacheDS 2.0?
>
there is no way right now (other than looking at the debug logs, which
is painful). If you can raise a feature request with enough details about
the use case we might consider to implement it.

thank you

> According to the user manual (section 5.3.1 Logs overview, see
> https://directory.apache.org/apacheds/advanced-ug/5.3-logs.html ) this
> should work but it seems to log anything:
>
> # Logs all executed operations (search, add, delete, etc.)
> log4j.logger.org.apache.directory.server.OPERATION_LOG=DEBUG
> # Logs all incoming and outgoing LDAP Protocol requests/responses
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG
>
> So I ended up with changing "log4j.rootCategory=DEBUG". Unfortunately
> this puts a lot of noise in the apacheds.log file. In this case, what
> is the log entry that records the LDAP connection look like and what
> does it say when it's anonymous vs. authenticated?
>
> Thanks.

--
Kiran Ayyagari
http://keydap.com
