#4889 BINDs to nonexisting user logged to errors log
Closed: Fixed None Opened 9 years ago by mkosek.

FreeIPA server logs a message to the DS errors log (at the default logging level) whenever someone binds with a wrong bindDN:

ldapsearch -h `hostname` -D "admin" -x -w Secret123 -b "" -s base

Log:

# tail /var/log/dirsrv/slapd-MKOSEK-RHEL71-TEST/errors

[06/Feb/2015:07:43:21 -0500] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "admin": 32
[06/Feb/2015:07:43:21 -0500] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "admin": 32

This is not really an error that should go into the default DS errors log, but rather an expected state when binding with a non-existing DN. It fills, for example, the errors log in the FreeIPA demo.


4.1.4 was released, moving to new milestone

This may be a useful error IMO - it provides a method to detect and deal with brute-force attacks if your directory is accessible to potentially malicious parties. In the real world (ie - not the demo), if you're getting enough of these to fill your logs, you likely have a problem somewhere (mis-configured client or similar).
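As an added illustration of the detection angle raised in the comment above (this is not code from the ticket or from FreeIPA), the following script parses errors-log lines in the ipa_lockout format quoted in the ticket, counts one BIND attempt per preop line (each attempt produces a preop and a postop line, so counting both would double the number), and flags any bind DN that hits a threshold of nonexistent-entry BINDs within a time window. The log format is taken from the ticket; the sample lines after the first pair, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the 389-DS errors-log lines quoted in the ticket: the ipa_lockout
# plugin reports LDAP result 32 (noSuchObject) when a BIND names a missing entry.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<plugin>ipalockout_(?:pre|post)op) - '
    r'\[file [^\]]+\]: Failed to retrieve entry "(?P<dn>[^"]*)": (?P<code>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the first two lines are the ones quoted in the ticket,
# the rest are made up to exercise the counting and windowing logic.
SAMPLE_LOG = [
    '[06/Feb/2015:07:43:21 -0500] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:43:21 -0500] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:43:40 -0500] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:43:40 -0500] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:44:02 -0500] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:44:02 -0500] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "admin": 32',
    '[06/Feb/2015:07:45:00 -0500] - slapd started.  Listening on All Interfaces port 389 for LDAP requests',
    '[06/Feb/2015:07:50:00 -0500] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=nobody,cn=users,cn=accounts,dc=example,dc=test": 32',
    '[06/Feb/2015:07:50:00 -0500] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=nobody,cn=users,cn=accounts,dc=example,dc=test": 32',
]


def parse_line(line):
    """Return (timestamp, plugin, dn, result_code) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("plugin"), m.group("dn"), int(m.group("code"))


def failed_binds(lines):
    """Yield (timestamp, dn) once per BIND attempt against a nonexistent entry.

    Only the preop line is counted; the postop line for the same BIND would
    otherwise double the count.
    """
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, plugin, dn, code = parsed
        if plugin == "ipalockout_preop" and code == 32:
            yield ts, dn


def count_by_dn(lines):
    """Total nonexistent-entry BIND attempts per bind DN."""
    counts = defaultdict(int)
    for _, dn in failed_binds(lines):
        counts[dn] += 1
    return dict(counts)


def bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {dn: peak_count} for DNs whose attempts reach `threshold`
    inside any sliding `window`; threshold and window are assumed values."""
    by_dn = defaultdict(list)
    for ts, dn in failed_binds(lines):
        by_dn[dn].append(ts)
    flagged = {}
    for dn, stamps in by_dn.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[dn] = peak
    return flagged


if __name__ == "__main__":
    print("attempts per DN:", count_by_dn(SAMPLE_LOG))
    print("burst candidates:", bursts(SAMPLE_LOG))
```

The same parser applies to a live `tail -f` of the errors log; once the fix in this ticket moves these events to the access log, the pattern would need to follow the access-log BIND/RESULT format instead, which this example does not cover.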

pdf, yes, but this should go to the access log as all other similar errors do. Errors in this ticket are just some quirks in FreeIPA-specific DS plugins and should be fixed.

master:

  • 4192cce do not log BINDs to non-existent users as errors

ipa-4-1:

  • ede3298 do not log BINDs to non-existent users as errors

Metadata Update from @mkosek:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.1.5

7 years ago

