Finding BIND failures in OpenLDAP logfiles

When OpenLDAP is configured to log connection information, a RESULT entry is written with the status (e.g., success or failure) of the last BIND:

$ grep RESULT openldap.log | head -1
Dec 28 21:05:01 winnie slapd[7101]: [ID 217296 local4.debug] conn=25 op=0 RESULT tag=97 err=0 text=

The “err=” string contains zero if the BIND was successful, and an error code if the BIND didn’t complete successfully. The error codes are defined in “LDAPResult.h,” which is included with the OpenLDAP source code. When a BIND fails because the credentials were invalid, the error string will contain the value 49:

$ grep “err=49” openldap.log | head -1

Dec 29 12:22:00 winnie slapd[7101]: [ID 217296 local4.debug] conn=27 op=0 RESULT tag=97 err=49 text=

To get the DN that tried to BIND, you can grep the connection number (the value after conn=) out of the OpenLDAP logfile:

$ grep “conn=27.*BIND” openldap.log
Dec 29 12:22:00 winnie slapd[7101]: [ID 347666 local4.debug] conn=27 op=0 BIND dn=”cn=mail,dc=synackfin,dc=com” method=128

You can get the IP address of the host that initiated the BIND by grepping the connection id, along with the ACCEPT keyword, from the OpenLDAP logfile:

$ grep “conn=27.*ACCEPT” openldap.log
Dec 29 12:22:00 winnie slapd[7101]: [ID 848112 local4.debug] conn=27 fd=11 ACCEPT from IP=192.168.1.2:39749 (IP=192.168.1.2:636)

This is useful for tracking down folks who are poking around your directory server.

3 thoughts on “Finding BIND failures in OpenLDAP logfiles”

Leave a Reply

Your email address will not be published. Required fields are marked *