
Only the uid is written to audit logs when users authenticate with other attributes

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0, 14.0.0
    • Fix Version/s: None
    • Component/s: audit logging

      Description

      1. Configure an LDAP module with "Attributes Used to Search for a User to be Authenticated" = mail.

      2. Enable audit logging.

      3. Log in as "demo@email.com".

      A failed authentication is audited as:
      "userId":"","principal":["demo@email.com"]

      {"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9413","component":"Authentication","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"FAILED","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","authControlFlag":"REQUIRED","moduleClass":"LDAP","failureReason":"INVALID_PASSWORD","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"","principal":["demo@email.com"],"timestamp":"2017-06-23T14:33:22.656Z","trackingIds":["9a274f6ff734fedf01"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9421"}
      {"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9413","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","failureReason":"INVALID_PASSWORD","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"","principal":["demo@email.com"],"timestamp":"2017-06-23T14:33:22.660Z","trackingIds":["9a274f6ff734fedf01"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9427"}

      Whereas a successful authentication is audited with:
      "userId":"id=demo,ou=user,o=openam","principal":["uid=demo,ou=people,o=openam"]

      ==> authentication.audit.json <==
      {"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3526","component":"Authentication","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","authControlFlag":"REQUIRED","moduleClass":"LDAP","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"id=demo,ou=user,o=openam","principal":["uid=demo,ou=people,o=openam"],"timestamp":"2017-06-23T14:03:27.153Z","trackingIds":["21fc8561b4314de301"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3532"}
      {"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3526","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"uid=demo,ou=people,o=openam","principal":["demo"],"timestamp":"2017-06-23T14:03:27.164Z","trackingIds":["21fc8561b4314de301"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3540"}

      Relying only on the uid can make tracking user activity difficult in some cases. It should be possible to see the login ID entered by the user, e.g. "demo@email.com", in the audit logs for a successful authentication as well.
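      As an added example (not part of this issue or of OpenAM's own code), the script below parses the four audit lines quoted above and correlates them per transactionId, so the gap the issue describes can be checked mechanically: it reduces DN-shaped values such as "uid=demo,ou=people,o=openam" or "id=demo,ou=user,o=openam" to the bare RDN value, collects every identifier each event carries from "userId" and "principal", and reports the transactions in which the identifier the user actually typed never appears. The RDN reduction, the per-transaction summary and the function names are my assumptions about how a log consumer would correlate these events; the sample lines are copied from the issue.

```python
import json
import re

# Constructed sample: the four audit events quoted in the issue, one JSON
# object per line, as OpenAM writes them to authentication.audit.json.
SAMPLE_AUDIT_LINES = """
{"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9413","component":"Authentication","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"FAILED","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","authControlFlag":"REQUIRED","moduleClass":"LDAP","failureReason":"INVALID_PASSWORD","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"","principal":["demo@email.com"],"timestamp":"2017-06-23T14:33:22.656Z","trackingIds":["9a274f6ff734fedf01"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9421"}
{"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9413","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"FAILED","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","failureReason":"INVALID_PASSWORD","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"","principal":["demo@email.com"],"timestamp":"2017-06-23T14:33:22.660Z","trackingIds":["9a274f6ff734fedf01"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-9427"}
{"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3526","component":"Authentication","eventName":"AM-LOGIN-MODULE-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","authControlFlag":"REQUIRED","moduleClass":"LDAP","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"id=demo,ou=user,o=openam","principal":["uid=demo,ou=people,o=openam"],"timestamp":"2017-06-23T14:03:27.153Z","trackingIds":["21fc8561b4314de301"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3532"}
{"realm":"/","transactionId":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3526","component":"Authentication","eventName":"AM-LOGIN-COMPLETED","result":"SUCCESSFUL","entries":[{"moduleId":"myldap","info":{"authIndex":"module_instance","ipAddress":"192.168.56.1","authLevel":"0"}}],"userId":"uid=demo,ou=people,o=openam","principal":["demo"],"timestamp":"2017-06-23T14:03:27.164Z","trackingIds":["21fc8561b4314de301"],"_id":"eb24e0de-4f84-4bc0-978c-e07b5bb72dba-3540"}
"""

# Hypothetical reduction rule (assumption): a leading "uid=" or "id=" RDN
# names the subject; everything else (bare uid, e-mail address) is kept as-is.
_RDN_RE = re.compile(r"^(?:uid|id)=([^,]+)", re.IGNORECASE)


def parse_audit(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def subject_key(value):
    """'uid=demo,ou=people,o=openam' -> 'demo'; 'demo@email.com' -> unchanged."""
    match = _RDN_RE.match(value)
    return match.group(1) if match else value


def identifiers(event):
    """Every identifier one event carries, from userId and principal, reduced."""
    found = set()
    if event.get("userId"):          # FAILED events carry an empty userId
        found.add(subject_key(event["userId"]))
    for principal in event.get("principal", []):
        found.add(subject_key(principal))
    return found


def summarize_by_transaction(events):
    """Group events by transactionId: results seen, identifiers seen, event names."""
    summary = {}
    for event in events:
        tx = summary.setdefault(
            event["transactionId"],
            {"results": set(), "identifiers": set(), "events": []},
        )
        tx["results"].add(event["result"])
        tx["identifiers"].update(identifiers(event))
        tx["events"].append(event["eventName"])
    return summary


def transactions_missing_login_id(events, entered_login):
    """Transaction IDs whose events never record the identifier the user typed."""
    summary = summarize_by_transaction(events)
    return sorted(
        tx for tx, data in summary.items() if entered_login not in data["identifiers"]
    )


if __name__ == "__main__":
    sample = parse_audit(SAMPLE_AUDIT_LINES)
    for tx, data in summarize_by_transaction(sample).items():
        print(tx, sorted(data["results"]), sorted(data["identifiers"]))
    print("no record of entered login:",
          transactions_missing_login_id(sample, "demo@email.com"))
```

      Run against the sample, the failed transaction (…-9413) is the only one in which "demo@email.com" is present, and the successful transaction (…-3526) is reported as never recording it; only "demo" survives there, which is exactly what makes joining a success back to the login ID the user entered impossible from the audit log alone.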

    People

    • Assignee: Unassigned
    • Reporter: Andrew Dunn
    • Votes: 0
    • Watchers: 3