When authentication fails, the server returns an error 49, and logs detail in the Access log.
Some messages contain the user DN, some don't.
When parsing access logs, it's difficult to detect if a user was under attack or not if the user DN is not specifically present in the detailed message logged.
Lets make sure the DN is always part of the authFailureReason part of the log.
[02/Apr/2012:07:16:49 +0200] BIND RES conn=2083068 op=0 msgID=1 result=49 authFailureID=196887 authFailureReason="The password provided by the user did not match any password(s) stored in the user's entry" etime=1
[02/Apr/2012:07:30:50 +0200] BIND RES conn=2090471 op=0 msgID=1 result=49 authFailureID=196826 authFailureReason="Unable to bind to the Directory Server as user uid=SomeUser,ou=People,dc=example,dc=com because no such user exists in the server" etime=0
[01/Apr/2012:09:56:46 +0200] BIND RES conn=1423550 op=0 msgID=1 result=49 authFailureID=197125 authFailureReason="Rejecting a bind request for user uid=x123456,ou=People,dc=example,dc=com because the account has been administrative disabled" etime=1