  1. OpenDJ
  2. OPENDJ-6794

CAUD access logger misinterprets SASL saslBindInProgress(14) results as FAILED

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: logging, security

      Description

      A SASL SCRAM-SHA-256 multi-stage bind is logged like this:

      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42892
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 6,
          "msgId": 2,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-150",
        "response": {
          "status": "FAILED",
          "statusCode": "14",
          "elapsedTime": 2,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": ""
        },
        "timestamp": "2019-11-18T17:43:41.320Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-154"
      }
      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42892
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 6,
          "msgId": 2,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-155",
        "response": {
          "status": "SUCCESSFUL",
          "statusCode": "0",
          "elapsedTime": 1,
          "elapsedTimeUnits": "MILLISECONDS",
          "additionalItems": "ssf=0"
        },
        "userId": "uid=user.0,ou=People,dc=example,dc=com",
        "timestamp": "2019-11-18T17:43:41.385Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-157"
      }
      

      This could trigger false-positive security alerts in monitoring applications.
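A monitoring rule that consumes logs in this format can avoid the false positive by classifying BIND events on `statusCode` rather than on the `status` string. The following is an added example, not code from the OpenDJ project; the function names and the third sample record (an ordinary failed bind) are constructed for illustration.

```python
import json

SASL_BIND_IN_PROGRESS = "14"  # LDAP result code saslBindInProgress (RFC 4511)

# Constructed sample: the first two records are trimmed from the entries in the
# report above; the third (result code 49, invalidCredentials) is made up.
SAMPLE_LOG = """
{"eventName": "DJ-LDAP",
 "request": {"operation": "BIND", "connId": 6, "msgId": 2,
             "authType": "SASL mechanism=SCRAM-SHA-256"},
 "response": {"status": "FAILED", "statusCode": "14", "failureReason": ""}}
{"eventName": "DJ-LDAP",
 "request": {"operation": "BIND", "connId": 6, "msgId": 2,
             "authType": "SASL mechanism=SCRAM-SHA-256"},
 "response": {"status": "SUCCESSFUL", "statusCode": "0"},
 "userId": "uid=user.0,ou=People,dc=example,dc=com"}
{"eventName": "DJ-LDAP",
 "request": {"operation": "BIND", "connId": 7, "msgId": 1},
 "response": {"status": "FAILED", "statusCode": "49"}}
"""

def iter_events(text):
    """Yield each object from a stream of concatenated, multi-line JSON objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # skip whitespace between objects
        if pos >= len(text):
            return
        event, pos = decoder.raw_decode(text, pos)
        yield event

def classify_bind(event):
    """Return IN_PROGRESS, SUCCESS or FAILURE for a BIND event, else None."""
    if event.get("request", {}).get("operation") != "BIND":
        return None
    code = str(event.get("response", {}).get("statusCode"))
    if code == SASL_BIND_IN_PROGRESS:
        return "IN_PROGRESS"  # intermediate SASL stage, even if status says FAILED
    if code == "0":
        return "SUCCESS"
    return "FAILURE"

def failed_binds(text):
    """Return only the BIND events a monitor should count as failed authentications."""
    return [e for e in iter_events(text) if classify_bind(e) == "FAILURE"]
```
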

              People

              • Assignee: Ondrej Fuchsik (ondrej.fuchsik)
              • Reporter: Matthew Swift (matthew)
              • Dev Assignee: Matthew Swift
              • QA Assignee: Ondrej Fuchsik