  1. OpenDJ
  2. OPENDJ-6794

CAUD access logger misinterprets SASL saslBindInProgress(14) results as FAILED


    Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Fixed
    • 7.0.0
    • 7.0.0
    • logging, security

      Description

      A SASL SCRAM-SHA-256 multi-stage bind is logged like this:

      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42892
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 6,
          "msgId": 2,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-150",
        "response": {
          "status": "FAILED",
          "statusCode": "14",
          "elapsedTime": 2,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": ""
        },
        "timestamp": "2019-11-18T17:43:41.320Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-154"
      }
      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42892
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 6,
          "msgId": 2,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-155",
        "response": {
          "status": "SUCCESSFUL",
          "statusCode": "0",
          "elapsedTime": 1,
          "elapsedTimeUnits": "MILLISECONDS",
          "additionalItems": "ssf=0"
        },
        "userId": "uid=user.0,ou=People,dc=example,dc=com",
        "timestamp": "2019-11-18T17:43:41.385Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-157"
      }
      

      This could trigger false-positive security alerts in monitoring applications.
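As an added example (not part of the original report and not OpenDJ code), a monitoring consumer can key on `statusCode` rather than `status`, so that saslBindInProgress(14) steps are not counted as failed binds. It assumes one JSON object per log line; the sample events are constructed from the two records above, trimmed, plus a constructed failed attempt on connId 7.

```python
import json

SASL_BIND_IN_PROGRESS = "14"  # LDAP result code saslBindInProgress

# Constructed sample: the two records above (trimmed), then a constructed
# SCRAM attempt on connId 7 that ends with result code 49 (invalidCredentials).
SAMPLE_LOG = """\
{"request": {"operation": "BIND", "connId": 6, "msgId": 2}, "response": {"status": "FAILED", "statusCode": "14"}}
{"request": {"operation": "BIND", "connId": 6, "msgId": 2}, "response": {"status": "SUCCESSFUL", "statusCode": "0"}, "userId": "uid=user.0,ou=People,dc=example,dc=com"}
{"request": {"operation": "BIND", "connId": 7, "msgId": 1}, "response": {"status": "FAILED", "statusCode": "14"}}
{"request": {"operation": "BIND", "connId": 7, "msgId": 1}, "response": {"status": "FAILED", "statusCode": "49"}}
"""


def classify(event):
    """Return 'in_progress', 'success' or 'failure' for a BIND event, else None."""
    if event.get("request", {}).get("operation") != "BIND":
        return None
    code = str(event.get("response", {}).get("statusCode"))
    if code == SASL_BIND_IN_PROGRESS:
        return "in_progress"  # intermediate SASL step, whatever "status" says
    return "success" if code == "0" else "failure"


def bind_outcomes(lines):
    """Collapse each connection's SASL steps into one final outcome per bind."""
    pending = {}   # connId -> in-progress steps seen so far
    outcomes = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        kind = classify(event)
        if kind is None:
            continue
        conn = event["request"]["connId"]
        if kind == "in_progress":
            pending[conn] = pending.get(conn, 0) + 1
            continue
        outcomes.append({"connId": conn, "result": kind,
                         "steps": pending.pop(conn, 0) + 1,
                         "userId": event.get("userId")})
    return outcomes


if __name__ == "__main__":
    for outcome in bind_outcomes(SAMPLE_LOG.splitlines()):
        print(outcome)
```

Only the final step of each bind reaches the alerting path, so the connId 6 exchange counts as one successful bind and connId 7 as one failed bind.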

              People

              ondrej.fuchsik Ondrej Fuchsik
              matthew Matthew Swift
              Matthew Swift Matthew Swift
              Ondrej Fuchsik Ondrej Fuchsik