OpenDJ / OPENDJ-6795

Authentication ID is not logged in failed SASL bind requests

    Details

    • Type: Bug
    • Status: Dev in Progress
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.1.0
    • Component/s: logging, security
    • Labels:
      None
    • Story Points:
      0.5

      Description

      This issue could be considered an RFE or a bug. However, I consider it more of a bug, because the missing information (the authentication ID) is pretty critical for auditing and investigating failed authentication attempts. Example:

      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42894
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 7,
          "msgId": 1,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-160",
        "response": {
          "status": "FAILED",
          "statusCode": "14",
          "elapsedTime": 1,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": ""
        },
        "timestamp": "2019-11-18T17:43:41.392Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-164"
      }
      {
        "eventName": "DJ-LDAP",
        "client": {
          "ip": "127.0.0.1",
          "port": 42894
        },
        "server": {
          "ip": "127.0.0.1",
          "port": 1389
        },
        "request": {
          "protocol": "LDAP",
          "operation": "BIND",
          "connId": 7,
          "msgId": 1,
          "version": "3",
          "dn": "",
          "authType": "SASL mechanism=SCRAM-SHA-256"
        },
        "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-165",
        "response": {
          "status": "FAILED",
          "statusCode": "49",
          "elapsedTime": 3,
          "elapsedTimeUnits": "MILLISECONDS",
          "failureReason": "SASL SCRAM-SHA-256 authentication is not possible for user 'uid=admin' because the user entry does not contain any SCRAM credentials"
        },
        "timestamp": "2019-11-18T17:43:41.412Z",
        "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-169"
      }
      

      Fortunately, the final "failureReason" does indicate the user name sent in the bind request, but this is not guaranteed. The first bind request in the sequence gives absolutely no indication that "uid=admin" is attempting to authenticate.
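The audit gap described above can be made concrete by running a small parser over the two events. The script below is an added example and is not code from the issue or from OpenDJ: it reads the JSON access-log excerpt (embedded inline, values copied from the events above), keeps only failed BIND events, and tries to attribute each one to an authentication ID. The `dn` field is used when present; otherwise the script falls back to the `for user '...'` wording of the one `failureReason` shown in this issue. That regex is an assumption about free-text message content, not an OpenDJ contract, which is exactly why relying on it is fragile. The result-code names for 14 (saslBindInProgress) and 49 (invalidCredentials) come from the LDAP result-code list in RFC 4511.

```python
import json
import re
from typing import Iterator, List, Optional

# Sample input constructed for this example: the two access-log events from
# the issue, pretty-printed and concatenated exactly as they appear there.
SAMPLE_LOG = '''
{
  "eventName": "DJ-LDAP",
  "client": {"ip": "127.0.0.1", "port": 42894},
  "server": {"ip": "127.0.0.1", "port": 1389},
  "request": {"protocol": "LDAP", "operation": "BIND", "connId": 7, "msgId": 1,
              "version": "3", "dn": "", "authType": "SASL mechanism=SCRAM-SHA-256"},
  "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-160",
  "response": {"status": "FAILED", "statusCode": "14", "elapsedTime": 1,
               "elapsedTimeUnits": "MILLISECONDS", "failureReason": ""},
  "timestamp": "2019-11-18T17:43:41.392Z",
  "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-164"
}
{
  "eventName": "DJ-LDAP",
  "client": {"ip": "127.0.0.1", "port": 42894},
  "server": {"ip": "127.0.0.1", "port": 1389},
  "request": {"protocol": "LDAP", "operation": "BIND", "connId": 7, "msgId": 1,
              "version": "3", "dn": "", "authType": "SASL mechanism=SCRAM-SHA-256"},
  "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-165",
  "response": {"status": "FAILED", "statusCode": "49", "elapsedTime": 3,
               "elapsedTimeUnits": "MILLISECONDS",
               "failureReason": "SASL SCRAM-SHA-256 authentication is not possible for user 'uid=admin' because the user entry does not contain any SCRAM credentials"},
  "timestamp": "2019-11-18T17:43:41.412Z",
  "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-169"
}
'''

# Names for the two LDAP result codes seen in the excerpt (RFC 4511).
RESULT_CODES = {"14": "saslBindInProgress", "49": "invalidCredentials"}

# Assumption: matches only the message wording shown in this issue. Other
# failure reasons may carry no user at all, which is the gap being reported.
_USER_IN_REASON = re.compile(r"for user '([^']+)'")


def iter_events(text: str) -> Iterator[dict]:
    """Yield each JSON object from a stream of concatenated objects.

    Handles both one-object-per-line output and pretty-printed objects
    butted together (as in the excerpt) by repeatedly raw-decoding.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def is_failed_bind(event: dict) -> bool:
    """True for BIND operations the server logged with status FAILED."""
    return (event.get("request", {}).get("operation") == "BIND"
            and event.get("response", {}).get("status") == "FAILED")


def authentication_id(event: dict) -> Optional[str]:
    """Best-effort recovery of who tried to bind; None when the log says nothing."""
    dn = event.get("request", {}).get("dn") or ""
    if dn:
        return dn
    reason = event.get("response", {}).get("failureReason") or ""
    match = _USER_IN_REASON.search(reason)
    return match.group(1) if match else None


def audit_failed_binds(text: str) -> List[dict]:
    """Summarise every failed bind with the best authentication ID available."""
    rows = []
    for ev in iter_events(text):
        if not is_failed_bind(ev):
            continue
        code = str(ev["response"].get("statusCode"))
        rows.append({
            "timestamp": ev.get("timestamp"),
            "client": f"{ev['client']['ip']}:{ev['client']['port']}",
            "connId": ev["request"].get("connId"),
            "msgId": ev["request"].get("msgId"),
            "authType": ev["request"].get("authType"),
            "resultCode": code,
            "resultName": RESULT_CODES.get(code, "unknown"),
            "authId": authentication_id(ev),
        })
    return rows


def unattributed(rows: List[dict]) -> List[dict]:
    """Failed binds that cannot be tied to any authentication ID."""
    return [r for r in rows if r["authId"] is None]


if __name__ == "__main__":
    summary = audit_failed_binds(SAMPLE_LOG)
    for row in summary:
        print(f"{row['timestamp']} {row['client']} conn={row['connId']} "
              f"{row['resultName']}({row['resultCode']}) authId={row['authId']}")
    print(f"{len(unattributed(summary))} of {len(summary)} failed binds unattributed")
```

Run against the excerpt, the first event (result code 14, the intermediate SCRAM round, which the log still marks FAILED) yields no authentication ID at all, while the second is attributable only because its free-text `failureReason` happens to name the user. A log consumer that keys alerts on `request.dn` or on a dedicated authentication-ID field would see nothing for either event, which is the point of the report.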

            People

            • Assignee: Cyril Quinton
            • Reporter: Matthew Swift
            • Dev Assignee: Cyril Quinton
            • Votes: 0
            • Watchers: 2