[OPENDJ-6794] CAUD access logger misinterprets SASL saslBindInProgress(14) results as FAILED
Created: 18/Nov/19  Updated: 12/Feb/20  Resolved: 17/Dec/19

Status: Done
Project: OpenDJ
Component/s: logging, security
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0
Type: Bug
Priority: Major
Reporter: Matthew Swift
Assignee: Ondrej Fuchsik
Resolution: Fixed
Votes: 0
Labels: Verified
Issue Links:
Epic Link: Bugs 7.0
Story Points: 1
Dev Assignee: Matthew Swift
QA Assignee: Ondrej Fuchsik

Description
A SASL SCRAM-SHA-256 multi-stage bind is logged like this. The first stage completes with LDAP result code 14 (saslBindInProgress), which is not an error, yet the CAUD access logger records it with "status": "FAILED":

  {
    "eventName": "DJ-LDAP",
    "client": { "ip": "127.0.0.1", "port": 42892 },
    "server": { "ip": "127.0.0.1", "port": 1389 },
    "request": { "protocol": "LDAP", "operation": "BIND", "connId": 6, "msgId": 2, "version": "3", "dn": "", "authType": "SASL mechanism=SCRAM-SHA-256" },
    "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-150",
    "response": { "status": "FAILED", "statusCode": "14", "elapsedTime": 2, "elapsedTimeUnits": "MILLISECONDS", "failureReason": "" },
    "timestamp": "2019-11-18T17:43:41.320Z",
    "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-154"
  }
  {
    "eventName": "DJ-LDAP",
    "client": { "ip": "127.0.0.1", "port": 42892 },
    "server": { "ip": "127.0.0.1", "port": 1389 },
    "request": { "protocol": "LDAP", "operation": "BIND", "connId": 6, "msgId": 2, "version": "3", "dn": "", "authType": "SASL mechanism=SCRAM-SHA-256" },
    "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-155",
    "response": { "status": "SUCCESSFUL", "statusCode": "0", "elapsedTime": 1, "elapsedTimeUnits": "MILLISECONDS", "additionalItems": "ssf=0" },
    "userId": "uid=user.0,ou=People,dc=example,dc=com",
    "timestamp": "2019-11-18T17:43:41.385Z",
    "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-157"
  }

Only the second stage carries the real outcome of the bind; a "FAILED" record for the first stage could trigger false-positive security alerts in monitoring applications.
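Until the logger is fixed, a monitoring consumer has to classify DJ-LDAP events by the LDAP result code rather than trusting the "status" field. The following is an added example (not OpenDJ code, and not from the issue's author) of that classification. It treats the non-error result codes from RFC 4511 (0 success, 5 compareFalse, 6 compareTrue, 14 saslBindInProgress) and the noOperation code 16654 from the LDAP No-Op control draft as non-failures, so it also covers the compare and no-op cases raised in the comments. The sample log is constructed: the first two events are trimmed copies of the bind stages in the description, the remaining three (an invalidCredentials bind, a compare, a no-op modify) are invented to exercise the other branches.

```python
"""Classify OpenDJ CAUD (DJ-LDAP) access-log events by LDAP result code.

Added example for OPENDJ-6794; not OpenDJ code. A naive rule such as
`statusCode != 0` (or trusting "status": "FAILED") raises a failed-bind
alert on the intermediate stage of a SASL bind. Classifying on the
result code avoids that.
"""
import json

# Non-error result codes (RFC 4511), plus noOperation from the LDAP
# No-Op control draft implemented by OpenDJ.
SUCCESS = 0
COMPARE_FALSE = 5
COMPARE_TRUE = 6
SASL_BIND_IN_PROGRESS = 14
INVALID_CREDENTIALS = 49
NO_OPERATION = 16654

# Constructed sample log: two bind stages taken from the issue description
# (trimmed to the fields used here) followed by three invented events.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventName": "DJ-LDAP",
     "request": {"operation": "BIND", "connId": 6, "msgId": 2,
                 "authType": "SASL mechanism=SCRAM-SHA-256"},
     "response": {"status": "FAILED", "statusCode": "14", "failureReason": ""}},
    {"eventName": "DJ-LDAP",
     "request": {"operation": "BIND", "connId": 6, "msgId": 2,
                 "authType": "SASL mechanism=SCRAM-SHA-256"},
     "response": {"status": "SUCCESSFUL", "statusCode": "0"},
     "userId": "uid=user.0,ou=People,dc=example,dc=com"},
    # constructed: a genuinely failed simple bind (invalidCredentials)
    {"eventName": "DJ-LDAP",
     "request": {"operation": "BIND", "connId": 7, "msgId": 1, "authType": "SIMPLE"},
     "response": {"status": "FAILED", "statusCode": str(INVALID_CREDENTIALS)}},
    # constructed: compareTrue, which the logger would also mark FAILED
    {"eventName": "DJ-LDAP",
     "request": {"operation": "COMPARE", "connId": 7, "msgId": 2},
     "response": {"status": "FAILED", "statusCode": str(COMPARE_TRUE)}},
    # constructed: a modify under the No-Op control
    {"eventName": "DJ-LDAP",
     "request": {"operation": "MODIFY", "connId": 7, "msgId": 3},
     "response": {"status": "FAILED", "statusCode": str(NO_OPERATION)}},
])


def classify(event):
    """Return the outcome category a monitoring rule should act on.

    Result code 14 is only meaningful for BIND and 5/6 only for COMPARE;
    anywhere else they are treated as ordinary failures.
    """
    op = event.get("request", {}).get("operation")
    code = int(event.get("response", {}).get("statusCode", -1))
    if code == SUCCESS:
        return "SUCCESSFUL"
    if code == SASL_BIND_IN_PROGRESS and op == "BIND":
        return "IN_PROGRESS"
    if code in (COMPARE_TRUE, COMPARE_FALSE) and op == "COMPARE":
        return "COMPARE_RESULT"
    if code == NO_OPERATION:
        return "NO_OPERATION"
    return "FAILED"


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def categorize_log(text):
    """List (operation, statusCode, category) for every event in the log."""
    out = []
    for ev in parse_events(text):
        req, resp = ev.get("request", {}), ev.get("response", {})
        out.append((req.get("operation"), int(resp.get("statusCode", -1)), classify(ev)))
    return out


def failed_binds(text):
    """Return (connId, msgId, statusCode) only for binds that really failed."""
    alerts = []
    for ev in parse_events(text):
        req = ev.get("request", {})
        if req.get("operation") == "BIND" and classify(ev) == "FAILED":
            alerts.append((req.get("connId"), req.get("msgId"),
                           int(ev["response"]["statusCode"])))
    return alerts


if __name__ == "__main__":
    for row in categorize_log(SAMPLE_LOG):
        print(row)
    print("alert-worthy failed binds:", failed_binds(SAMPLE_LOG))
```

Run as a script it prints one classification per event and a single alert-worthy bind (the constructed invalidCredentials one); the two SCRAM-SHA-256 stages from the description come out as IN_PROGRESS and SUCCESSFUL.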
Comments

Comment by Matthew Swift [ 18/Nov/19 ]
The filtered access logger is also treating these intermediate SASL bind requests as failures, so the configuration is wrong.

Comment by Matthew Swift [ 18/Nov/19 ]
In addition, compare results and no-op results are treated as failures by the CAUD logger.

Comment by Ondrej Fuchsik [ 17/Dec/19 ]
Verified with 7.0.0-SNAPSHOT rev. 43c5f736255e68b688f45f21ecf7f847cc1d8784.