[OPENDJ-6794] CAUD access logger misinterprets SASL saslBindInProgress(14) results as FAILED
Created: 18/Nov/19  Updated: 12/Feb/20  Resolved: 17/Dec/19

Status: Done
Project: OpenDJ
Component/s: logging, security
Affects Version/s: 7.0.0
Fix Version/s: 7.0.0

Type: Bug Priority: Major
Reporter: Matthew Swift Assignee: Ondrej Fuchsik
Resolution: Fixed Votes: 0
Labels: Verified

Issue Links:
Depends
is required by OPENDJ-6796 OPENDJ-6734 OPENDJ-6790 Update docs f... Done
Relates
relates to OPENDJ-6734 Add SASL/SCRAM support to Rest2Ldap Done
Epic Link: Bugs 7.0
Story Points: 1
Dev Assignee: Matthew Swift
QA Assignee: Ondrej Fuchsik

 Description   

A SASL SCRAM-SHA-256 multi-stage bind is logged like this:

{
  "eventName": "DJ-LDAP",
  "client": {
    "ip": "127.0.0.1",
    "port": 42892
  },
  "server": {
    "ip": "127.0.0.1",
    "port": 1389
  },
  "request": {
    "protocol": "LDAP",
    "operation": "BIND",
    "connId": 6,
    "msgId": 2,
    "version": "3",
    "dn": "",
    "authType": "SASL mechanism=SCRAM-SHA-256"
  },
  "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-150",
  "response": {
    "status": "FAILED",
    "statusCode": "14",
    "elapsedTime": 2,
    "elapsedTimeUnits": "MILLISECONDS",
    "failureReason": ""
  },
  "timestamp": "2019-11-18T17:43:41.320Z",
  "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-154"
}
{
  "eventName": "DJ-LDAP",
  "client": {
    "ip": "127.0.0.1",
    "port": 42892
  },
  "server": {
    "ip": "127.0.0.1",
    "port": 1389
  },
  "request": {
    "protocol": "LDAP",
    "operation": "BIND",
    "connId": 6,
    "msgId": 2,
    "version": "3",
    "dn": "",
    "authType": "SASL mechanism=SCRAM-SHA-256"
  },
  "transactionId": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-155",
  "response": {
    "status": "SUCCESSFUL",
    "statusCode": "0",
    "elapsedTime": 1,
    "elapsedTimeUnits": "MILLISECONDS",
    "additionalItems": "ssf=0"
  },
  "userId": "uid=user.0,ou=People,dc=example,dc=com",
  "timestamp": "2019-11-18T17:43:41.385Z",
  "_id": "913dc462-0bf0-4e77-b5e5-0636cf3849b8-157"
}

This could trigger false-positive security alerts in monitoring applications.



 Comments   
Comment by Matthew Swift [ 18/Nov/19 ]

The filtered access logger is also treating these intermediate SASL bind requests as failures, so the configuration is wrong.

Comment by Matthew Swift [ 18/Nov/19 ]

In addition, compare results and no-op results are treated as failures by the CAUD logger.

Comment by Ondrej Fuchsik [ 17/Dec/19 ]

Verified with 7.0.0-SNAPSHOT rev. 43c5f736255e68b688f45f21ecf7f847cc1d8784.
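
For monitoring that consumes logs written by an affected build, the following added example (not part of the original issue or of OpenDJ) classifies events by the numeric `statusCode` instead of the logged `status` string, so the intermediate SCRAM step from the description and the compare results mentioned in the comments do not raise failed-bind alerts. The function names, the trimmed sample events and the no-op code 16654 are assumptions made for this example.

```python
import json

# Non-zero LDAP result codes that are not failures: compareFalse(5),
# compareTrue(6), saslBindInProgress(14). 16654 is an assumption: the code
# OpenDJ returns for the LDAP no-op control.
SASL_BIND_IN_PROGRESS = 14
NON_FAILURE_CODES = {0, 5, 6, SASL_BIND_IN_PROGRESS, 16654}

def iter_events(text):
    """Yield each JSON object from concatenated or one-per-line events."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        event, pos = decoder.raw_decode(text, pos)
        yield event

def classify(event):
    """Classify by numeric statusCode, ignoring the logged status string."""
    code = int(event["response"]["statusCode"])
    if code == SASL_BIND_IN_PROGRESS:
        return "IN_PROGRESS"
    return "OK" if code in NON_FAILURE_CODES else "FAILED"

def summarize_binds(text):
    """Return (real failures as (connId, code), connIds with an unfinished SASL bind)."""
    failed, pending = [], set()
    for event in iter_events(text):
        req = event["request"]
        if req.get("operation") != "BIND":
            continue
        verdict = classify(event)
        if verdict == "IN_PROGRESS":
            pending.add(req["connId"])
            continue
        pending.discard(req["connId"])
        if verdict == "FAILED":
            failed.append((req["connId"], int(event["response"]["statusCode"])))
    return failed, sorted(pending)

# Constructed sample: the report's two-stage SCRAM bind (trimmed), a real
# invalidCredentials(49) bind, and a SASL exchange that is never completed.
SAMPLE = """
{"request": {"operation": "BIND", "connId": 6}, "response": {"status": "FAILED", "statusCode": "14"}}
{"request": {"operation": "BIND", "connId": 6}, "response": {"status": "SUCCESSFUL", "statusCode": "0"}}
{"request": {"operation": "BIND", "connId": 7}, "response": {"status": "FAILED", "statusCode": "49"}}
{"request": {"operation": "BIND", "connId": 8}, "response": {"status": "FAILED", "statusCode": "14"}}
"""
```

A connection left in the unfinished list is a SASL exchange the client abandoned after the first step, which is worth tracking separately from credential failures.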
