I have an OpenLDAP server (with user passwords) that is open worldwide, which I'm trying to secure.
Step 1 was to limit access to data to authenticated users via ACLs.
Step 2, to prevent brute-force attacks, was to implement ppolicy. It seems to be working fine, cool.
Step 3 is going to be "handle the user who's been locked out and swears it's not his fault" by spotting DN lockouts as early as possible, along with their possible causes.
I've started writing scripts which check for the presence of the pwdAccountLockedTime attribute, warn via email, ring bells, etc. That's fine, but I'm finding it hard to link that to the data in the logs saying when the incriminating logins occurred, where they were made from, etc. All the data is there, but bringing it all together is a real pain. I feel sure I'm not the only one confronted with this problem (or am I trying to solve the wrong problem?) and that solutions exist; I just haven't been able to find them. Am I wrong?
Forgot to say: fail2ban is not really suited. There are many clients, whose addresses I do not necessarily know, that are likely to make legitimate massive requests on the directory and would not pass fail2ban. Sounds strange, I know, but our configuration here is complicated and we have to make do with it. That's why I'm looking at ppolicy.
In short, I'd like to have a way to monitor the occurrence of pwdAccountLockedTime and, when that happens, immediately have the information on which user is concerned, the pwdFailureTime values, what requests were made at that time and from which IP address(es), in a single, easy-to-read log file. That would be great; surely it exists?
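One way to do the correlation the question asks for, as an added example that is not part of the original post and not anything shipped with OpenLDAP: the script below parses slapd `loglevel stats` output (the `ACCEPT`, `BIND` and `RESULT` lines), keeps the client IP per connection and the DN per operation, collects every bind that ended in `err=49` (invalidCredentials, which is also what a locked account gets), and then matches each `pwdFailureTime` of a locked entry to those log lines within a tolerance of a few seconds. The syslog lines and the ppolicy attribute values are constructed sample data; the log year and the assumption that the log host writes timestamps in UTC (syslog carries neither) are parameters you would set for your own server, and reading the entry from the directory (for example with `ldapsearch`) is left outside the script.

```python
"""Correlate a ppolicy lockout with slapd 'stats' log lines.

Added example, not part of the original question. It assumes OpenLDAP
'loglevel stats' output in syslog (ACCEPT / BIND / RESULT lines) and the
ppolicy attributes read from the locked entry (pwdAccountLockedTime,
pwdFailureTime). Every log line and attribute value below is constructed
sample data, not output from a real server.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_YEAR = 2024                 # syslog timestamps carry no year (assumption)
LOG_UTC_OFFSET = timedelta(0)   # assumption: the log host writes UTC; ppolicy times are UTC

_TS = r'(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: '
ACCEPT_RE = re.compile(_TS + r'conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+|\[[0-9A-Fa-f:.]+\]):\d+')
BIND_RE = re.compile(_TS + r'conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
# tag=97 is the BindResponse; newer slapd versions add qtime=/etime= before text=
RESULT_RE = re.compile(_TS + r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT .*?tag=97 .*?err=(?P<err>\d+)')


def parse_generalized_time(value):
    """LDAP GeneralizedTime as ppolicy writes it: YYYYmmddHHMMSS[.ffffff]Z."""
    m = re.fullmatch(r'(\d{14})(?:\.(\d{1,6}))?Z', value)
    if not m:
        raise ValueError(f'not a UTC GeneralizedTime: {value!r}')
    t = datetime.strptime(m.group(1), '%Y%m%d%H%M%S').replace(tzinfo=timezone.utc)
    if m.group(2):
        t += timedelta(microseconds=int(m.group(2).ljust(6, '0')))
    return t


def parse_bind_failures(lines, year=LOG_YEAR, utc_offset=LOG_UTC_OFFSET):
    """Return one dict per failed simple bind: when, which DN, from which IP.

    slapd spreads one bind over three lines (ACCEPT gives the IP per conn,
    BIND gives the DN per conn/op, RESULT gives the outcome), so state is
    kept per connection and per operation until the RESULT line arrives.
    """
    ips, binds, failures = {}, {}, []
    for line in lines:
        if (m := ACCEPT_RE.match(line)):
            ips[m['conn']] = m['ip']
        elif (m := BIND_RE.match(line)):
            binds[(m['conn'], m['op'])] = m['dn']
        elif (m := RESULT_RE.match(line)) and m['err'] == '49':   # 49 = invalidCredentials
            when = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
            when = when.replace(tzinfo=timezone.utc) - utc_offset
            failures.append({'time': when, 'dn': binds.get((m['conn'], m['op']), ''),
                             'ip': ips.get(m['conn'], '?'), 'conn': m['conn'], 'op': m['op']})
    return failures


def correlate(entry, failures, tolerance=timedelta(seconds=2)):
    """Tie each pwdFailureTime of a locked entry to the log lines that caused it."""
    dn = entry['dn'].lower()
    locked_at = parse_generalized_time(entry['pwdAccountLockedTime'])
    mine = [f for f in failures if f['dn'].lower() == dn]
    matched = []
    for raw in entry.get('pwdFailureTime', []):
        t = parse_generalized_time(raw)
        hits = [f for f in mine if abs(f['time'] - t) <= tolerance]
        matched.append({'pwdFailureTime': t, 'sources': sorted({f['ip'] for f in hits}),
                        'lines': [(f['conn'], f['op']) for f in hits]})
    # binds that still failed after the lock: these show who kept trying
    after = [f for f in mine if f['time'] > locked_at]
    return {'dn': entry['dn'], 'locked_at': locked_at, 'failures': matched, 'after_lockout': after}


def source_counts(report):
    """How many of the recorded failures came from each client IP."""
    return Counter(ip for f in report['failures'] for ip in f['sources'])


def format_report(report):
    """One readable block per lockout, suitable for the single log file asked for."""
    out = [f"LOCKOUT {report['dn']} at {report['locked_at'].isoformat()}"]
    for f in report['failures']:
        out.append(f"  pwdFailureTime {f['pwdFailureTime'].isoformat()} from "
                   f"{', '.join(f['sources']) or 'no matching log line'}")
    for f in report['after_lockout']:
        out.append(f"  still failing after lock: {f['time'].isoformat()} from {f['ip']} "
                   f"(conn={f['conn']} op={f['op']})")
    return '\n'.join(out)


# Constructed sample log: alice fails twice from one host, once from another,
# and that second host keeps trying after the lock; bob's bind succeeds.
SAMPLE_LOG = """\
Jan 10 12:34:50 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan 10 12:34:51 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:51 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 12:34:54 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:54 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan 10 12:34:55 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
Jan 10 12:34:55 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:55 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=198.51.100.7:40002 (IP=0.0.0.0:389)
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jan 10 12:34:58 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
Jan 10 12:35:02 ldap1 slapd[1234]: conn=1003 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Jan 10 12:35:02 ldap1 slapd[1234]: conn=1003 op=1 RESULT tag=97 err=49 text=
"""

# Constructed ppolicy attributes of the locked entry, as ldapsearch would return them.
LOCKED_ENTRY = {
    'dn': 'uid=alice,ou=people,dc=example,dc=com',
    'pwdAccountLockedTime': '20240110123458Z',
    'pwdFailureTime': ['20240110123451.120334Z', '20240110123454.004511Z', '20240110123458.781002Z'],
}

if __name__ == '__main__':
    print(format_report(correlate(LOCKED_ENTRY, parse_bind_failures(SAMPLE_LOG.splitlines()))))
```

The matching is done on a time window rather than on exact equality because ppolicy writes `pwdFailureTime` with microseconds while syslog has one-second resolution, and because the two clocks are only as close as your NTP setup; if the log host is not on UTC, set `LOG_UTC_OFFSET` accordingly or the windows will never line up. Binds that fail after `pwdAccountLockedTime` are reported separately, since they are the part of the story the locked-out user usually cannot see.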