Log LDAP access of Active Directory

I am looking for a method to log LDAP access of an Active Directory domain controller. I want to be able to log the username and source IP address of access to both 389 and 636 (encrypted).

A simple packet capture would get me the source IP, but getting the username will not be possible over LDAPS, so I am hoping there is some built-in auditing/debug/logging feature in Windows that will give me this information.


Solution 1:

The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:

  • EventID: 4624
  • SubjectUserSID: S-1-5-18

The details will be lurking in these XML elements:

  • TargetUserName
  • IPAddress

If you're viewing things in the decoded text-view, the key markers are:

  • EventID: 4624
  • Network Information -> Workstation Name = name of the LDAP Server

The details will be:

  • Network Information -> Source Network Address
  • New Logon -> Account Name

The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.

Phrasing the search to get these events will prove tricky.
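One way to phrase that search, as an added example that is not part of the answer above: a Get-WinEvent XPath filter run on the domain controller that keeps only 4624 events whose subject is Local System and whose logon type is 3 (network), then pulls the account, source address and workstation name out of the event XML. The field names in the XPath are the case-sensitive `Data Name` attributes as they appear in the raw event XML (`SubjectUserSid`, `IpAddress`), not the labels shown in the decoded text view. Running elevated on the DC with successful-logon auditing enabled is assumed; the one-hour window and the `$Computer` parameter are example defaults.

```powershell
# Added example (not the answer's own code): list network logons to a DC
# that match the markers described above. Assumes it runs with rights to
# read the Security log and that "Audit Logon" success auditing is enabled.
param(
    [string]$Computer = $env:COMPUTERNAME,   # DC to query (assumed: local host)
    [int]$LookbackMs  = 3600000              # assumed window: last hour
)

# Event Viewer-style XPath: EventID 4624, subject SID S-1-5-18 (Local System),
# LogonType 3 (network), within the lookback window. Names are case-sensitive.
$xpath = @"
*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $LookbackMs]]
  and EventData[Data[@Name='SubjectUserSid']='S-1-5-18']
  and EventData[Data[@Name='LogonType']='3']]
"@

Get-WinEvent -ComputerName $Computer -LogName 'Security' -FilterXPath $xpath -ErrorAction Stop |
  ForEach-Object {
    # Decode the event XML once and index the EventData fields by name.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    [pscustomobject]@{
      Time        = $_.TimeCreated
      Account     = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
      SourceIP    = $d['IpAddress']        # "Source Network Address" in the text view
      SourcePort  = $d['IpPort']
      Workstation = $d['WorkstationName']  # expected to be the DC's own name
      AuthPackage = $d['AuthenticationPackageName']
      LogonType   = $d['LogonType']
    }
  } |
  Where-Object { $_.Account -notmatch '\$$' } |   # drop machine-account logons
  Sort-Object Time |
  Format-Table -AutoSize
```

Two caveats when reading the output: 4624 records the client's source address and port but not the service port on the DC, so it cannot tell 389 from 636; and any other network logon to the DC (SMB, RPC, WinRM) produces an event that matches the same filter, so the `AuthPackage` column is worth checking before treating a row as an LDAP bind.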