Log LDAP access of the Active Directory
I am looking for a method to log LDAP access of an Active Directory domain controller. I want to be able to log the username and source IP address of access to both 389 and 636 (encrypted).
A simple packet capture would get me the source IP, but getting the username will not be possible over LDAPS, so I am hoping there is some built-in auditing/debug/logging feature in Windows that will give me this information.
Solution 1:
The Windows Security event log does track this, but it isn't easy to extract out of the firehose. The key markers of an LDAP login:
- EventID: 4624
- SubjectUserSID: S-1-5-18
The details will be lurking in these XML elements:
- TargetUserName
- IPAddress
If you're viewing things in the decoded text-view, the key markers are:
- EventID: 4624
- Network Information -> Workstation Name = name of the LDAP Server
The details will be:
- Network Information -> Source Network Address
- New Logon -> Account Name
The key thing that differentiates these login events from regular login events is that the LDAP binds are in effect logging in TO the domain controller in question. That's why the "Workstation Name" field is filled in.
Phrasing the search to get these events will prove tricky.
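One way to phrase that search, as an added example that is not part of the answer above: a PowerShell function that pulls 4624 events from the Security log with an XPath filter on the subject SID, then keeps only those whose Workstation Name is the domain controller itself and prints the bound account and source address. It assumes it runs on the domain controller (or on a host with rights to read its Security log), and the function name `Get-DcBindLogons` is made up for this example. Note that the event-log XPath is case-sensitive on the `@Name` attributes, and the real field names in a 4624 event are `SubjectUserSid` and `IpAddress`.

```powershell
# Added example, not from the original answer.
# Lists network logons to this DC that match the pattern described above:
# EventID 4624, SubjectUserSid S-1-5-18, WorkstationName = the DC itself.

function Get-DcBindLogons {
    param(
        # Assumption: the local machine is the DC whose Security log is read.
        [string]$DomainController = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 5000
    )

    # Event-log XPath: EventID and a time window inside <System>, then the
    # SubjectUserSid check inside <EventData>. @Name values are case-sensitive.
    $windowMs = [int64]((Get-Date) - $Since).TotalMilliseconds
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $windowMs]]]" +
             " and *[EventData[Data[@Name='SubjectUserSid']='S-1-5-18']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()

        # Flatten the <Data Name="..."> elements into a name -> value table
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        # The differentiator from the answer: for LDAP binds the Workstation Name
        # is the domain controller being bound to, not a remote client.
        if ($d['WorkstationName'] -ne $DomainController) { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIP    = $d['IpAddress']
            SourcePort  = $d['IpPort']
            LogonType   = $d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
            Workstation = $d['WorkstationName']
        }
    }
}

# Usage: last 24 hours, oldest first
Get-DcBindLogons -Since (Get-Date).AddHours(-24) |
    Sort-Object Time |
    Format-Table -AutoSize
```

Two caveats when reading the output. A 4624 event records the client's source address and port, not the port on the DC, so it does not tell you whether the bind arrived on 389 or 636. And other network logons to the DC (SMB to SYSVOL, RPC) produce the same markers, so the list is "network logons to this DC", of which LDAP binds are a subset; the `AuthPackage` column (NTLM versus Kerberos) helps narrow it but does not isolate LDAP on its own.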