Monday, December 26, 2011

Track down who deleted what object - OpenLDAP


Identify the name (or at least partial name) of the deleted object. Confirm that it was deleted.

bash-3.2$ grep DEL /var/log/ldap/ldap.log | grep -i 'deleted-acct'

Dec 25 11:38:02 ldap-server slapd[3816]: conn=654321 op=12 DEL dn="uid=deleted-acct,ou=accounts,dc=example,dc=org"

Take note of the 'conn=' value. Look for the ACCEPT line carrying that connection number:

bash-3.2$ grep 654321 /var/log/ldap/ldap.log | grep ACC

Dec 25 11:29:49 ldap-server slapd[3816]: conn=654321 fd=23 ACCEPT from IP=10.11.12.13:56844 (IP=ldap-server-ip:636)

Open the ldap.log file and go to that time stamp. If using view/vi/less etc., you can type '/<timestamp>' while in the file.

For example:

bash-3.2$ view /var/log/ldap/ldap.log

/11:29:49

...then hit enter.

A few lines after the 'ACCEPT from' line, you'll find the BIND dn of the user that performed the deletion:

Dec 25 11:29:49 ldap-server slapd[3816]: conn=411685 fd=23 TLS established tls_ssf=128 ssf=128
Dec 25 11:29:49 ldap-server slapd[3816]: conn=411685 op=0 BIND dn="uid=user-who-deleted-account@example.org,ou=accounts,dc=example,dc=org" method=128
Dec 25 11:29:49 ldap-server slapd[3816]: conn=411685 op=0 BIND dn="uid=user-who-deleted-account@example.org,ou=accounts,dc=example,dc=org" mech=SIMPLE ssf=0
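The three grep steps above chained into one pass over the log, as an added example that is not from the original post: it keys every line on its conn= value, remembers the ACCEPT source and the last BIND dn per connection, and attaches the RESULT error code so a completed delete can be told apart from a refused one. The sample log lines are constructed and the function name who_deleted is an assumption.

```python
import re

# Constructed sample slapd log (not from the original post): conn=654321 binds as an
# admin and deletes an entry; conn=654322 binds anonymously and its DEL is refused
# (err=50, insufficientAccessRights). "IP=0.0.0.0:636" is a placeholder listener.
SAMPLE_LOG = """\
Dec 25 11:29:49 ldap-server slapd[3816]: conn=654321 fd=23 ACCEPT from IP=10.11.12.13:56844 (IP=0.0.0.0:636)
Dec 25 11:29:49 ldap-server slapd[3816]: conn=654321 op=0 BIND dn="uid=admin1,ou=accounts,dc=example,dc=org" method=128
Dec 25 11:38:02 ldap-server slapd[3816]: conn=654321 op=12 DEL dn="uid=deleted-acct,ou=accounts,dc=example,dc=org"
Dec 25 11:38:02 ldap-server slapd[3816]: conn=654321 op=12 RESULT tag=107 err=0 text=
Dec 25 11:40:10 ldap-server slapd[3816]: conn=654322 fd=24 ACCEPT from IP=10.11.12.99:40001 (IP=0.0.0.0:636)
Dec 25 11:40:10 ldap-server slapd[3816]: conn=654322 op=0 BIND dn="" method=128
Dec 25 11:40:11 ldap-server slapd[3816]: conn=654322 op=1 DEL dn="uid=other-acct,ou=accounts,dc=example,dc=org"
Dec 25 11:40:11 ldap-server slapd[3816]: conn=654322 op=1 RESULT tag=107 err=50 text=
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: '
                     r'conn=(?P<conn>\d+) (?P<rest>.*)$')
OP_RE = re.compile(r'op=(\d+) (\w+)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')

def who_deleted(log_text, dn_fragment):
    """One dict per DEL whose target dn contains dn_fragment (case-insensitive)."""
    conns = {}  # conn id -> {'ip', 'bind_dn'}; reset on ACCEPT, since numbering starts over when slapd restarts
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        conn, rest = m['conn'], m['rest']
        if ' ACCEPT from ' in rest:
            ip = re.search(r'from IP=(\S+)', rest)
            conns[conn] = {'ip': ip.group(1) if ip else None, 'bind_dn': None}
            continue
        op = OP_RE.match(rest)
        if not op: continue
        opnum, kind, args = op.groups()
        state = conns.setdefault(conn, {'ip': None, 'bind_dn': None})
        dn = DN_RE.search(args)
        if kind == 'BIND' and dn:
            state['bind_dn'] = dn.group(1) or 'anonymous'   # dn="" is an anonymous bind
        elif kind == 'DEL' and dn and dn_fragment.lower() in dn.group(1).lower():
            findings.append({'time': m['ts'], 'conn': conn, 'op': opnum,
                             'target': dn.group(1), 'from_ip': state['ip'], 'err': None,
                             'bound_as': state['bind_dn'] or 'unknown (BIND not in log)'})
        elif kind == 'RESULT':
            err = re.search(r'err=(\d+)', args)   # err=0 means the delete succeeded
            for f in findings:                    # attach the outcome to the matching DEL
                if (f['conn'], f['op']) == (conn, opnum) and f['err'] is None:
                    f['err'] = int(err.group(1)) if err else None
    return findings
```

Run it against a real file with who_deleted(open('/var/log/ldap/ldap.log').read(), 'deleted-acct'); a result with bound_as of 'unknown (BIND not in log)' means the connection's ACCEPT/BIND lines fell into an earlier, rotated log file.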