So I have provided LDAP servers for our Web Team for a long time. We have bought some new Firewalls and we are going to transition from our old DMZ to the new DMZ.
I have a server dedicated to LDAP and before I bought a Load Balancer, the Web Team configured their apps to do LDAP calls directly to that server. So I needed to write a script to read ndstrace and produce a list of unique connections. I also thought it would help to produce a report with both the IPs and the names.
I read through the ndstrace file and found that 389 and 636 traffic produce connections lines:
[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:22.916] ^[[0;0mNew cleartext connection 0xda96380 from 10.1.3.73:50841, monitor = 0xc409a700, index = 8^[[0;0m
[[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:26.800] ^[[0;0mNew TLS connection 0xda96380 from 126.96.36.199:51842, monitor = 0xc409a700, index = 8^[[0;0m
I found this would parse the file and find either, and produce a list of IP addresses:
grep "New .* connection" $files | sed -r 's/^.+from //' |sed -r 's/:.+$//' |sort |uniq
Then I needed to look up the server names for those IP addresses:
for LINE in `cat file.txt` do echo "Ldap connection from [$LINE]" >> $out2 nslookup $LINE | grep name | cut -f 2 -d "=" | sed 's/ //' >> $out2 done
So to put this all together I wanted the script to stop ndstrace, run the two items above, email the results, and restart ndstrace. Here is the shell script I wrote:
#!/bin/sh datesimp=$(date +%F) files=/tmp/ndstrace*.log out=/root/bin/result.$datesimp out2=/root/bin/name.$datesimp rm -f $out rm -f $out2 /opt/novell/eDirectory/bin/ndstrace -u grep "New .* connection" $files | sed -r 's/^.+from //' |sed -r 's/:.+$//' |sort |uniq > $out touch $out2 echo "These are services that are configured to connect directly to DULAP.abc.com" > $out2 for LINE in `cat $out` do echo "Ldap connection from [$LINE]" >> $out2 nslookup $LINE | grep name | cut -f 2 -d "=" | sed 's/ //' >> $out2 done echo "Connections to Dulap Directly See Attachment"| mail -s "DULAP Connections" -a $out2 -r firstname.lastname@example.org email@example.com,firstname.lastname@example.org /opt/novell/eDirectory/bin/ndstrace -l > /tmp/ndstrace.log & /opt/novell/eDirectory/bin/ndstrace -c 'set dstrace=nodebug' /opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=FILE ON' /opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=*R' /opt/novell/eDirectory/bin/ndstrace -c 'dstrace +time +tags +ldap'
Here is a report it produced:
These are services that are configured to connect directly to DULAP.davenport.edu
Ldap connection from [10.36.3.70] p-r-lamp-01.davenport.edu.
I hope you find this helpful and save you the time it took me to write this. You must stop ndstrace when you no longer need to trace it. The command “ndstrace -u” will end the process. After I wrote the script I have cron running it everyday.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.