So I have provided LDAP servers for our Web Team for a long time. We have bought some new Firewalls and we are going to transition from our old DMZ to the new DMZ.

I have a server dedicated to LDAP and before I bought a Load Balancer, the Web Team configured their apps to do LDAP calls directly to that server. So I needed to write a script to read ndstrace and produce a list of unique connections. I also thought it would help to produce a report with both the IPs and the names.

I read through the ndstrace file and found that 389 and 636 traffic produce connections lines:

[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:22.916] ^[[0;0mNew cleartext connection 0xda96380 from 10.1.3.73:50841, monitor = 0xc409a700, index = 8^[[0;0m

OR

[[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:26.800] ^[[0;0mNew TLS connection 0xda96380 from 69.196.253.30:51842, monitor = 0xc409a700, index = 8^[[0;0m

I found this would parse the file and find either, and produce a list of IP addresses:

grep "New .* connection" $files | sed -r 's/^.+from //' |sed -r 's/:.+$//' |sort |uniq

Then I needed to look up the server names for those IP addresses:

# $out2 is the report file; the full script below defines it.
for LINE in $(cat file.txt)
do
    echo "Ldap connection from [$LINE]" >> "$out2"
    # Reverse lookup; keep only the hostname after "name ="
    nslookup "$LINE" | grep name | cut -f 2 -d "=" | sed 's/ //' >> "$out2"
done

So to put this all together I wanted the script to stop ndstrace, run the two items above, email the results, and restart ndstrace. Here is the shell script I wrote:

#!/bin/sh
# Collect the unique client IPs that connected to this LDAP server, resolve
# their names, mail the report, then restart ndstrace with the same flags.
datesimp=$(date +%F)
files="/tmp/ndstrace*.log"          # glob, expanded where $files is used unquoted
out=/root/bin/result.$datesimp      # unique IP list
out2=/root/bin/name.$datesimp       # readable report, sent as the mail attachment
rm -f "$out" "$out2"
# Stop tracing so the log files are complete before reading them
/opt/novell/eDirectory/bin/ndstrace -u
# Matches both "New cleartext connection" and "New TLS connection" lines
grep "New .* connection" $files | sed -r 's/^.+from //' | sed -r 's/:.+$//' | sort -u > "$out"
echo "These are services that are configured to connect directly to DULAP.abc.com" > "$out2"
for LINE in $(cat "$out")
do
    echo "Ldap connection from [$LINE]" >> "$out2"
    # Reverse lookup; keep only the hostname after "name ="
    nslookup "$LINE" | grep name | cut -f 2 -d "=" | sed 's/ //' >> "$out2"
done
echo "Connections to Dulap Directly See Attachment" | mail -s "DULAP Connections" -a "$out2" -r abc@abc.com abc@abc.com,def@abc.com
# Restart ndstrace in the background and re-apply the LDAP trace settings
/opt/novell/eDirectory/bin/ndstrace -l > /tmp/ndstrace.log &
/opt/novell/eDirectory/bin/ndstrace -c 'set dstrace=nodebug'
/opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=FILE ON'
/opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=*R'
/opt/novell/eDirectory/bin/ndstrace -c 'dstrace +time +tags +ldap'

Here is a report it produced:

These are services that are configured to connect directly to DULAP.davenport.edu
Ldap connection from [10.36.3.70]
p-r-lamp-01.davenport.edu.
Ldap connection from [66.202.198.23]
p-r-ssos-01.davenport.edu.
Ldap connection from [69.196.253.30]
eth0-0-fw3-1-ap-r137-3-va3.blackboard.com.
eth0-0-fw3-1-ap-r137-3-va3.mhint.
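As an added example that is not part of the original post or the script above: the same ndstrace "New ... connection" lines, constructed inline here complete with the ANSI colour codes ndstrace writes into its log, parsed with sed and awk into a per-client count that separates cleartext (389) from TLS (636) connections. A cleartext LDAP bind sends the credentials unencrypted, so the list of cleartext clients is the one worth chasing with the Web Team before the old DMZ goes away. The sample trace lines, IP addresses and function names are constructed for this example; the reverse lookup stays with the nslookup loop in the script.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses ndstrace "New ... connection"
# lines into per-client counts, split by cleartext vs TLS. All sample data is constructed.
set -eu

ESC=$(printf '\033')   # ndstrace colours its log lines with ANSI sequences such as ESC[0;0m

# Write one constructed ndstrace-style connection line.
# $1 = "cleartext" or "TLS", $2 = client IP, $3 = client source port.
trace_line() {
    printf '%s[0;0m3293177600 LDAP: %s[0;0m[2016/11/14 8:55:22.916] %s[0;0mNew %s connection 0xda96380 from %s:%s, monitor = 0xc409a700, index = 8%s[0;0m\n' \
        "$ESC" "$ESC" "$ESC" "$1" "$2" "$3" "$ESC"
}

# Build a small constructed trace file: one cleartext client seen twice,
# two TLS clients, plus one non-connection line that the parser must ignore.
write_sample_trace() {
    {
        trace_line cleartext 10.1.3.73 50841
        trace_line TLS 69.196.253.30 51842
        trace_line cleartext 10.1.3.73 50902
        trace_line TLS 10.36.3.70 44120
        printf '%s[0;0m3293177600 LDAP: %s[0;0m[2016/11/14 8:55:23.001] %s[0;0mOperation on connection 0xda96380 (constructed noise line)%s[0;0m\n' \
            "$ESC" "$ESC" "$ESC" "$ESC"
    } > "$1"
}

# Print "TYPE IP COUNT" for every client, TYPE being cleartext or TLS.
connections_by_type() {
    # Strip the colour codes first so the text matches regardless of terminal styling.
    sed -E "s/${ESC}\[[0-9;]*m//g" "$1" |
    awk '/New (cleartext|TLS) connection .* from [0-9.]+:[0-9]+/ {
            type = ($0 ~ /New TLS connection/) ? "TLS" : "cleartext"
            ip = $0
            sub(/^.* from /, "", ip)   # drop everything up to the client address
            sub(/:.*$/, "", ip)        # drop the source port and trailing fields
            count[type " " ip]++
         }
         END { for (k in count) print k, count[k] }' |
    LC_ALL=C sort
}

# Sorted unique client IPs, the same list the grep/sed pipeline in the post produces.
unique_client_ips() {
    connections_by_type "$1" | awk '{ print $2 }' | LC_ALL=C sort -u
}

# Clients that still bind over cleartext LDAP (port 389): credentials cross the wire
# unencrypted, so these are the ones to move to LDAPS before the old DMZ is retired.
cleartext_clients() {
    connections_by_type "$1" | awk '$1 == "cleartext" { print $2 }' | LC_ALL=C sort -u
}

SAMPLE_TRACE=$(mktemp)
trap 'rm -f "$SAMPLE_TRACE"' EXIT
write_sample_trace "$SAMPLE_TRACE"

echo "Connections per client and type:"
connections_by_type "$SAMPLE_TRACE"
echo "Clients still using cleartext LDAP:"
cleartext_clients "$SAMPLE_TRACE"
```

Point connections_by_type at the real /tmp/ndstrace*.log files (after ndstrace -u, as the script does) to get the same split for a production trace; the colour-code strip is what keeps the awk match stable when the log is viewed or copied through different terminals.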

I hope you find this helpful and that it saves you the time it took me to write this. You must stop ndstrace when you no longer need to trace; the command "ndstrace -u" will end the process. After I wrote the script I set up cron to run it every day.

By: stharp, Nov 22, 2016, 8:15 am