LDAP Trigger to map errors by DN/username

triggers

#1

Hi all -

I created the following triggers to sort LDAP errors by the DN/username that caused the error. The first trigger is used to merely capture the DN and store that information into the flow. The real magic occurs in the second trigger. In the case where the DN was blank, I use the client IP that caused the error in place of the DN. Also, since this trigger dynamically creates metrics based on the error type, you will be able to graph the different error events against each other.

Once this trigger is applied the metrics will start to populate. An example graph is shown below:

For each type of error found there will be a metric named after the error, and a detail metric with the same name and “_detail” appended at the end. An example chart configuration can be seen below:

This trigger requires firmware version 3.5.13999 or greater.

/*
  * Trigger: LDAP_ErrorbyDN
  * Description: Records the username/DN for LDAP errors.
  * In cases where the username is not available the Client IP
  * is appended instead.
  * Event: LDAP_RESPONSE
  */

var error = LDAP.error;
var ldapDN = LDAP.dn;

if (error !== null) {
  debug("got error: " + error + " with " + ldapDN);

  /* Append Client IP when an empty username is sent. */
  if (ldapDN === null && error === "invalidCredentials") {
    ldapDN = Flow.client.ipaddr + " : Username/DN was empty.";
  } else if (ldapDN === null && error === "saslBindInProgress") {
    ldapDN = Flow.client.ipaddr + " : More credentials are required.";
  }

  /* Create a metric based on each error type, and a detail metric as well. */
  Device.metricAddCount(error, 1);
  Device.metricAddDetailCount(error + "_detail", ldapDN, 1);
}

#2

Here is an example of using the new LDAP.bindDN property in v3.8.16380+:

LDAP_REQUEST event

/* Capture the bind DN on the request so it is available when the response arrives. */
Flow.store.binddn = LDAP.bindDN;

LDAP_RESPONSE event

/* Retrieve the bind DN stored on the request side of this flow. */
var binddn = Flow.store.binddn;
debug("dn: " + LDAP.dn + " binddn: " + binddn + ", error: " + LDAP.error);
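As an added example that is not part of either post above, the accounting the two triggers perform (per-error counts plus a per-DN detail count, with the bind DN from post #2 and the client-IP fallback from post #1) is written here as plain functions that run offline over constructed records; the `ev` object fields and the in-memory tables stand in for the ExtraHop LDAP, Flow and Device objects and are assumptions of this example.

```javascript
// Label used as the detail-metric key: prefer the response DN, then the
// bind DN captured on the request (post #2), then fall back to the client
// IP with the reason text from post #1. Null and "" are treated alike.
// The final "DN not available" text is this example's own choice.
function detailLabel(ev) {
  if (ev.dn) return ev.dn;
  if (ev.bindDN) return ev.bindDN;
  if (ev.error === "invalidCredentials") {
    return ev.clientIp + " : Username/DN was empty.";
  }
  if (ev.error === "saslBindInProgress") {
    return ev.clientIp + " : More credentials are required.";
  }
  return ev.clientIp + " : DN not available.";
}

// Fold a list of LDAP response records into the two tables the trigger
// feeds: a count per error type, and per error type a count per label
// (the "<error>_detail" metrics the charts are built from).
function aggregateErrors(events) {
  const counts = {};
  const details = {};
  for (const ev of events) {
    if (ev.error === null || ev.error === undefined) continue; // success
    counts[ev.error] = (counts[ev.error] || 0) + 1;
    const key = ev.error + "_detail";
    const label = detailLabel(ev);
    details[key] = details[key] || {};
    details[key][label] = (details[key][label] || 0) + 1;
  }
  return { counts, details };
}

// Constructed sample records (not captured traffic).
const SAMPLE_EVENTS = [
  { error: null, dn: "cn=alice,dc=example,dc=com", bindDN: null, clientIp: "10.0.0.5" },
  { error: "invalidCredentials", dn: "cn=alice,dc=example,dc=com", bindDN: null, clientIp: "10.0.0.5" },
  { error: "invalidCredentials", dn: null, bindDN: "cn=bob,dc=example,dc=com", clientIp: "10.0.0.6" },
  { error: "invalidCredentials", dn: null, bindDN: null, clientIp: "10.0.0.7" },
  { error: "invalidCredentials", dn: "", bindDN: null, clientIp: "10.0.0.7" },
  { error: "saslBindInProgress", dn: null, bindDN: null, clientIp: "10.0.0.8" },
  { error: "noSuchObject", dn: "ou=missing,dc=example,dc=com", bindDN: null, clientIp: "10.0.0.9" },
];

// Usage: print the tables a chart of the "_detail" metrics would show.
console.log(JSON.stringify(aggregateErrors(SAMPLE_EVENTS), null, 2));
```

Repeated entries for one client IP under the empty-DN label are the same signal the original detail metric surfaces, without the DN being present in the response.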