Write LDAP attributes to Access Log

Hi,

I'm trying to pull the displayName attribute of authenticated users from Microsoft AD via LDAP and write it as a user-defined property in the access log.

This will be useful when creating reports based on the access log; sometimes authentication usernames don't contain the actual name of the user (it might be the employee number).

I could set the authentication with LDAP and get the displayName attribute alright.

Now I just need to find out how to use this attribute in the access log.

Appreciate any help with this one.

Thanks

Accepted Solutions
Re: Write LDAP attributes to Access Log

Alright I got it to work.

So first I used standard NTLM authentication, so it will store the authentication.username as a simple string (instead of the full user DN which LDAP authentication returns).

Then I took the part of AndreSabben's ruleset on how to store an LDAP query in a user-defined property (modified it to query for the displayName attribute).

And lastly I changed the standard access.log authentication.username to my user-defined property (so I wouldn't have to change the headers and parser on the Reporter).

So overall I query the AD twice:

first over 445/TCP for the NTLM authentication.

second over 3268/TCP for the displayName attribute (or 389/TCP).

Andy - thanks for your instructions and the heads-up on the headers, quotes etc.!

Cheers

Message was edited by: orens on 5/11/13 5:48:39 PM CDT

4 Replies

Re: Write LDAP attributes to Access Log

You can add the information to the access log on the Policy tab, then under Rule Sets and Log Handler.  Select Access Log under the Default log handler.  You should see one rule there, which you can edit.  On the Edit Rule dialog, select Events, then edit the first event.  The event type should stay the same, but the list of concatenated strings on the right side can be modified.  The property that contains the displayName can then be added to the log line by clicking Add, then choosing the Parameter property radio button, and finally selecting the property that has the correct data.

I stuffed it all into one screen shot, but here are all the steps numbered:

[Screenshot: access_log.png]

I would recommend putting the name in quotes, as it is likely to have spaces in it.  Click on Add, select Parameter value, and enter the quote.  It would also be good to add a space before/after it to separate it from another value.

After the new data is defined in the log line, you should add a name for the field to the log header.  Go to Policy --> Settings --> File System Logging --> Access Log Configuration.  In the Log header field, add the new field name with the proper spaces/quotes around it.  This will enable the WebReporter/Content Security Reporter to properly read the file.  Without this, you will just get parsing errors.
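A small parser for the quoted-field convention the reply above describes, added here as an illustration and not code from the thread or from McAfee Web Gateway: the header and the log lines are constructed (not MWG's real default format), a display name written without quotes makes the line unparsable against the header, and quote_field shows the escaping worth applying before a directory attribute such as displayName is written into the log.

```python
import re

# Constructed header (an assumption, not MWG's real default): a name in
# double quotes marks a column that may contain spaces and is written quoted.
HEADER = 'time_stamp "display_name" src_ip status_code "req_line"'

# Constructed sample lines. The second was written without quoting the
# display name, which is the mistake the reply above warns about.
SAMPLE_LINES = [
    '2013-05-11T17:48:39 "Jane Q. Public" 10.0.0.5 200 "GET http://example.test/ HTTP/1.1"',
    '2013-05-11T17:48:40 Jane Q. Public 10.0.0.5 200 "GET http://example.test/ HTTP/1.1"',
]

# One token is either a double-quoted string (allowing \" and \\) or a bare word.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(text):
    """Split a header or log line into (value, was_quoted) pairs."""
    tokens = []
    for m in TOKEN.finditer(text):
        if m.group(1) is not None:
            tokens.append((re.sub(r"\\(.)", r"\1", m.group(1)), True))
        else:
            tokens.append((m.group(2), False))
    return tokens


def parse_line(line, header=HEADER):
    """Map one log line onto the header; raise when the shapes disagree."""
    fields, values = tokenize(header), tokenize(line)
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    record = {}
    for (name, want_quoted), (value, got_quoted) in zip(fields, values):
        if want_quoted != got_quoted:
            raise ValueError(f"field {name!r}: quoting does not match the header")
        record[name] = value
    return record


def quote_field(value):
    """Prepare a directory attribute for one quoted log field: line breaks
    would split the record and raw quotes would end the field early."""
    value = value.replace("\r\n", " ").replace("\r", " ").replace("\n", " ")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
```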

McAfee Employee
Re: Write LDAP attributes to Access Log

Hi orens,

There is no property that contains the displayName. What needs to be done is that it needs to be pulled when MWG contacts the LDAP server (AD).

So much like MWG will pull group information (memberOf), we need to store the displayName into the user-defined property based on the given username.

I will write up a ruleset which will allow you to retrieve the displayName and store it.

One question though (that has bearing on how I write it), are you using NTLM auth, or LDAP to start?

Best,

Jon

McAfee Employee
Re: Write LDAP attributes to Access Log

What is entailed is similar to what I did on the following thread:

https://community.mcafee.com/message/284493#284493

But it depends on how you perform the original authentication (NTLM or LDAP); this will change how the rules look.

Best,

Jon

