LDAP connections/queries logging
Question
-
A custom Perl application is failing to authenticate against AD (2008 R2 x64).
It uses a secure LDAP connection (port 636) and fails with the error "First bind failed! I/O Error Connection reset by peer".
But OpenLDAP's client CLI command ldapsearch connects without any trouble.
Is it possible to log LDAP connections/queries on the server side?
Answers
-
Well, you can log all LDAP queries on a given DC by setting the "15 Field Engineering" value to 5 which is under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Diagnostics
Then create these DWORD values: "Expensive Search Results Threshold" and "Inefficient Search Results Threshold" and set them to 1, under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
This will result in an event generated in the Directory Services event log for every LDAP query. Once finished you should delete the two DWORD values you created and set "15 Field Engineering" back to 0.
Huge DISCLAIMER: You should be aware of the load on the DC before you attempt this; you really don't want to do this change on a busy DC. You are much better off in a lab environment if you have full logging turned on.
- Marked as answer by marianh Monday, January 28, 2013 6:07 PM
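The registry procedure from this answer, scripted as an added example (not code from the thread) so that the noisy logging is always switched off again, plus a read-back of the events it generates. The event ID 1644 used below comes from Microsoft's documentation of this logging, not from the thread; run it elevated on the DC, ideally in a lab.

```powershell
# Added example, not from the original thread: wraps the registry changes in
# the accepted answer so the logging is always reverted, then reads back the
# per-query events. Run elevated on the DC, ideally in a lab.
$DiagKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Diagnostics'
$ParamKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$Thresholds = 'Expensive Search Results Threshold', 'Inefficient Search Results Threshold'

function Enable-LdapQueryLogging {
    # "15 Field Engineering" = 5 turns on field-engineering diagnostics.
    Set-ItemProperty -Path $DiagKey -Name '15 Field Engineering' -Value 5 -Type DWord
    # A threshold of 1 classifies every search as expensive/inefficient, so
    # every query produces an event. That is why this hurts a busy DC.
    foreach ($Name in $Thresholds) {
        New-ItemProperty -Path $ParamKey -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Disable-LdapQueryLogging {
    # Revert exactly as the answer says: value back to 0, the two DWORDs deleted.
    Set-ItemProperty -Path $DiagKey -Name '15 Field Engineering' -Value 0 -Type DWord
    foreach ($Name in $Thresholds) {
        Remove-ItemProperty -Path $ParamKey -Name $Name -ErrorAction SilentlyContinue
    }
}

function Get-LdapQueryEvents {
    param([datetime]$Since)
    # Event ID 1644 in the "Directory Service" log is the per-search event this
    # logging writes (ID from Microsoft documentation, not from the thread).
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $Since
    } | Select-Object TimeCreated, Message
}

# Capture a short window, then turn logging off again no matter what happens.
$Start = Get-Date
Enable-LdapQueryLogging
try {
    # Reproduce the failing bind from the Perl client during this window.
    Start-Sleep -Seconds 60
}
finally {
    Disable-LdapQueryLogging
}
Get-LdapQueryEvents -Since $Start | Format-List
```

Each 1644 event records the client address and the search, so you can check whether the Perl client's query ever arrived; if the connection is reset during the TLS handshake, no bind or search reaches the directory and no event is written, which itself points back at the certificate/TLS checks suggested in the replies.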
All replies
-
If this is a Windows client you can use ADInsight to view what it is trying to do: http://technet.microsoft.com/en-us/sysinternals/bb897539.aspx
In your case I would suspect this isn't much help, and it looks like you aren't getting far enough to examine LDAP traffic anyway.
I would confirm the CA that signed your DC's certificate is trusted by the client and that the TLS handshake is completing successfully (via tcpdump, Wireshark, etc.).
On the DC itself, you can get a lot of information from the Performance Monitor. The system-defined Active Directory Diagnostic data collector set includes tracing of AD related events including some LDAP queries, and you may be able to find performance related issues by executing that data collector set. That said, it is much easier/more efficient/safer to gather information on the client that is experiencing issues.
-
OK, let's forget that error and focus on the tool that can log LDAP queries.
Be aware that LDAP over SSL or TLS is used!
I already tried ADInsight with no success - it didn't show/log a thing!
The same thing with Performance Monitor: I was able to start collecting data but not to stop collecting (the button was greyed out).