
LDAP Watchdog: Real-Time LDAP Monitoring and Change Detection
LDAP Watchdog is a Python-based tool for real-time monitoring of LDAP (Lightweight Directory Access Protocol) directories.
It polls the directory and tracks additions, modifications, and deletions of user and group entries, giving administrators visibility into directory activity.
It is written for organizations running OpenLDAP on Linux, although it may work with other LDAP implementations, and it can forward what it sees to Slack.
Key Features
Real-Time Monitoring
LDAP Watchdog polls the LDAP directory at a configurable interval and reports changes to user and group entries as soon as they show up in a search, so administrators learn about directory activity close to when it happens.
Change Comparison
The tool compares consecutive LDAP snapshots to identify:
- Additions
- Modifications
- Deletions
Control User Verification
A designated control user (its UUID is set as CONTROL_UUID in the configuration) acts as a canary for the monitoring pipeline itself: if the expected changes to the control user go undetected, the tool raises an error instead of silently reporting a quiet directory.
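The snapshot comparison and the control-user check described above, as an added example that is not code from the LDAP Watchdog project. It takes search results in the shape the ldap3 library returns, keys them on entryUUID (stable across renames, unlike the DN), and reports additions, modifications and deletions. The control check is modelled as a presence test, which is this example's own reading of the mechanism; the sample entries, DNs and UUIDs are constructed.

```python
"""Snapshot comparison for a polling LDAP monitor (added example, not the project's code).

Entries are keyed on entryUUID rather than on DN: entryUUID survives a rename
(modrdn), so a rename appears as one modification instead of a deletion plus an
addition. entryUUID is an operational attribute and must be requested explicitly
(attributes=['*', '+'] on OpenLDAP) or it will not be in the results.
"""
import json


def _normalize(value):
    """Fold ldap3's scalar-or-list attribute values into a sorted tuple of strings.

    Multi-valued attributes may come back in any order; comparing sorted tuples
    avoids false 'modified' alerts caused by ordering alone.
    """
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(str(v) for v in value))
    return (str(value),)


def build_snapshot(entries):
    """Index search results by entryUUID.

    `entries` mimics ldap3's Connection.response: dicts carrying 'type', 'dn' and
    'attributes'. Referral results (searchResRef) have no attributes and are
    skipped, as is any entry without an entryUUID to key on.
    """
    snapshot = {}
    for entry in entries:
        if entry.get('type', 'searchResEntry') != 'searchResEntry':
            continue
        attributes = entry.get('attributes') or {}
        uuid = _normalize(attributes.get('entryUUID', []))
        if not uuid:
            continue
        snapshot[uuid[0]] = {
            'dn': entry['dn'],
            'attributes': {name: _normalize(v) for name, v in attributes.items()},
        }
    return snapshot


def diff_snapshots(old, new):
    """Compare two snapshots; a modification lists (old, new) per changed attribute,
    with None on the side where the attribute was absent."""
    added = [{'uuid': u, 'dn': new[u]['dn']} for u in sorted(new.keys() - old.keys())]
    deleted = [{'uuid': u, 'dn': old[u]['dn']} for u in sorted(old.keys() - new.keys())]
    modified = []
    for uuid in sorted(old.keys() & new.keys()):
        before, after = old[uuid], new[uuid]
        changes = {}
        for name in set(before['attributes']) | set(after['attributes']):
            b, a = before['attributes'].get(name), after['attributes'].get(name)
            if b != a:
                changes[name] = (b, a)
        if before['dn'] != after['dn']:  # same entryUUID, new DN: a rename
            changes['dn'] = ((before['dn'],), (after['dn'],))
        if changes:
            modified.append({'uuid': uuid, 'dn': after['dn'], 'changes': changes})
    return {'added': added, 'modified': modified, 'deleted': deleted}


def check_control_entry(snapshot, control_uuid):
    """Canary check, modelled as a presence test (this example's assumption).
    Without it an empty or truncated result set (failed bind, server size limit,
    wrong BASE_DN) would be reported as a wave of deletions, not as a failure."""
    if control_uuid not in snapshot:
        raise RuntimeError(f'control entry {control_uuid} missing from snapshot')


# Constructed sample results in ldap3's response shape (not real directory data).
CONTROL_UUID = 'a71c6e4c-8881-4a03-95bf-4fc25d5e6359'
ALICE = '5f0c2a3e-4d21-4e3b-9b7a-1c2d3e4f5a6b'
BOB = '7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d'
CAROL = '9e8d7c6b-5a4f-4e3d-9c2b-1a0f9e8d7c6b'
PEOPLE = 'ou=people,dc=example,dc=com'


def _entry(dn, **attributes):
    return {'type': 'searchResEntry', 'dn': dn, 'attributes': attributes}


RESULTS_T0 = [
    _entry(f'uid=control,{PEOPLE}', entryUUID=CONTROL_UUID, uid='control'),
    _entry(f'uid=alice,{PEOPLE}', entryUUID=ALICE, uid='alice', title='Engineer',
           memberOf=['cn=staff,dc=example,dc=com', 'cn=interns,dc=example,dc=com'],
           modifyTimestamp='20240101000000Z'),
    _entry(f'uid=bob,{PEOPLE}', entryUUID=BOB, uid='bob'),
    {'type': 'searchResRef', 'dn': '', 'uri': ['ldap://other.example.com/dc=example,dc=com']},
]
RESULTS_T1 = [
    _entry(f'uid=control,{PEOPLE}', entryUUID=CONTROL_UUID, uid='control'),
    # alice: promoted; groups unchanged but returned in a different order
    _entry(f'uid=alice,{PEOPLE}', entryUUID=ALICE, uid='alice', title='Senior Engineer',
           memberOf=['cn=interns,dc=example,dc=com', 'cn=staff,dc=example,dc=com'],
           modifyTimestamp='20240301000000Z'),
    # bob is gone; carol is new
    _entry(f'uid=carol,{PEOPLE}', entryUUID=CAROL, uid='carol'),
]


def demo():
    """Diff the two constructed snapshots once the canary check passes."""
    t0, t1 = build_snapshot(RESULTS_T0), build_snapshot(RESULTS_T1)
    check_control_entry(t1, CONTROL_UUID)
    return diff_snapshots(t0, t1)


if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

The reordered memberOf values produce no alert, the referral result is dropped rather than treated as an entry, and the title and modifyTimestamp changes are the only modifications reported; modifyTimestamp is exactly the kind of attribute the ignore lists in the configuration exist for.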
Flexible Filtering
Administrators can customize the LDAP filter through the SEARCH_FILTER parameter to focus on specific object classes or attributes.
Slack Integration
Notifications for directory changes can be sent directly to Slack via a webhook, enabling real-time alerts.
Customizable Output
Console output is clear and color-coded for easy identification of changes. Colored output can be disabled if needed.
Ignored Entries and Attributes
Specific entries (identified by their entryUUID) or specific attributes can be excluded from monitoring to avoid unnecessary alerts; modifyTimestamp, which changes on every write, is the usual first candidate.
Conditional Ignored Attributes
Attributes can be ignored based on their old or new values, allowing fine-grained control over monitoring.
Use Cases
LDAP Watchdog is particularly useful for:
- Tracking new hires, promotions, or employee departures.
- Monitoring HR-related changes in the directory.
- Detecting unauthorized changes or potential security incidents.
- Identifying accidental data leaks through directory attributes.
- Observing user login activity, to the extent the directory records it in entry attributes (a polling monitor sees attribute changes, not the bind operations themselves).
Prerequisites
To use LDAP Watchdog, ensure the following requirements are met:
1. Python 3 installed on your system.
2. The ldap3 Python library (installable via pip install ldap3).
3. The requests library if Slack integration is enabled (pip install requests).
4. Access credentials for the LDAP server (if not using anonymous bind).
Configuration
General Settings
Key configuration parameters include:
- LDAP_SERVER: URL of the LDAP server (e.g., ldaps://example.com).
- BASE_DN: Base Distinguished Name for searches (e.g., dc=example,dc=com).
- SEARCH_FILTER: LDAP filter that defines the scope of monitoring (e.g., (&(objectClass=inetOrgPerson))).
- REFRESH_RATE: Interval (in seconds) between consecutive searches.
- LDAP_USERNAME and LDAP_PASSWORD: Credentials for authentication (leave both empty for an anonymous bind).
- USE_SSL: Set to True for SSL connections.
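One way to turn these settings into an ldap3 connection and pull a single snapshot, as an added example that is not LDAP Watchdog's own code. It uses the setting names from the list above plus one of its own, CA_CERTS_FILE: ldap3's Tls object defaults to ssl.CERT_NONE, so USE_SSL=True alone encrypts the session without checking who is at the other end, and a monitor that accepts any certificate can be fed a fake directory. The preflight validate_config catches a URL scheme that disagrees with USE_SSL, half-set credentials and a non-positive refresh rate. The configuration values are constructed; fetch_entries needs ldap3 installed and a reachable server.

```python
"""Connection settings to an ldap3 search (added example, not the project's code)."""
import ssl
from urllib.parse import urlsplit

CONFIG = {  # constructed values; in practice load the password from the environment
    'LDAP_SERVER': 'ldaps://ldaps.intra.lan',
    'BASE_DN': 'dc=example,dc=com',
    'SEARCH_FILTER': '(&(objectClass=inetOrgPerson))',
    'REFRESH_RATE': 60,
    'LDAP_USERNAME': 'cn=watchdog,ou=services,dc=example,dc=com',
    'LDAP_PASSWORD': 'secret',
    'USE_SSL': True,
    'CA_CERTS_FILE': '/etc/ssl/certs/ca-certificates.crt',  # this example's own setting
}


def validate_config(cfg):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    url = urlsplit(cfg.get('LDAP_SERVER', ''))
    use_ssl = bool(cfg.get('USE_SSL'))
    if url.scheme not in ('ldap', 'ldaps'):
        problems.append('LDAP_SERVER must start with ldap:// or ldaps://')
    if url.scheme == 'ldaps' and not use_ssl:
        problems.append('LDAP_SERVER is ldaps:// but USE_SSL is False')
    if url.scheme == 'ldap' and use_ssl:
        problems.append('USE_SSL is True but LDAP_SERVER uses plain ldap://')
    if use_ssl and not cfg.get('CA_CERTS_FILE'):
        problems.append('CA_CERTS_FILE unset: the server certificate would not be verified')
    if bool(cfg.get('LDAP_USERNAME')) != bool(cfg.get('LDAP_PASSWORD')):
        problems.append('LDAP_USERNAME and LDAP_PASSWORD must both be set or both be empty')
    rate = cfg.get('REFRESH_RATE')
    if isinstance(rate, bool) or not isinstance(rate, (int, float)) or rate <= 0:
        problems.append('REFRESH_RATE must be a positive number of seconds')
    flt = cfg.get('SEARCH_FILTER', '')
    if not (flt.startswith('(') and flt.endswith(')')) or flt.count('(') != flt.count(')'):
        problems.append('SEARCH_FILTER is not a well-formed parenthesised filter')
    if not cfg.get('BASE_DN'):
        problems.append('BASE_DN is empty')
    return problems


def fetch_entries(cfg):
    """Run one search and return ldap3's response entries (requires pip install ldap3).

    entryUUID and modifyTimestamp are operational attributes, so the search asks
    for '*' and '+' explicitly. A paged search keeps the server's size limit from
    silently truncating the snapshot, which a diff would misread as mass deletion.
    """
    import ldap3  # imported here so validate_config works without ldap3 installed

    problems = validate_config(cfg)
    if problems:
        raise ValueError('; '.join(problems))
    tls = None
    if cfg['USE_SSL']:
        # Verify the chain against the configured CA bundle instead of ldap3's CERT_NONE default.
        tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=cfg['CA_CERTS_FILE'])
    server = ldap3.Server(cfg['LDAP_SERVER'], use_ssl=cfg['USE_SSL'], tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(
        server,
        user=cfg['LDAP_USERNAME'] or None,      # None/None is an anonymous bind
        password=cfg['LDAP_PASSWORD'] or None,
        auto_bind=True,
        raise_exceptions=True,                  # a failed bind must not look like an empty directory
    )
    try:
        return list(conn.extend.standard.paged_search(
            search_base=cfg['BASE_DN'],
            search_filter=cfg['SEARCH_FILTER'],
            search_scope=ldap3.SUBTREE,
            attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES],
            paged_size=500,
            generator=True,
        ))
    finally:
        conn.unbind()
```

raise_exceptions=True matters for a monitor: with ldap3's default, a bind or search failure returns False and leaves an empty response, which a naive loop would diff as every entry having been deleted.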
Slack Integration
To enable Slack notifications:
1. Obtain a Slack Webhook URL.
2. Set it as an environment variable (SLACK_WEBHOOK_URL) or directly in the configuration file. Treat the URL as a secret: anyone who holds it can post to the channel, so prefer the environment variable over a value hard-coded in the file.
Example Slack settings:
```python
import os

SLACK_WEBHOOK = os.getenv('SLACK_WEBHOOK_URL')
SLACK_BULLETPOINT = ' • '
```
Ignored Entries and Attributes
You can specify entries (by UUID) or attributes to ignore during monitoring:
```python
IGNORED_UUIDS = ['uuid1', 'uuid2']
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'phoneNumber']
```
Conditional ignored attributes, keyed by attribute name with the old or new values that make a change ignorable, can also be defined:
```python
CONDITIONAL_IGNORED_ATTRIBUTES = {
    'memberOf': ['cn=interns,dc=example,dc=com'],
    'organizationalStatus': ['researcher']
}
```
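How the three ignore settings above (and the Ignored Entries and Conditional Ignored Attributes features described earlier) can be applied to a list of modifications before anything is alerted on, as an added example that is not LDAP Watchdog's code. It assumes modification records of the shape {'uuid', 'dn', 'changes': {attribute: (old_values, new_values)}}, each side a tuple of strings or None when the attribute was absent. The conditional rule is applied per value, which is this example's own reading of "ignored based on their old or new values": a change is suppressed only when every value added or removed is on that attribute's list, so a write that drops cn=interns and adds an unlisted group in the same operation is still reported. The modification records and UUIDs are constructed.

```python
"""Apply ignore rules to modification records (added example, not the project's code)."""

IGNORED_UUIDS = ['a0d5c1e2-0000-4000-8000-000000000001']  # constructed: a sync account
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'phoneNumber']
CONDITIONAL_IGNORED_ATTRIBUTES = {
    'memberOf': ['cn=interns,dc=example,dc=com'],
    'organizationalStatus': ['researcher'],
}


def _only_ignored_values_changed(attr, old, new, conditional):
    """True when every value added to or removed from `attr` is on its ignore list.

    Comparing the symmetric difference per value means a change that touches
    listed and unlisted values at once (interns removed, admins added) is kept.
    """
    listed = set(conditional.get(attr, ()))
    if not listed:
        return False
    changed = set(old or ()) ^ set(new or ())
    return bool(changed) and changed <= listed


def apply_ignore_rules(modifications, ignored_uuids=IGNORED_UUIDS,
                       ignored_attributes=IGNORED_ATTRIBUTES,
                       conditional=CONDITIONAL_IGNORED_ATTRIBUTES):
    """Return the modifications that should still be alerted on, with ignored
    attribute changes stripped; a record left with no changes is dropped."""
    ignored_uuids = set(ignored_uuids)
    ignored_attributes = set(ignored_attributes)
    kept = []
    for mod in modifications:
        if mod['uuid'] in ignored_uuids:
            continue
        changes = {}
        for attr, (old, new) in mod['changes'].items():
            if attr in ignored_attributes:
                continue
            if _only_ignored_values_changed(attr, old, new, conditional):
                continue
            changes[attr] = (old, new)
        if changes:
            kept.append({**mod, 'changes': changes})
    return kept


# Constructed modification records (not real directory data).
INTERNS = 'cn=interns,dc=example,dc=com'
STAFF = 'cn=staff,dc=example,dc=com'
ADMINS = 'cn=admins,dc=example,dc=com'
SAMPLE_MODIFICATIONS = [
    {   # pure noise: a timestamp bump and an intern leaving the interns group
        'uuid': 'b1f4c0de-0000-4000-8000-000000000011',
        'dn': 'uid=alice,ou=people,dc=example,dc=com',
        'changes': {
            'modifyTimestamp': (('20240101000000Z',), ('20240102000000Z',)),
            'memberOf': ((INTERNS, STAFF), (STAFF,)),
        },
    },
    {   # interns removed AND admins added in one write: must still alert
        'uuid': 'b2f4c0de-0000-4000-8000-000000000022',
        'dn': 'uid=bob,ou=people,dc=example,dc=com',
        'changes': {'memberOf': ((INTERNS,), (ADMINS,))},
    },
    {   # status set to a listed value from absent: suppressed
        'uuid': 'b3f4c0de-0000-4000-8000-000000000033',
        'dn': 'uid=carol,ou=people,dc=example,dc=com',
        'changes': {'organizationalStatus': (None, ('researcher',))},
    },
    {   # entry on the ignore list: suppressed whatever changed
        'uuid': IGNORED_UUIDS[0],
        'dn': 'cn=sync-bot,ou=services,dc=example,dc=com',
        'changes': {'userPassword': (('{SSHA}old',), ('{SSHA}new',))},
    },
]


def demo():
    return apply_ignore_rules(SAMPLE_MODIFICATIONS)


if __name__ == '__main__':
    for mod in demo():
        print(mod['dn'], sorted(mod['changes']))
```

Only bob's record survives. The last sample record is the reason to keep IGNORED_UUIDS short: an entry on that list can have its password changed without a word, so service accounts that write to the directory belong there only if their own changes are audited elsewhere.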
Installation
1. Clone the repository or download the script.
2. Install dependencies:
```shell
pip install ldap3 requests
```
3. Run the script manually:
```shell
python3 ldap-watchdog.py
```
Alternatively, use the provided installation script (install.sh) to set up a systemd service:
```shell
sudo ./install.sh "https://hooks.slack.com/services/your-slack-webhook-url"
```
This installs the script as /usr/local/bin/ldap-watchdog.py, sets up logging at /var/log/ldap-watchdog.log, and configures log rotation. Note that a webhook URL passed on the command line ends up in the shell history and is visible in the process list while the installer runs.
Example Configuration
Below is a sample configuration file (os must be imported for the SLACK_WEBHOOK line to work):
```python
import os

CONTROL_UUID = 'a71c6e4c-8881-4a03-95bf-4fc25d5e6359'
LDAP_SERVER = 'ldaps://ldaps.intra.lan'
BASE_DN = 'dc=example,dc=com'
SEARCH_FILTER = '(&(objectClass=inetOrgPerson))'
REFRESH_RATE = 60
USE_SSL = True
DISABLE_COLOR_OUTPUT = False
SLACK_WEBHOOK = os.getenv('SLACK_WEBHOOK_URL')
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'gecos']
```
Usage
Once configured, run the script using:
```shell
python3 ldap-watchdog.py
```
The tool will continuously monitor the directory and output changes to both the terminal and Slack (if configured).
For automated execution, ensure the systemd service is enabled and started:
```shell
sudo systemctl enable ldap-watchdog.service
sudo systemctl start ldap-watchdog.service
```
Conclusion
LDAP Watchdog gives administrators a low-effort way to see what changes in their LDAP directories between polls. Its feature set, from Slack notifications to per-attribute and per-value ignore rules, makes it practical for corporate environments where directory writes are rare enough to review one by one.
Whether you are tracking HR updates or watching for unauthorized changes, LDAP Watchdog keeps the directory's activity in view. The tool is available on GitHub.