LDAP Watchdog: Real-Time LDAP Monitoring and Change Detection


LDAP Watchdog is a powerful Python-based tool designed for real-time monitoring of LDAP (Lightweight Directory Access Protocol) directories.

It tracks changes such as additions, modifications, and deletions in user and group entries, providing visibility into directory activity.

With its flexibility and integration capabilities, LDAP Watchdog is ideal for organizations using OpenLDAP on Linux, although it may work with other LDAP implementations.

Key Features

Real-Time Monitoring

LDAP Watchdog continuously monitors an LDAP directory, detecting changes in user and group entries as they happen. This ensures administrators are always aware of directory activities.

Change Comparison

The tool compares consecutive LDAP snapshots to identify:

  • Additions

  • Modifications

  • Deletions

Control User Verification

A control user mechanism verifies that monitoring itself is working: if the control user's changes are not detected, the tool raises an error.

Flexible Filtering

Administrators can customize LDAP filters using the SEARCH_FILTER parameter to focus on specific object classes or attributes.

Slack Integration

Notifications for directory changes can be sent directly to Slack via a webhook, enabling real-time alerts.

Customizable Output

Console output is clear and color-coded for easy identification of changes. Colored output can be disabled if needed.

Ignored Entries and Attributes

Specific UUIDs or attributes can be excluded from monitoring to avoid unnecessary alerts.

Conditional Ignored Attributes

Attributes can be ignored based on their old or new values, allowing fine-grained control over monitoring.

Use Cases

LDAP Watchdog is particularly useful for:

  • Tracking new hires, promotions, or employee departures.

  • Monitoring HR-related changes in the directory.

  • Detecting unauthorized changes or potential security incidents.

  • Identifying accidental data leaks.

  • Observing user login and logout activity.

Prerequisites

To use LDAP Watchdog, ensure the following requirements are met:

1. Python 3 installed on your system.

2. The ldap3 Python library (installable via pip install ldap3).

3. The requests library if Slack integration is enabled (pip install requests).

4. Access credentials for the LDAP server (if not using anonymous bind).

Configuration

General Settings

Key configuration parameters include:

  • LDAP_SERVER: URL of the LDAP server (e.g., ldaps://example.com).

  • BASE_DN: Base Distinguished Name for searches (e.g., dc=example,dc=com).

  • SEARCH_FILTER: LDAP filter that defines the scope of monitoring (e.g., (&(objectClass=inetOrgPerson))).

  • REFRESH_RATE: Interval (in seconds) between consecutive searches.

  • LDAP_USERNAME and LDAP_PASSWORD: Credentials for authentication (leave empty for anonymous bind).

  • USE_SSL: Set to True for SSL connections.

Slack Integration

To enable Slack notifications:

1. Obtain a Slack Webhook URL.

2. Set it as an environment variable (SLACK_WEBHOOK_URL) or directly in the configuration file.

Example Slack settings:

SLACK_WEBHOOK = os.getenv('SLACK_WEBHOOK_URL')
SLACK_BULLETPOINT = ' • '

Ignored Entries and Attributes

You can specify entries or attributes to ignore during monitoring:

IGNORED_UUIDS = ['uuid1', 'uuid2']
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'phoneNumber']

Conditional ignored attributes can also be defined:

CONDITIONAL_IGNORED_ATTRIBUTES = {
    'memberOf': ['cn=interns,dc=example,dc=com'],
    'organizationalStatus': ['researcher']
}

Installation

1. Clone the repository or download the script.

2. Install dependencies:

pip install ldap3 requests

3. Run the script manually:

python3 ldap-watchdog.py

Alternatively, use the provided installation script (install.sh) to set up a systemd service:

sudo ./install.sh "https://hooks.slack.com/services/your-slack-webhook-url"

This installs the script as /usr/local/bin/ldap-watchdog.py, sets up logging at /var/log/ldap-watchdog.log, and configures log rotation.

Example Configuration

Below is a sample configuration file:

CONTROL_UUID = 'a71c6e4c-8881-4a03-95bf-4fc25d5e6359'
LDAP_SERVER = 'ldaps://ldaps.intra.lan'
BASE_DN = 'dc=example,dc=com'
SEARCH_FILTER = '(&(objectClass=inetOrgPerson))'
REFRESH_RATE = 60
USE_SSL = True
DISABLE_COLOR_OUTPUT = False
SLACK_WEBHOOK = os.getenv('SLACK_WEBHOOK_URL')
IGNORED_ATTRIBUTES = ['modifyTimestamp', 'gecos']

Usage

Once configured, run the script using:

python3 ldap-watchdog.py

The tool will continuously monitor the directory and output changes to both the terminal and Slack (if configured).

For automated execution, ensure the systemd service is enabled:

sudo systemctl enable ldap-watchdog.service
sudo systemctl start ldap-watchdog.service

Conclusion

LDAP Watchdog is an essential tool for administrators seeking real-time insights into their LDAP directories. Its robust feature set—ranging from Slack integration to fine-grained filtering—makes it invaluable for monitoring corporate environments.

Whether you're tracking HR updates or detecting unauthorized changes, LDAP Watchdog ensures you stay informed and secure. You can learn more and download LDAP Watchdog on GitHub.
