Question

We have an slapd server that has started generating many err=49 lines in /var/log/ldap for a particular service acc. err=49 is logged when the bind has failed. Through searching for the connections I can see that the source is localhost.

I have checked that the acc is active using ldapsearch. I have tried grepping through /etc for the service acc name to see what could be using it, to no avail.

How can I identify the source of the ldap queries to help investigate the issue?


Solution

Instead of trying to work from a connection perspective I continued looking from a log perspective:

awk '/from IP=127.0.0.1/ {print substr($3,1,5)}' /var/log/ldap |sort -n|uniq -c

This showed hits on the hour, and searching cron.hourly found the suspect. My ideology of grepping for the username was flawed, based on the way the particular cron.hourly'ed script worked.
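An added example, not part of the original answer: it goes one step further than the one-liner by joining each connection's ACCEPT, BIND and RESULT lines on conn=N, so every err=49 is reported with its HH:MM bucket, source address and bind DN. The function names, hostnames, DNs and sample log lines are constructed, and it assumes the traditional syslog timestamp layout that the answer's substr($3,1,5) also relies on.

```shell
#!/bin/sh
# Constructed sample in the slapd syslog format; hosts, DNs and ports are made up.
sample_log() {
cat <<'EOF'
Mar  3 09:00:01 ldap1 slapd[812]: conn=1001 fd=12 ACCEPT from IP=127.0.0.1:45678 (IP=0.0.0.0:389)
Mar  3 09:00:01 ldap1 slapd[812]: conn=1001 op=0 BIND dn="uid=svc-app,ou=services,dc=example,dc=com" method=128
Mar  3 09:00:01 ldap1 slapd[812]: conn=1001 op=0 RESULT tag=97 err=49 text=
Mar  3 09:17:40 ldap1 slapd[812]: conn=1002 fd=13 ACCEPT from IP=127.0.0.1:45702 (IP=0.0.0.0:389)
Mar  3 09:17:40 ldap1 slapd[812]: conn=1002 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
Mar  3 09:17:40 ldap1 slapd[812]: conn=1002 op=0 RESULT tag=97 err=0 text=
Mar  3 09:30:12 ldap1 slapd[812]: conn=1003 fd=12 ACCEPT from IP=10.0.0.5:51344 (IP=0.0.0.0:389)
Mar  3 09:30:12 ldap1 slapd[812]: conn=1003 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Mar  3 09:30:12 ldap1 slapd[812]: conn=1003 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:01 ldap1 slapd[812]: conn=1004 fd=12 ACCEPT from IP=127.0.0.1:45810 (IP=0.0.0.0:389)
Mar  3 10:00:01 ldap1 slapd[812]: conn=1004 op=0 BIND dn="uid=svc-app,ou=services,dc=example,dc=com" method=128
Mar  3 10:00:01 ldap1 slapd[812]: conn=1004 op=0 RESULT tag=97 err=49 text=
Mar  3 10:00:02 ldap1 slapd[812]: conn=1005 fd=13 ACCEPT from IP=127.0.0.1:45812 (IP=0.0.0.0:389)
Mar  3 10:00:02 ldap1 slapd[812]: conn=1005 op=0 BIND dn="uid=svc-app,ou=services,dc=example,dc=com" method=128
Mar  3 10:00:02 ldap1 slapd[812]: conn=1005 op=0 RESULT tag=97 err=49 text=
EOF
}

# failed_binds [FILE...]: join ACCEPT, BIND and RESULT lines on conn=N and print
# "count<TAB>HH:MM<TAB>source IP<TAB>bind DN" for every bind that ended in err=49.
failed_binds() {
  awk '
    !match($0, /conn=[0-9]+/) { next }           # not a per-connection line
    { c = substr($0, RSTART, RLENGTH) }          # join key, e.g. conn=1001
    match($0, /from IP=[^ ]+/) {
      ip = substr($0, RSTART + 8, RLENGTH - 8)
      sub(/:[0-9]+$/, "", ip)                    # drop the ephemeral source port
      src[c] = ip; next
    }
    match($0, /BIND dn="[^"]*"/) {
      dn[c] = substr($0, RSTART + 9, RLENGTH - 10); next
    }
    / RESULT tag=97 err=49( |$)/ {               # tag=97 is a bind response
      n[substr($3, 1, 5) "\t" src[c] "\t" dn[c]]++
    }
    / closed/ { delete src[c]; delete dn[c] }    # conn numbers restart with slapd
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' "$@" | sort -t "$(printf '\t')" -k2,2 -k3,3
}

sample_log | failed_binds   # or: failed_binds /var/log/ldap
```

Failures from 127.0.0.1 that cluster on the same minute of every hour match the pattern the answer traced to cron.hourly, and the DN column shows which account the job binds as.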

Licensed under: CC-BY-SA with attribution