LDAP Unique Connections

So I have provided LDAP servers for our Web Team for a long time. We have bought some new Firewalls and we are going to transition from our old DMZ to the new DMZ.

I have a server dedicated to LDAP and before I bought a Load Balancer, the Web Team configured their apps to do LDAP calls directly to that server. So I needed to write a script to read ndstrace and produce a list of unique connections. I also thought it would help to produce a report with both the IPs and the names.

I read through the ndstrace file and found that both 389 (cleartext) and 636 (TLS) traffic produce connection lines:

^[[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:22.916] ^[[0;0mNew cleartext connection 0xda96380 from 10.1.3.73:50841, monitor = 0xc409a700, index = 8^[[0;0m


OR

^[[0;0m3293177600 LDAP: ^[[0;0m[2016/11/14 8:55:26.800] ^[[0;0mNew TLS connection 0xda96380 from 69.196.253.30:51842, monitor = 0xc409a700, index = 8^[[0;0m


I found this would parse the file and find either, and produce a list of IP addresses:

grep "New .* connection" $files | sed -r 's/^.* from //' | sed -r 's/:.*$//' | sort | uniq
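The same parsing step as a small shell script, added here as an example and not part of the original post or of eDirectory. It strips the ^[[0;0m colour codes first, picks the client address out of both the cleartext and the TLS connection lines, and goes one step beyond the pipeline above by reporting how many cleartext and TLS connections each client made, which is what you want to know before the cleartext clients are moved behind a new firewall. The trace lines inside it are constructed to match the two formats shown above, and it assumes a sed that accepts -E (GNU or BSD).

```shell
#!/bin/sh
# Added example: parse ndstrace LDAP connection lines into a per-client summary.
# Assumes a sed that accepts -E (GNU or BSD). The trace lines below are constructed
# to match the two formats shown in the post, not copied from a real server.
esc=$(printf '\033')   # the ESC byte behind the ^[[0;0m colour codes ndstrace emits

# Constructed sample trace: two cleartext connections from one client, one TLS
# connection from each of two others, and one unrelated line that must be ignored.
SAMPLE_TRACE=$(printf '%s\n' \
  "${esc}[0;0m3293177600 LDAP: ${esc}[0;0m[2016/11/14 8:55:22.916] ${esc}[0;0mNew cleartext connection 0xda96380 from 10.1.3.73:50841, monitor = 0xc409a700, index = 8${esc}[0;0m" \
  "${esc}[0;0m3293177600 LDAP: ${esc}[0;0m[2016/11/14 8:55:26.800] ${esc}[0;0mNew TLS connection 0xda96380 from 69.196.253.30:51842, monitor = 0xc409a700, index = 8${esc}[0;0m" \
  "${esc}[0;0m3293177600 LDAP: ${esc}[0;0m[2016/11/14 8:55:31.104] ${esc}[0;0mNew cleartext connection 0xda96380 from 10.1.3.73:50902, monitor = 0xc409a700, index = 8${esc}[0;0m" \
  "${esc}[0;0m3293177600 LDAP: ${esc}[0;0m[2016/11/14 8:55:31.230] ${esc}[0;0mConnection 0xda96380 closed (constructed filler line)${esc}[0;0m" \
  "${esc}[0;0m3293177600 LDAP: ${esc}[0;0m[2016/11/14 8:55:40.017] ${esc}[0;0mNew TLS connection 0xda96380 from 10.36.3.70:41000, monitor = 0xc409a700, index = 8${esc}[0;0m")

# Strip the colour codes, then emit "<cleartext|TLS> <client ip>" for every connection line.
ldap_connections() {
    sed "s/${esc}\[[0-9;]*m//g" \
    | sed -n -E 's/.*New (cleartext|TLS) connection .* from ([0-9.]+):[0-9]+,.*/\1 \2/p'
}

# Sorted unique client IPs: the same result as the grep|sed|sort|uniq pipeline above.
ldap_unique_ips() {
    ldap_connections | awk '{ print $2 }' | LC_ALL=C sort -u
}

# One line per client with how many cleartext and TLS connections it made, so the
# clients still binding over plain 389 stand out when the move to the new DMZ is planned.
ldap_unique_clients() {
    ldap_connections | LC_ALL=C sort | uniq -c \
    | awk '{ total[$3] += $1; count[$3 " " $2] = $1 }
           END { for (ip in total)
                     printf "%s cleartext=%d tls=%d\n", ip, count[ip " cleartext"] + 0, count[ip " TLS"] + 0 }' \
    | LC_ALL=C sort
}

# Demo on the constructed sample; on the server feed the real files instead:
#   cat /tmp/ndstrace*.log | ldap_unique_clients
printf '%s\n' "$SAMPLE_TRACE" | ldap_unique_clients
```

On the sample this prints one line per client, for example `10.1.3.73 cleartext=2 tls=0`; `ldap_unique_ips` gives the plain address list the post's pipeline produces. Only IPv4 addresses are matched, because that is the only form the trace lines above show.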


Then I needed to look up the server names for those IP addresses:

# $out2 is the report file; file.txt holds one IP address per line
while read -r LINE
do
    echo "Ldap connection from [$LINE]" >> "$out2"
    nslookup "$LINE" | grep name | cut -f 2 -d "=" | sed 's/ //' >> "$out2"
done < file.txt
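The name lookup above prints nothing for an address with no PTR record and one line per record when an address has several, which is why a report line can end up with no name or with two. The small script below is an added example, not code from the original post, that turns raw nslookup output into a single name column and handles both cases. It assumes a BIND-style nslookup whose reverse answers look like "<reversed ip>.in-addr.arpa  name = <host>."; the three sample outputs inside it are constructed.

```shell
#!/bin/sh
# Added example: build the name column of the report from `nslookup <ip>` output,
# handling an address with no PTR record and an address with several records.
# Assumes BIND-style nslookup output; the sample outputs below are constructed.

# Names from one nslookup run, joined with commas, or "no-PTR" if nothing resolved.
ptr_names() {
    names=$(sed -n -E 's/.*[[:space:]]name = ([^[:space:]]+).*/\1/p' | paste -s -d, -)
    if [ -n "$names" ]; then
        printf '%s\n' "$names"
    else
        printf 'no-PTR\n'
    fi
}

# One report line per address, in the same form the post's script writes it.
# On the server:  while read -r ip; do report_line "$ip"; done < "$out"
report_line() {
    printf 'Ldap connection from [%s] %s\n' "$1" "$(nslookup "$1" 2>/dev/null | ptr_names)"
}

# Constructed nslookup outputs used to exercise ptr_names without a network.
SAMPLE_PTR_ONE=$(printf '70.3.36.10.in-addr.arpa\tname = p-r-lamp-01.davenport.edu.\n')
SAMPLE_PTR_TWO=$(printf '30.253.196.69.in-addr.arpa\tname = host-a.example.net.\n30.253.196.69.in-addr.arpa\tname = host-b.example.net.\n')
SAMPLE_PTR_NONE="** server can't find 73.3.1.10.in-addr.arpa: NXDOMAIN"

# Demo: the three cases side by side.
for sample in "$SAMPLE_PTR_ONE" "$SAMPLE_PTR_TWO" "$SAMPLE_PTR_NONE"; do
    printf '%s\n' "$sample" | ptr_names
done
```

With this in place an address that does not resolve is still listed, marked no-PTR, instead of appearing in the report as a bare IP with nothing after it.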


So to put this all together I wanted the script to stop ndstrace, run the two items above, email the results, and restart ndstrace. Here is the shell script I wrote:

#!/bin/sh
datesimp=$(date +%F)
files=/tmp/ndstrace*.log
out=/root/bin/result.$datesimp
out2=/root/bin/name.$datesimp
rm -f "$out" "$out2"
# Unload ndstrace so the log files are complete before they are read
/opt/novell/eDirectory/bin/ndstrace -u
# Unique client IPs from both the cleartext (389) and TLS (636) connection lines
grep "New .* connection" $files | sed -r 's/^.* from //' | sed -r 's/:.*$//' | sort | uniq > "$out"
echo "These are services that are configured to connect directly to DULAP.abc.com" > "$out2"
# Reverse-resolve each address and append the name to the report
while read -r LINE
do
    echo "Ldap connection from [$LINE]" >> "$out2"
    nslookup "$LINE" | grep name | cut -f 2 -d "=" | sed 's/ //' >> "$out2"
done < "$out"
echo "Connections to Dulap Directly See Attachment" | mail -s "DULAP Connections" -a "$out2" -r abc@abc.com abc@abc.com,def@abc.com
# Restart ndstrace with the same LDAP tracing settings as before
/opt/novell/eDirectory/bin/ndstrace -l > /tmp/ndstrace.log &
/opt/novell/eDirectory/bin/ndstrace -c 'set dstrace=nodebug'
/opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=FILE ON'
/opt/novell/eDirectory/bin/ndstrace -c 'set ndstrace=*R'
/opt/novell/eDirectory/bin/ndstrace -c 'dstrace time tags ldap'


Here is a report it produced:

These are services that are configured to connect directly to DULAP.davenport.edu
Ldap connection from [10.36.3.70]
p-r-lamp-01.davenport.edu.
Ldap connection from [66.202.198.23]
p-r-ssos-01.davenport.edu.
Ldap connection from [69.196.253.30]
eth0-0-fw3-1-ap-r137-3-va3.blackboard.com.
eth0-0-fw3-1-ap-r137-3-va3.mhint.



I hope you find this helpful and that it saves you the time it took me to write it. You must stop ndstrace when you no longer need to trace; the command "ndstrace -u" ends the process. After I wrote the script I set up cron to run it every day.
