ncalligaro Absent Member.
Absent Member.
314 views

Audit: Login events


Hi,

I was searching for login events to eDirectory when I saw that there
are two type of events, one is "Login" (with ID 000B0301) and the other
one is "Allow Login" (with ID 000B0351). The first one seems to be the
real login event that the user produced. The other one is some sort of
"the server allowing the user to login". I was wondering if this two
events always come together, which would make the two events redundant,
and if there's any situation in which the user would be able to login
but the server wouldn't allowed it...

Regards!


--
ncalligaro
------------------------------------------------------------------------
ncalligaro's Profile: http://forums.novell.com/member.php?userid=692
View this thread: http://forums.novell.com/showthread.php?t=452826

Labels (1)
0 Likes
4 Replies
ataubman Absent Member.
Absent Member.

Re: Audit: Login events


Without looking into it I would suspect the second is telling whether
the server has login enabled at all - on NetWare servers you could
simply disable login while letting eDir still work server-to-server as
normal (I don't believe that facility exists on other platforms). I
expect that event is there to allow the auditor to determine why there
are no user connections to a given server, for instance.


--
Andrew C Taubman
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
------------------------------------------------------------------------
ataubman's Profile: http://forums.novell.com/member.php?userid=34
View this thread: http://forums.novell.com/showthread.php?t=452826


Andrew C Taubman (Sorry, support is not provided via e-mail) Opinions expressed above are not necessarily those of Micro Focus.
0 Likes
ataubman Absent Member.
Absent Member.

Re: Audit: Login events


Well that was almost completely wrong 🙂 Here's the truth:

000B0351
Allow Login
A user has been allowed to log in to eDirectory. The Login Time
Restrictions attribute (on some eDirectory object types) is checked at
the top (hh:00) and bottom (hh:30) of every hour to validate all
authenticated connections. An object's connection is invalidated if that
object is not configured to have access during the next 30-minute
segment.
IMPORTANT:This event is implemented only in eDirectory for NetWare.
A NetWare server validates its authenticated connections every 30
minutes. This event is triggered once for each authenticated connection
per half hour.


--
Andrew C Taubman
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
------------------------------------------------------------------------
ataubman's Profile: http://forums.novell.com/member.php?userid=34
View this thread: http://forums.novell.com/showthread.php?t=452826


Andrew C Taubman (Sorry, support is not provided via e-mail) Opinions expressed above are not necessarily those of Micro Focus.
0 Likes
ncalligaro Absent Member.
Absent Member.

Re: Audit: Login events


ataubman;2178671 Wrote:
> Well that was almost completely wrong 🙂 Here's the truth:
>
> 000B0351
> Allow Login
> A user has been allowed to log in to eDirectory. The Login Time
> Restrictions attribute (on some eDirectory object types) is checked at
> the top (hh:00) and bottom (hh:30) of every hour to validate all
> authenticated connections. An object's connection is invalidated if that
> object is not configured to have access during the next 30-minute
> segment.
> IMPORTANT:This event is implemented only in eDirectory for NetWare.
> A NetWare server validates its authenticated connections every 30
> minutes. This event is triggered once for each authenticated connection
> per half hour.



Thanks for the feedback! What you say makes sense, although I've seen
this events ocurring on a OES 2 server (Linux based) and it doesn't seem
to occur on hh:00 or hh:30 or even every 30 minutes. The following are
the timestamps of this events for a particular user:

19:14:12
20:26:53
21:36:06
(Next day. User logins at 3:21)
6:51:02
7:27:24
15:42:48
18:44:25
22:26:35
23:49:16
(Next day, it seems user has never logged off)
3:43:32
4:28:58

Any ideas?


--
ncalligaro
------------------------------------------------------------------------
ncalligaro's Profile: http://forums.novell.com/member.php?userid=692
View this thread: http://forums.novell.com/showthread.php?t=452826

0 Likes
ataubman Absent Member.
Absent Member.

Re: Audit: Login events


The Login Allowed time is the time the user was allowed to log in, not
the time it was checked (and passed). What it's saying is that eDir
checks logged in users every half an hour to ensure that a Login Time
Restriction has not recently (ie in the last half hour) been added to
that user object. Since that hasn't happened here, the events you list
are just logins. I would expect the timing, around every hour - hour and
a half, is related to an inactivity-based disconnection on the
workstation - that is, the user's session is disconnected when the PC
goes to sleep, when awoken it auto-reconnects and we see this event
recorded as there is not time restriction on the user object.


--
Andrew C Taubman
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
------------------------------------------------------------------------
ataubman's Profile: http://forums.novell.com/member.php?userid=34
View this thread: http://forums.novell.com/showthread.php?t=452826


Andrew C Taubman (Sorry, support is not provided via e-mail) Opinions expressed above are not necessarily those of Micro Focus.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.