LDAP Watchdog: monitor record changes in an LDAP directory in real-time

LDAP Watchdog

LDAP Watchdog is a tool designed to monitor and record changes in an LDAP directory in real time. It provides a mechanism to track and visualize modifications, additions, and removals of user and group entries, allowing users to correlate expected changes with actual changes and identify potential security incidents. It was created with OpenLDAP and Linux in mind, although it may work with other LDAP implementations. It is written in Python and only requires the ldap3 library.

If you’re interested in any of the following, then LDAP Watchdog is for you:

  • Know what’s going on in your LDAP directory on-demand with Slack webhook integration.
  • See new hires, leavers, and promotions as they appear in LDAP.
  • Monitor when and what HR is doing.
  • Detect unauthorized changes in LDAP.
  • Monitor for accidentally leaked data.
  • Detect when users are logging in and out of LDAP.

In addition to monitoring for modifications, additions, and removals in an LDAP directory, it can be configured to ignore specific attributes entirely, or fine-tuned to ignore individual attribute changes conditionally, depending on their old and new values.

The changes that are monitored can be forwarded to a Slack webhook, output to the terminal, or both. Optional colored output is also supported.

This project was previously named LDAP-Stalker (because monitoring changes in an LDAP directory is an excellent way to stalk changes in a company: learn about promotions before they’re announced, new hires, leavers, etc.). A blog post about the details and history of this project can be found here.

Features

  1. Real-time Monitoring: LDAP Watchdog continuously monitors an LDAP directory for changes in user and group entries.

  2. Change Comparison: The tool compares changes between consecutive LDAP searches, highlighting additions, modifications, and deletions.

  3. Control User Verification: LDAP Watchdog supports a control user mechanism, triggering an error if the control user’s changes are not found.

  4. Flexible LDAP Filtering: Users can customize LDAP filtering using the SEARCH_FILTER parameter to focus on specific object classes or attributes.

  5. Slack Integration: Receive real-time notifications on Slack for added, modified, or deleted LDAP entries.

  6. Customizable Output: Console output provides clear and colored indications of additions, modifications, and deletions for easy visibility.

  7. Ignored Entries and Attributes: Users can specify UUIDs and attributes to be ignored during the comparison process.

  8. Conditional Ignored Attributes: Conditional filtering allows users to ignore specific attributes based on change type (additions, modifications, deletions).
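The following is an added illustration of the comparison logic described in features 2, 7 and 8 (it is not LDAP Watchdog's own code). It takes two directory snapshots keyed by entryUUID, as consecutive ldap3 searches would produce, and reports added, deleted and modified entries while honouring an ignored-UUID list, an ignored-attribute list, and a conditional ignore that looks at the change type and the old and new values. The snapshots, UUID strings, the sync-account UUID and the description clean-up rule are all constructed for the example; only entryUUID, modifyTimestamp and entryCSN are real OpenLDAP attribute names.

```python
from typing import Callable, Dict, List

# attribute name -> list of values, the shape ldap3 returns for an entry
Entry = Dict[str, List[str]]
# entryUUID -> entry; entryUUID is the stable operational key OpenLDAP assigns
Snapshot = Dict[str, Entry]

# Constructed: an automated sync account whose churn is never interesting
IGNORED_UUIDS = {"uuid-sync"}

# Operational attributes that change on every write and carry no signal alone
IGNORED_ATTRIBUTES = {"modifyTimestamp", "entryCSN"}

# attribute -> predicate(change_type, old_values, new_values) -> True to ignore.
# change_type is "added", "modified" or "deleted" for that attribute in an entry.
ConditionalIgnore = Callable[[str, List[str], List[str]], bool]


def _ignore_description_cleanup(change_type: str, old: List[str], new: List[str]) -> bool:
    # Constructed rule: removing a blank or "N/A" description is noise,
    # but any other description change (including new text) is reported.
    return change_type == "deleted" and all(v.strip() in ("", "N/A") for v in old)


CONDITIONAL_IGNORES: Dict[str, ConditionalIgnore] = {"description": _ignore_description_cleanup}


def diff_entry(old: Entry, new: Entry) -> List[dict]:
    """Return the attribute-level changes between two versions of one entry."""
    changes = []
    for attr in sorted(set(old) | set(new)):
        if attr in IGNORED_ATTRIBUTES:
            continue
        old_vals, new_vals = old.get(attr, []), new.get(attr, [])
        if sorted(old_vals) == sorted(new_vals):  # multi-valued attrs are unordered
            continue
        change_type = "added" if attr not in old else "deleted" if attr not in new else "modified"
        rule = CONDITIONAL_IGNORES.get(attr)
        if rule and rule(change_type, old_vals, new_vals):
            continue
        changes.append({"attribute": attr, "type": change_type, "old": old_vals, "new": new_vals})
    return changes


def diff_snapshots(previous: Snapshot, current: Snapshot) -> dict:
    """Compare two consecutive searches; entries are matched by entryUUID, not DN."""
    result = {"added": [], "deleted": [], "modified": {}}
    for uuid in sorted(set(previous) | set(current)):
        if uuid in IGNORED_UUIDS:
            continue
        if uuid not in previous:
            result["added"].append(uuid)
        elif uuid not in current:
            result["deleted"].append(uuid)
        else:
            changes = diff_entry(previous[uuid], current[uuid])
            if changes:
                result["modified"][uuid] = changes
    return result


def control_user_seen(result: dict, control_uuid: str) -> bool:
    """Liveness check: the control user is expected to change between every two searches."""
    return control_uuid in result["modified"]


def format_report(previous: Snapshot, current: Snapshot, result: dict) -> List[str]:
    """Render the diff as terminal lines: '+' added, '-' deleted, '~' modified attribute."""
    lines = [f"+ {current[u]['dn'][0]}" for u in result["added"]]
    lines += [f"- {previous[u]['dn'][0]}" for u in result["deleted"]]
    for uuid, changes in result["modified"].items():
        for c in changes:
            lines.append(f"~ {current[uuid]['dn'][0]} {c['attribute']}: {c['old']} -> {c['new']}")
    return lines


# Constructed sample snapshots standing in for two consecutive ldap3 searches
PREVIOUS: Snapshot = {
    "uuid-alice": {"dn": ["uid=alice,ou=people,dc=example,dc=org"], "memberOf": ["cn=staff"], "modifyTimestamp": ["20240101000000Z"]},
    "uuid-bob": {"dn": ["uid=bob,ou=people,dc=example,dc=org"], "title": ["Engineer"], "description": ["N/A"]},
    "uuid-carol": {"dn": ["uid=carol,ou=people,dc=example,dc=org"]},
    "uuid-control": {"dn": ["uid=watchdog,ou=people,dc=example,dc=org"], "description": ["tick 1"]},
    "uuid-sync": {"dn": ["uid=sync,ou=people,dc=example,dc=org"], "modifyTimestamp": ["20240101000000Z"]},
}
CURRENT: Snapshot = {
    "uuid-alice": {"dn": ["uid=alice,ou=people,dc=example,dc=org"], "memberOf": ["cn=admins", "cn=staff"], "modifyTimestamp": ["20240101000100Z"]},
    "uuid-bob": {"dn": ["uid=bob,ou=people,dc=example,dc=org"], "title": ["Senior Engineer"]},
    "uuid-dave": {"dn": ["uid=dave,ou=people,dc=example,dc=org"]},
    "uuid-control": {"dn": ["uid=watchdog,ou=people,dc=example,dc=org"], "description": ["tick 2"]},
    "uuid-sync": {"dn": ["uid=sync,ou=people,dc=example,dc=org"], "modifyTimestamp": ["20240101000100Z"]},
}


def run_example() -> dict:
    return diff_snapshots(PREVIOUS, CURRENT)


if __name__ == "__main__":
    report = run_example()
    print("\n".join(format_report(PREVIOUS, CURRENT, report)))
    if not control_user_seen(report, "uuid-control"):
        raise SystemExit("control user did not change: search results may be stale")
```

Matching on entryUUID rather than DN is what lets a rename (modrdn) show up as a modification instead of a spurious delete plus add, and comparing multi-valued attributes as sorted lists avoids reporting reorderings that the server is free to make. The control-user check is the watchdog's own liveness test: if the account that is known to change every cycle shows no change, the search itself is suspect.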

Install & Use

Copyright (C) 2024 MegaManSec