Catching successful and unsuccessful LDAP searches

[acharseth]

With LDAP logging turned on I can see a Operation: Search - Base DN:.... log event when a non registered user tries to log on.
I would like to catch and log this event myself but I can't make it work. I have tried adding the following toEventServiceProvider $listen array:

\LdapRecord\Query\Events\Search::class => [
            \App\Listeners\LogActivityListener::class.'@ldapSearch',
        ],
\LdapRecord\Query\Events\QueryExecuted::class => [
    \App\Listeners\LogActivityListener::class.'@ldapQueryExecuted',
],

... and added corresponding methods into LogActivityListener.
But non of them seem to be triggered.
May be because the search did not succeed in this case but it is the same with a registered user and successful login. The search does not trigger these events?

What am I doing wrong?

I also notice that the search event log is rather cryptic:
When trying to log in with the non existing user 't654321' the log says:

Operation: Search - Base DN: ou=users,dc=something,dc=no - Filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)... (samaccountname=\74\36\35\34\33\32\31)(!(objectclass=\63\6f\...))) - Selected: (objectguid,*) - Time Elapsed: 79.33

Why all these hex values (which for amaccountname translates to 't654321')? Something I can configure to get it in plain text instead of hex?

[stevebauman]

Hi @acharseth,

Those events you're attempting to watch on are from the native core LdapRecord framework, which requires you to register your listeners from it's event dispatcher and not Laravel's event dispatcher. This is because the core LdapRecord framework doesn't require the use of Laravel (or any framework for that matter).

Here are docs on how to register listeners for core LdapRecord events:

https://ldaprecord.com/docs/core/v3/events/#registering-listeners

use LdapRecord\Container;
use \LdapRecord\Query\Events\Search;

$dispatcher = Container::getDispatcher();

$dispatcher->listen(Search::class, function (Search $event) {
    // ...
});

To tell which events can be listened for in Laravel, the events will reside underneath the LdapRecord\Laravel namespace, whereas the core LdapRecord framework events do not reside under the Laravel namespace.

Also, the QueryExecuted event itself cannot currently be used to watch on, as it's an abstract class that the query events extend from. I'm working on changes to make this possible though, but for now if you'd like to register a single listener for all core LdapRecord query events, you must use a wildcard (*):

use LdapRecord\Container;

$dispatcher = Container::getDispatcher();

// Listen for all query events.
$dispatcher->listen('LdapRecord\Query\Events\*', function ($eventName, array $data) {
    // Returns 'LdapRecord\Models\Events\Search'
    echo $eventName;

    // Returns [0] => (object) LdapRecord\Query\Events\Search;
    var_dump($data);
});

[stevebauman]

Why all these hex values (which for amaccountname translates to 't654321')? Something I can configure to get it in plain text instead of hex?

This is because LdapRecord escapes all values in the query builder into their hexadecimal equivalent, preventing input from breaking out the LDAP filter and returning results that were not intended (security risk, similar to SQL injection):

https://ldaprecord.com/docs/core/v3/searching#introduction

The log is displaying the actual query filter sent to your LDAP server. To output the unescaped filter would not be a true representation of what was sent.

If retrieve unescaped query, you will have to implement your own even listener for query events and retrieve the unescaped query:

$dispatcher = Container::getDispatcher();

$dispatcher->listen(Search::class, function (Search $event) {
    echo $event->getQuery()->getUnescapedQuery();
});

[acharseth]

For more elaborate information on how I implemented listen and log LdapRecord Core events:

config/app.php - 'providers', added:

App\Providers\LdapCoreServiceProvider::class,

LdapCoreServiceProvider:

namespace App\Providers;

use Illuminate\Support\ServiceProvider;
use App\Services\LogType;
use app\Services\MyLog;
use LdapRecord\Models\ActiveDirectory\User as LdapUser;
use LdapRecord\Auth\Events\Attempting;
use LdapRecord\Auth\Events\Binding;
use LdapRecord\Auth\Events\Passed;
use LdapRecord\Auth\Events\Failed;
use LdapRecord\Auth\Events\Bound;

class LdapCoreServiceProvider extends ServiceProvider
{
    /**
     * Register services.
     */
    public function register(): void
    {
       $dispatcher = \LdapRecord\Container::getDispatcher();
       
       $dispatcher->listen(Attempting::class, function ($event) {    
           $userid=LdapUser::find($event->getUsername())->samaccountname[0]; 
           MyLog::uaUidLog(LogType::Info, get_class($event), $userid, "Ldap autentiseringsforsøk");
        });
       
       $dispatcher->listen(Binding::class, function ($event) {    
           $userid=LdapUser::find($event->getUsername())->samaccountname[0]; 
           MyLog::uaUidLog(LogType::Info, get_class($event), $userid, "Ldap binding");
        });
       
       $dispatcher->listen(Passed::class, function ($event) {    
           $userid=LdapUser::find($event->getUsername())->samaccountname[0]; 
           MyLog::uaUidLog(LogType::Info, get_class($event), $userid, "Ldap autentisert");
        });
       
       $dispatcher->listen(Failed::class, function ($event) {    
           $userid=LdapUser::find($event->getUsername())->samaccountname[0]; 
           MyLog::uaUidLog(LogType::Alert, get_class($event), $userid, "Ldap autentisering feilet!");
        });
       
       $dispatcher->listen(Bound::class, function ($event) {    
           $userid=LdapUser::find($event->getUsername())->samaccountname[0]; 
           MyLog::uaUidLog(LogType::Info, get_class($event), $userid, "Ldap bound");
        });    
    }

    /**
     * Bootstrap services.
     */
    public function boot(): void
    {
        //
    }
}