I have noticed that most of the events collected from eDirectory display a
source address of 0.0.0.0:

message: User .admin.domain(Class: User) (using null password: No)
logged in (NDS Login: Yes) from 0.0.0.0 to server
..server.server.system.domain

I have noticed in the logs that the S flag is missing or is set to
0.0.0.0:

s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""2315771""
O=""eDirInst\Object"" L=""7"" G=""0100E941"" R=""10.1.0.124""
C=""2013-10-30 10:29:42"" B="".server.server.system.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y=""user.domain""
S=""0.0.0.0"" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0"" M=""0""
E="""" D=""""

However, if the source IP address is on the same VLAN as the eDirectory
server (VLAN 10), the IP address is passed on:

s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""2315773""
O=""eDirInst\Object"" L=""7"" G=""00000000"" R=""10.1.0.124""
C=""2013-10-30 10:29:43"" B="".user.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y="".user.domain""
S=""10.8.1.103"" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0""
M=""0"" E="""" D=""""

I assume it's some LDAP or eDirectory setting on the eDirectory server
that has to be changed?

Many thanks


--
malkorkslx