I have noticed that most of the events collected from eDirectory display a
source address of

message: User .admin.domain(Class: User) (using null password: No)
logged in (NDS Login: Yes) from to server

I have noticed in the logs that it misses the S flag or it's set to

s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""2315771""
O=""eDirInst\Object"" L=""7"" G=""0100E941"" R=""""
C=""2013-10-30 10:29:42"" B="".server.server.system.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y=""user.domain""
S="""" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0"" M=""0""
E="""" D=""""

However, if the source IP address is on the same VLAN as the eDirectory
server (VLAN 10), the IP address is passed on....

s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""2315773""
O=""eDirInst\Object"" L=""7"" G=""00000000"" R=""""
C=""2013-10-30 10:29:43"" B="".user.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y="".user.domain""
S="""" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0""
M=""0"" E="""" D=""""

I assume it's some LDAP or eDirectory setting on the eDirectory server
that has to be changed?

Many thanks

malkorkslx's Profile: https://forums.netiq.com/member.php?userid=2711
View this thread: https://forums.netiq.com/showthread.php?t=49092
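
An added example, not part of the original post: a small parser for the s_raw_message2 records quoted above that lists the events whose S field (the one the post identifies as carrying the source address) is empty or absent. The second sample record and its S value are constructed for illustration, and the format of a populated S value is an assumption.

```python
import re

# KEY=""value"" pairs; the doubled quotes come from the CSV-style export.
PAIR = re.compile(r'(\w+)=""(.*?)""(?=\s|$)')


def parse_event(raw):
    """Split one s_raw_message2 record into a dict of its fields."""
    flat = " ".join(raw.split())  # records wrap across several lines
    return dict(PAIR.findall(flat))


def missing_source(events):
    """Return the parsed events whose S field is absent or empty."""
    parsed = [parse_event(e) for e in events]
    return [p for p in parsed if not p.get("S", "").strip()]


# Record 1: copied from the post (S is empty).
# Record 2: constructed; Q and S are placeholders, and the S format
# (a dotted address from the documentation range) is an assumption.
SAMPLE = [
    r'''s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""2315771""
O=""eDirInst\Object"" L=""7"" G=""0100E941"" R=""""
C=""2013-10-30 10:29:42"" B="".server.server.system.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y=""user.domain""
S="""" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0"" M=""0""
E="""" D=""""''',
    r'''s_raw_message2 I=""000B0301"" A=""000B"" N=""523A0B78"" Q=""9000001""
O=""eDirInst\Object"" L=""7"" G=""00000000"" R=""""
C=""2013-10-30 10:29:43"" B="".user.domain"" H=""2""
U="".server.server.system.domain"" V=""2"" Y="".user.domain""
S=""192.0.2.15"" T=""User"" F=""LSHTM"" 1=""0"" 2=""1"" 3=""0""
M=""0"" E="""" D=""""''',
]

if __name__ == "__main__":
    for ev in missing_source(SAMPLE):
        print(ev["C"], ev["Q"], ev["Y"], "-> no source address (S empty)")
```

Running this over an export and grouping the result by client subnet shows whether the empty S values line up with logins from outside the server's VLAN, as the post describes.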