Monitoring Active Directory accounts with HP BAC

Lately we’ve had an annoying problem of an Active Directory (AD) account that is used for our HP Business Process Monitor (BPM) scripts getting locked at random times. Because it’s an intermittent problem, it’s hard to track down where the request is coming form.

I wasn’t getting alerted straight away of login failure because of how slowly the AD replication works at the site I was on. The account will keep on working for most BPM’s for up to a day after the original failure and alerts don’t get sent out until it’s too late to check the domain controller logs for the original lock.

One of the Active Directory sysadmins sent me a Microsoft program called lockoutstatus.exe. This tool queries the domain controllers and reports on if the account is locked out and for how long it has been locked out. Unfortunatly this only lets you check the problem re-actively instead of proactively. So I thought that maybe we could monitor the lockout status by using a BPM, recorded in the LDAP recording protocol.

Recording lockoutstatus.exe showed many hits other DCs as well as additional search functions, but we’re just interested in the bind (mldap_logon_ex function) and the search query (mldap_search_ex function). The “SaveAsParam=True” in the mldap_search_ex function saves the LDAP directory entries as parameters, the one that we’re interested in is {mldap_attribute_lockoutTime_1}.

This attribute is the amount in seconds since the account was locked. So if its not 0 we can fail the transaction and have BAC alert on this. We had some spare transactions in our BAC prod environment, while we worked out the problem, but this might be able to be deployed as a SiteScope VuGen script too if you have a stand alone SiteScope server and are short on BPM licenses.

Here is the code I used:

You will need to put these lines into your globals.h file if you’re creating a script from scratch (this will be done automatically if you do a record using LDAP protocol script):

#include "mic_mldap.h"
MLDAP mldap1;

Put this code into your Action.c or main block and modify the lr_save_string parameters to suit your environment:

      int Locktime;

      lr_start_transaction("LDAP Login and search");

	  lr_save_string("myaccount", "LDAPUser");  // AD account that's authorised to search AD
	  lr_save_string(lr_decrypt("4fc861406e270d5297cb2c4097f8"), "LDAPPass"); // Password for account
	  lr_save_string("", "DCmachine"); // FQDN of the domain controller
	  lr_save_string("lockoutaccount", "SearchUser");  // Account that's being monitored for lockout
	  lr_save_string("", "SearchUserDomain");  // Domain for the account that's being monitored for lockout

      mldap1 = 0;

	// Logon to Active Directory or LDAP

	// Execute seach

                      "Base=CN={SearchUser},OU=Service Accounts,OU=Security Principles,DC={SearchUserDomain},DC"

      lr_end_transaction("LDAP Login and search", LR_AUTO);
      lr_start_transaction("Account not locked");

      Locktime = atoi(lr_eval_string("{mldap_attribute_lockoutTime_1}"));

      if (Locktime != 0) {
                       lr_output_message("\n\n Account is locked out \n\n");
                       lr_fail_trans_with_error("Account locked out for %s seconds", lr_eval_string("{mldap_attribute_lockoutTime_1}"));

      lr_end_transaction("Account not locked", LR_AUTO);

	  /* you can put this part outside of the transaction block to save yourself a transaction
	     because we don't care too much if it doesn't logoff gracefully  */

      return 0;

You can gather a large amount of useful information from Active directory using the LDAP protocol. Some other possible applications for the LDAP protocol in VuGen are:

  • monitor accounts which need to have their passwords changed a few weeks beforehand
  • monitor password resets of sensitive accounts
  • generating reports from active directory