When using LDAP authentication, with audit logging enabled, if user attempts logging in with incorrect id/pwd, though the FORBIDDEN status is captured in audit index, along with all other attributes (content, action, path, type, etc), the audit record does not capture the actual userid itself which was attempting to perform the action. So if anyone tries to generate report using this audit index, we wont have the actual user to investigate against.
If we enable info mode, for successful request, user id is captured. But for failed request, user id is still not captured.
As part of the audit information, the actual user id should be captured for LDAP authentication and made available on the ROR audit index.
I somehow vaguely recall reporting this in version 1.16.x also (may be as passing comment in another thread). But I see this behavior in 1.18.7 as well. Hence opened a new thread.
Please let me know if you need any further details.