Hi All,
I would appreciate it if someone could give me some insight into the following issue:
I have a standalone openldap 2.4.26 setup. We would like to use the accesslog overlay for auditing. I have enabled the accesslog overlay with olcAccessLogOps = all. This writes all groups of operations (writes, reads, session) to cn=accesslog without issues. We would also like to make use of the memberof overlay. The issue we're seeing is that once you enable the memberof overlay, only search, unbind, add operations are logged to accesslog. We do not see delete, modify, modrdn values logged. If I then change the logops to "olcAccessLogOps = add delete modify modrdn" we see those operations logged, but no bind, search, unbind operations (i.e. no reads or session).
Is this a limitation of using these two overlays together, or am I completely missing something?
Here is the configuration output:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
structuralObjectClass: olcDatabaseConfig
entryUUID: 174cbd2c-bbe1-1033-97e1-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
entryCSN: 20140819113832.018426Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819113832Z

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: 174cc498-bbe1-1033-97e2-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
olcAccess: {0}to * by * manage
entryCSN: 20140819153732.253785Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819153732Z

dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=novell,dc=com
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to * by * read
olcRootDN: cn=admin,dc=novell,dc=com
olcRootPW:: e1NTSEF9eTUrcGVLRmtBSlY4aytQUVJZOVVDTzByN1FwV1RrbENSZz09
olcDbCacheSize: 10000
olcDbCheckpoint: 1024 5
olcDbConfig: {0}set_cachesize 0 15000000 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {4}set_lk_max_locks 30000
olcDbConfig: {5}set_lk_max_objects 30000
olcDbIDLcacheSize: 30000
olcDbIndex: objectclass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: member eq
olcDbIndex: memberUid eq
olcDbIndex: mail eq
olcDbIndex: cn eq,sub
olcDbIndex: displayName eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
structuralObjectClass: olcBdbConfig
entryUUID: 174ccbbe-bbe1-1033-97e3-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
entryCSN: 20140819114039.896372Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819114039Z

dn: olcOverlay={0}accesslog,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcAccessLogDB: cn=accesslog
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig
entryUUID: 827deb2a-bbe1-1033-8b97-93a12773fffb
creatorsName: cn=config
createTimestamp: 20140819114131Z
olcOverlay: {0}accesslog
olcAccessLogOps: writes
entryCSN: 20140819154607.969610Z#000000#000#000000
modifiersName: cn=admin,dc=novell,dc=com
modifyTimestamp: 20140819154607Z

dn: olcOverlay={1}refint,olcDatabase={1}bdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
structuralObjectClass: olcRefintConfig
entryUUID: e5b204be-bbfb-1033-9b62-8fa7905953f2
creatorsName: cn=config
createTimestamp: 20140819145025Z
entryCSN: 20140819145025.207784Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819145025Z

dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=novell,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
structuralObjectClass: olcBdbConfig
entryUUID: 827bc75a-bbe1-1033-8b95-93a12773fffb
creatorsName: cn=config
createTimestamp: 20140819114131Z
entryCSN: 20140819114131.842907Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819114131Z
Regards, Jan Prinsloo
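A quick way to confirm which operation types really reach cn=accesslog after an overlay change is to count the reqType values in the log. The script below is an added example, not code from this thread or from OpenLDAP: it parses the LDIF that a search such as `ldapsearch -LLL -b cn=accesslog reqType` prints, expands the configured logops value using the groups slapo-accesslog(5) defines (writes, reads, session, all), and reports the configured types that never appear. The LDIF sample is constructed to mirror the symptom described above.

```python
"""Compare the reqType values seen in cn=accesslog with the configured logops."""
from collections import Counter

# Operation groups as defined in slapo-accesslog(5).
LOGOPS_GROUPS = {
    "writes": {"add", "delete", "modify", "modrdn"},
    "reads": {"compare", "search"},
    "session": {"abandon", "bind", "unbind"},
}
LOGOPS_GROUPS["all"] = set().union(*LOGOPS_GROUPS.values())


def expected_ops(logops):
    """Expand a logops setting such as 'all' or 'add delete modify modrdn'."""
    ops = set()
    for word in logops.split():
        ops |= LOGOPS_GROUPS.get(word, {word})  # a bare op name stands for itself
    return ops


def count_req_types(ldif_text):
    """Count reqType values in ldapsearch LDIF output (one block per log entry)."""
    counts = Counter()
    for line in ldif_text.splitlines():
        if line.startswith("reqType:"):
            counts[line.split(":", 1)[1].strip()] += 1
    return counts


def missing_ops(logops, ldif_text):
    """Return the configured operation types that never show up in the log."""
    return sorted(expected_ops(logops) - set(count_req_types(ldif_text)))


# Constructed sample: with logops "all" only search, add and unbind were logged.
SAMPLE_LDIF = """\
dn: reqStart=20140819114200.000001Z,cn=accesslog
reqType: search

dn: reqStart=20140819114200.000002Z,cn=accesslog
reqType: add

dn: reqStart=20140819114200.000003Z,cn=accesslog
reqType: unbind
"""

if __name__ == "__main__":
    print("seen:", dict(count_req_types(SAMPLE_LDIF)))
    print("missing for logops=all:", missing_ops("all", SAMPLE_LDIF))
```

Reading cn=accesslog requires an identity with read access to that database, here the olcRootDN set on the accesslog database.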
Jan Prinsloo wrote:
I have a standalone openldap 2.4.26 setup.
You really should upgrade.
We would like to use the accesslog overlay for auditing.
This is a very good idea, which costs some performance though.
I have enabled the accesslog overlay with olcAccessLogOps = all. This writes all groups of operations (writes, reads, session) to cn=accesslog without issues. We would also like to make use of the memberof overlay. The issue we're seeing is that once you enable the memberof overlay, only search, unbind, add operations are logged to accesslog. We do not see delete, modify, modrdn values logged. If I then change the logops to "olcAccessLogOps = add delete modify modrdn" we see those operations logged, but no bind, search, unbind operations (i.e. no reads or session).
I'd suggest first upgrading to a recent version.
After that you could try fiddling with the order of the overlays. Personally I've added slapo-memberof and slapo-refint *after* slapo-accesslog.
Ciao, Michael.
openldap-technical@openldap.org