2:43 a.m.
Hi All,
I would appreciate it if someone could give me some insight into the following issue:
I have a standalone openldap 2.4.26 setup. We would like to use the accesslog overlay for
auditing. I have enabled the accesslog overlay with olcAccessLogOps = all. This writes all
groups of operations (writes, reads, session) to cn=accesslog without issues. We would
also like to make use of the memberof overlay. The issue we're seeing is that once you
enable the memberof overlay, only search, unbind, add operations are logged to accesslog.
We do not see delete, modify, modrdn values logged. If I then change the logops to
"olcAccessLogOps = add delete modify modrdn" we see those operations logged, but
no bind, search, unbind operations (ie. no reads or session).
Is this a limitation of using these two overlay's together, or am I completely missing
something?
Here is the configuration output:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.base="cn=Subschema" by * read
structuralObjectClass: olcDatabaseConfig
entryUUID: 174cbd2c-bbe1-1033-97e1-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
entryCSN: 20140819113832.018426Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819113832Z
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: 174cc498-bbe1-1033-97e2-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
olcAccess: {0}to * by * manage
entryCSN: 20140819153732.253785Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819153732Z
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=novell,dc=com
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to * by * read
olcRootDN: cn=admin,dc=novell,dc=com
olcRootPW:: e1NTSEF9eTUrcGVLRmtBSlY4aytQUVJZOVVDTzByN1FwV1RrbENSZz09
olcDbCacheSize: 10000
olcDbCheckpoint: 1024 5
olcDbConfig: {0}set_cachesize 0 15000000 1
olcDbConfig: {1}set_lg_regionmax 262144
olcDbConfig: {2}set_lg_bsize 2097152
olcDbConfig: {3}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {4}set_lk_max_locks 30000
olcDbConfig: {5}set_lk_max_objects 30000
olcDbIDLcacheSize: 30000
olcDbIndex: objectclass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: member eq
olcDbIndex: memberUid eq
olcDbIndex: mail eq
olcDbIndex: cn eq,sub
olcDbIndex: displayName eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
structuralObjectClass: olcBdbConfig
entryUUID: 174ccbbe-bbe1-1033-97e3-99c5bb2fcfe1
creatorsName: cn=config
createTimestamp: 20140819113832Z
entryCSN: 20140819114039.896372Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819114039Z
dn: olcOverlay={0}accesslog,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcAccessLogDB: cn=accesslog
olcAccessLogPurge: 07+00:00 01+00:00
olcAccessLogSuccess: TRUE
structuralObjectClass: olcAccessLogConfig
entryUUID: 827deb2a-bbe1-1033-8b97-93a12773fffb
creatorsName: cn=config
createTimestamp: 20140819114131Z
olcOverlay: {0}accesslog
olcAccessLogOps: writes
entryCSN: 20140819154607.969610Z#000000#000#000000
modifiersName: cn=admin,dc=novell,dc=com
modifyTimestamp: 20140819154607Z
dn: olcOverlay={1}refint,olcDatabase={1}bdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
structuralObjectClass: olcRefintConfig
entryUUID: e5b204be-bbfb-1033-9b62-8fa7905953f2
creatorsName: cn=config
createTimestamp: 20140819145025Z
entryCSN: 20140819145025.207784Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819145025Z
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=novell,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
structuralObjectClass: olcBdbConfig
entryUUID: 827bc75a-bbe1-1033-8b95-93a12773fffb
creatorsName: cn=config
createTimestamp: 20140819114131Z
entryCSN: 20140819114131.842907Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20140819114131Z
Regards,
Jan Prinsloo
2:49 a.m.
Jan Prinsloo wrote:
I have a standalone openldap 2.4.26 setup.
You really should upgrade.
We would like to use the accesslog overlay for auditing.
This is a very good idea. Which costs some performance though.
I have enabled the accesslog overlay with olcAccessLogOps = all.
This
writes all groups of operations (writes, reads, session) to cn=accesslog
without issues. We would also like to make use of the memberof overlay. The
issue we're seeing is that once you enable the memberof overlay, only
search, unbind, add operations are logged to accesslog. We do not see
delete, modify, modrdn values logged. If I then change the logops to
"olcAccessLogOps = add delete modify modrdn" we see those operations
logged, but no bind, search, unbind operations (ie. no reads or session).
I'd suggest to first upgrade to a recent version.
After that you could try fiddling with the order of the overlays. Personally
I've added slapo-memberof and slapo-refint *after* slapo-accesslog.
Ciao, Michael.
3207
days inactive
3207
days old
openldap-technical@openldap.org
1 comments
2 participants
participants (2)
-
Jan Prinsloo -
Michael Ströder