The OpenLDAP audit log overlay is used to track changes to a database. It stores its data in an LDIF file. On busy servers, consider setting up a cron job to automatically rotate, compress, or archive the log file.
Setting up the OpenLDAP audit log overlay is pretty straightforward. There are only a few steps and it requires very little preparation. Here are the steps:
- Create a directory on your filesystem for the overlay to write the audit log to. It must be writable by the user slapd runs as.
- Assuming the overlay isn’t compiled into slapd, load the module.
- Apply the overlay to the backend you wish to audit.
- Verify it is working.
Create a Directory
The directory you create for the LDIF files must be writable by the user slapd runs as. I prefer to use a sub-directory of /var/log. Create a location of your choosing. If you aren’t sure which user slapd runs as, consult the table below.
# mkdir -p /var/log/openldap/
# chown -R $OWNER /var/log/openldap/
OS | OWNER |
---|---|
CentOS 7 | ldap:ldap |
openSUSE | ldap:ldap |
Debian (Stretch) | openldap:openldap |
FreeBSD | ldap:ldap |
Load the Module
See if you have any modules already loaded:
[root@ldap openldap]# slapcat -n 0 | grep olcModuleLoad
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}pw-sha2.la
[root@ldap openldap]#
If you have any output from the command above, use ldapmodify to load the module:
[root@ldap ~]# ldapmodify -Q -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
modifying entry "cn=module{0},cn=config"
Otherwise, use ldapadd. Replace the olcModulePath value with the module directory for your environment. If you aren’t sure where your modules are located, consult the table below.
[root@ldap ~]# ldapadd -Y EXTERNAL -Q -H ldapi:///
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/openldap-current/libexec/openldap
olcModuleLoad: auditlog.la
adding new entry "cn=module,cn=config"
OS | PATH |
---|---|
CentOS 7 | /usr/lib64/openldap |
openSUSE | /usr/lib64/openldap |
Debian (Stretch) | /usr/lib/ldap |
FreeBSD | /usr/local/libexec/openldap |
Source (Tyler’s Guides) | /opt/openldap-current/libexec/openldap |
Source (default) | /usr/local/libexec/openldap |
Apply the Overlay
Use ldapadd to create an entry in your configuration directory with the overlay configuration. You may need to adjust the database DN (olcDatabase={1}mdb) and the log file path. Make sure slapd can write to the file path specified by the olcAuditlogFile attribute.
# ldapadd -Q -Y EXTERNAL -H ldapi:///
dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/openldap/auditlog.ldif
Test the Configuration
To test the configuration, make any change to your directory. Even a password change will cause a log entry to be created. E.g.
# ldappasswd -W -S -H ldapi:/// -x -D \
uid=testuser,ou=users,dc=tylersguides,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Now check to see if the log file was created:
# pwd
/var/log/openldap
# ls -l
total 4
-rw-r--r-- 1 openldap openldap 631 Sep 12 17:39 auditlog.ldif
Let’s take a look at the log file’s contents:
# cat auditlog.ldif
# modify 1568324350 dc=tylersguides,dc=com uid=testuser,ou=users,dc=tylersguides,dc=com PATH=/opt/openldap-2.4.47/var/run/ldapi conn=1005
dn: uid=testuser,ou=users,dc=tylersguides,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEE1MTJ9bkMwelVSVTBiUU1yWHhnNUUxS1h3UUtadUhncm5veithQldLc
VpOV04wVC9ySWo4N0ZvR1Fvd2FUbk96emttNG9pWlFFa2l2Z0ZwQW1rUytmcFdwbUNCOC9JVExt
UnRD
-
replace: entryCSN
entryCSN: 20190912213910.884216Z#000000#000#000000
-
replace: modifiersName
modifiersName: uid=testuser,ou=users,dc=tylersguides,dc=com
-
replace: modifyTimestamp
modifyTimestamp: 20190912213910Z
-
# end modify 1568324350
Each change entry begins with a header line made up of # modify, the time in seconds since the epoch, the suffix of the database, the DN of the identity that made the change, the client’s peer name (in the example above, the path of the ldapi socket), and the connection number. The last line of a change entry is # end modify followed by the same timestamp. Between them is the LDIF data you would use if you were actually making the change with ldapmodify or ldapadd, along with some metadata attributes that are only writable by the server itself.
The only metadata attribute that most people probably won’t find self-explanatory is entryCSN, the change sequence number. Replicated databases use it to keep track of which entries have been replicated.
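Because the audit log is plain LDIF with the header and footer lines described above, it is easy to feed into monitoring. The following is an added example, not code from the article: a small parser that turns the log into records and flags changes to sensitive attributes, such as a password reset performed by someone other than the account owner. It assumes DNs contain no spaces; the attribute list and the second log entry are constructed.

```python
import re

# Header layout as in the article's sample: "# <op> <epoch> <suffix> <modifier DN> <peer> conn=<n>"
HEADER = re.compile(r"^# (add|modify|delete|modrdn) (\d+) (\S+) (\S+) (\S+) conn=(\d+)$")
SENSITIVE = {"userpassword", "memberuid", "member"}  # attributes worth alerting on (assumed list)

# Constructed sample: the article's password change (hash shortened and folded as slapd
# writes it, metadata blocks omitted) plus a constructed group change made by cn=admin.
SAMPLE_LOG = """\
# modify 1568324350 dc=tylersguides,dc=com uid=testuser,ou=users,dc=tylersguides,dc=com PATH=/opt/openldap-2.4.47/var/run/ldapi conn=1005
dn: uid=testuser,ou=users,dc=tylersguides,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEE1MTJ9bkMwelVSVTBiUU1y
 WHhnNUUxS1h3UUtadUhncm5veithQldLc
-
# end modify 1568324350
# modify 1568324400 dc=tylersguides,dc=com cn=admin,dc=tylersguides,dc=com IP=192.0.2.10:51234 conn=1007
dn: cn=wheel,ou=groups,dc=tylersguides,dc=com
changetype: modify
add: memberUid
memberUid: testuser
-
# end modify 1568324400
"""

def parse_auditlog(text):
    """One dict per logged operation: header fields plus the attribute names it touched."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = dict(zip(("op", "time", "suffix", "modifier", "peer", "conn"), m.groups()))
            cur.update(time=int(cur["time"]), conn=int(cur["conn"]), dn=None, attrs=set())
        elif cur and line.startswith("# end "):
            records.append(cur)
            cur = None
        # folded values, comments, "-" separators and the changetype line carry no attribute name
        elif cur and not line.startswith((" ", "#", "-", "changetype:")):
            key, sep, value = line.partition(":")
            if key == "dn":
                cur["dn"] = value.strip()
            elif key in ("add", "replace", "delete"):  # change keyword names the attribute
                cur["attrs"].add(value.strip())
            elif sep:
                cur["attrs"].add(key)  # "attr: value" or "attr:: base64" line
    return records

def flag_sensitive(records):
    """(dn, attribute, modifier DN, self_change) for every sensitive attribute touched."""
    return [(r["dn"], a, r["modifier"], r["modifier"] == r["dn"])
            for r in records for a in sorted(r["attrs"]) if a.lower() in SENSITIVE]
```

Running flag_sensitive(parse_auditlog(SAMPLE_LOG)) reports the self-service password change as a self change and the membership change to cn=wheel as one made by a different identity.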
If you want to use audit log entries as templates for creating new entries or making changes, make sure to omit the following attributes, as they are only writable by the server itself:
- structuralObjectClass
- entryUUID
- creatorsName
- createTimestamp
- entryCSN
- modifiersName
- modifyTimestamp
If you try to manually add one of the metadata attributes, as shown below, you will receive an error message:
# ldapadd -Y EXTERNAL -H ldapi:/// -Q
dn: cn=testgroup7,ou=groups,dc=tylersguides,dc=com
changetype: add
objectClass: posixGroup
cn: testgroup7
gidNumber: 5007
memberUid: testuser
structuralObjectClass: posixGroup
adding new entry "cn=testgroup7,ou=groups,dc=tylersguides,dc=com"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed