mail us  |  mail this page

contact us
training  | 
tech stuff  | 

Chapter 6 OpenLDAP accesslog overlay

The accesslog overlay is used to keep track of all or selected operations on a particular DIT (the target DIT) by writing details of the operations as entries to another DIT (the accesslog DIT). The accesslog DIT can be searched using standard LDAP queries. Accesslog overlay parameters control whether to log all or a subset of LDAP operations (logops) on the target DIT, to save related information such as the previous contents of attributes or entries (logold and logoldattr ) and when to remove log entries from the accesslog DIT. Accesslog DIT entries are stored using objectClasses and attributes in a specific audit schema.

While the overlay can create a general purpose accesslog DIT which may be used as, for instance, an LDAP operational or audit log, it can also be used specifically by the syncrepl directive for delta replication or delta synchronization. In this latter case the accesslog DIT, because it is configured to contain only the LDAP change operations performed on the target DIT, provides a dense record of attribute level changes to the target DIT. In normal syncrepl synchronization when changes are made to any entry's attribute in the target DIT the entire entry is transferred during a replication cycle. When syncrepl is used with an accesslog DIT only those attribute changes (together with their associated operational attributes such as entryCSN etc.) need be transferred during the replication cycle.

Usage Overview

The accesslog overlay is invoked within the database section of the target DIT - this creates a binding from the target DIT to a specific acceslog DIT (and means that multiple accesslog DITs can also appear in a single LDAP server). The accesslog DIT is then defined as a separate database section and if the accesslog DIT is to be used for delta replication purposes it must be defined as a provider through use of the syncprov overlay. To illustrate:

# slapd.conf global parameters
# target DIT database section 
database bdb
suffix "dc=example,dc=com"
# indicates this target DIT uses accesslogging
overlay accesslog
# defines the accesslog DIT being used for this target DIT
logdb "cn=accesslogname"
# other directives as required
# syncprov required if target DIT is to replicated
# with syncrepl
overlay syncprov

# accesslog DIT
database bdb
# suffix name is always same as logdb 
# of associated target DIT
suffix "cn=accesslogname"
# required if delta syncrepl to be used
overlay syncprov

Note: When used in a syncrepl delta synchronization configuration both the target DIT and the accesslog DIT must be syncrepl providers (overlay syncprov). This is required to allow the synchronization routines to select either of the DITs as a target, for example, if the syncrepl consumer is empty then the target DIT is required for initial synchonization - thereafter the accesslog DIT will normally be used.

Detailed delta replication configurations.

Configuration Directives

These slapd.conf options apply to the Access Logging overlay. They should appear after the overlay accesslog directive.

logdb Directive

logdb suffix

Defines the suffix of the accesslog DIT to be used for storing the log records that relate to the database section in which the overlay accesslog directive appears (the target DIT). An accesslog DIT may be defined for one or more database section (target DITs) each of which would reference a different accesslog suffix. The accesslog DIT must be defined elsewhere in the configuration (using another database directive and section). The access to control for the accesslog DIT definition should be limited only to that DIT. The overlay will automatically create the suffix entry in the accesslog DIT and thus an LDIF file is not required to initialise it. Each operation stored in the accesslog DIT will be added as a child entry of the suffix entry. Example:

# slapd.conf fragment
# target DIT
database bdb
suffix "dc=example,dc=com"
overlay accesslog
logdb "cn=mylog"

# accesslog DIT
database bdb
suffix "cn=mylog"

logops Directive

logops operations

Defines which types of operations on the target DIT to log to the accesslog DIT in a space separated list. The valid operation types are abandon, add, bind, compare, delete, extended, modify, modrdn, search, and unbind. Aliases may be used for common sets of operations:

writes - add, delete, modify, modrdn
reads - compare, search
session - abandon, bind, unbind
all  -  all operations

When used for delta-synchronization operations typically only operations which change the DIT are logged thus only writes is used. As may be seen from the list of operation types comprehensive audit logging may also be generated by this overlay. Examples:

# when used with delta synchronization
logops writes

# comprehensive logging
logops writes reads session
# OR 
logops all

# only selected operations
logops delete add bind

logold Directive

logold filter

Defines a filter for matching against Deleted and Modified entries. If the entry matches the filter, the old contents of the entry will be logged along with the current operation. This features is not used by delta-synchronization but may be a crucial requirement if the accesslog is used for auditing. Example:

# on Delete or Modify operations log contents of inetorgperson 
# which has a uid attribute before the operation
logold (&(objectclass=inetorgperson)(uid=*))

logoldattr Directive

logoldattr attr [...]

Defines a list of attributes whose previous contents are always logged during Modify and ModRDN requests. By default only the new contents of attributes changed during a Modify operation will be logged and no attributes are logged for ModRDN requests. Not used for delta-synchronization. Example:

# always save the current contents of uid and cn before
# any modify or modRDN operation
logoldattr uid cn

logpurge Directive

logpurge age interval

Defines both the maximum age for log entries to be retained in the database and how often to scan the database for old entries. Bothage and interval are specified as a time span in days, hours, minutes, and seconds. The time format is [ddd+]hh:mm[:ss], for example, the days and seconds components are optional but hours and minutes are required. Except for days, which can be up to 5 digits, each numeric field must be exactly two digits. Example:

# the log database will be scanned every day
# entries older than two days will be deleted.
logpurge 2+00:00 1+00:00

When using a log database that supports ordered indexing on generalizedTime attributes, specifying an eq index on the reqStart attribute will increase the performance of purge operations.

logsuccess Directive

logsuccess TRUE | FALSE

If set to TRUE then accesslog entries will only be logged for successful requests, that is, requests that produce a result code of 0 (LDAP_SUCCESS). If FALSE, accesslog entries are added for defined operations irrespective of the result code. The default is FALSE. For use with delta-synchronization logsuccess must be set TRUE.

Configuration Examples:

# slapd.conf fragment
# global section
# definition of target DIT
database bdb
suffix dc=example,dc=com
# defines a general purpose audit log containing
# all operation (including failed ones)
# on this target DIT
overlay accesslog
logdb "cn=auditlog"
logops writes reads
# read log every 5 days and purge entries
# when older than 30 days
logpurge 30+00:00 5+00:00
# optional - saves the previous contents of
# person objectclass before performing a write operation
logold (objectclass=person)
# if only specific attributes are required, logoldattr 
# should be used
logoldattr uid cn

# definition of accesslog DIT
database bdb
suffix "cn=auditlog"
index reqStart eq
# ACL to permit specific client searching
access to *
by dn.base="cn=admin,dc=example,dc=com" read

Example provider configuration when used with delta synchronization:

# slapd.conf fragment
# global section
# definition of target DIT
database bdb
suffix dc=example,dc=com
# defines a log suitable for delta syncrepl use
# logs only successful operations that modify the
# dit contents on this target DIT
overlay accesslog
logdb "cn=deltalog"
logops writes
# only log successful operations
# failed writes do not change the DIT
logsuccess TRUE
# examine the log every day and purge entries over two days old.
logpurge 2+00:00 1+00:00

# definition of accesslog DIT
database bdb
suffix "cn=deltalog"

# ACL to permit delta sync searching
# this DN must be the same as the binddn parameter
# of the consumers syncrepl directive
access to *
by dn.base="cn=admin,dc=example,dc=com" read

AccessLog SCHEMA

The accesslog overlay used the following specialized schema. The schema is loaded in binary format with accesslog overlay and therefore is not available as a standalone schema. It publication is designed to enable search queries to be constructed to examine the accesslog DIT content.

There is a basic audit Objectclass from which two additional objectclasses, auditReadObject and auditWriteObject are derived. Objectclasses for each type of LDAP operation are further derived from these classes. This object class hierarchy is designed to allow flexible yet efficient searches of the log based on either a specific operation type's class, or on more general classifications. The definition of the auditObject class is as follows:

  NAME 'auditObject'
  DESC 'OpenLDAP request auditing'
  MUST ( reqStart $ reqType $ reqSession )
  MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls 
   $ reqEnd $ reqResult $ reqMessage $ reqReferral ) )
# Note that all of the OIDs used in the logging schema currently reside under 
# the OpenLDAP Experimental branch. It is anticipated that they will migrate
# to a Standard branch in the future.
# An overview of the attributes follows: 
# reqStart and reqEnd provide the start and end time of the operation, respectively.
# They use generalizedTime syntax.
# The reqStart attribute is also used  as the RDN for each log entry.
# The  reqType attribute is a simple string containing the type of operation 
# being logged, e.g. add, delete, search, etc. For extended operations, the 
# type also includes the OID of the extended operation, e.g.:
#  extended(

# The reqSession attribute is an implementation-specific identifier that is
# common to all the operations associated with the same LDAP session. 
# Currently this is slapd's internal connection ID, stored in decimal.
# The reqDN attribute is the distinguishedName of the target of the operation. 
# E.g., for a Bind  request, this is the Bind DN. For an Add request, this is 
# the DN of the entry being added. For a Search request, this is the base DN 
# of the search.
# The reqAuthzID attribute is the distinguishedName of the user that performed
# the operation. This will usually be the same name as was established at the
# start of a session by a Bind request (if any) but may be altered in various
# circumstances.
# The reqControls and reqRespControls attributes carry any controls sent by the
# client on the request and returned by the server in the response, respectively.
# The attribute values are just  uninterpreted octet strings.
# The reqResult attribute is the numeric LDAP result code of the operation, 
# indicating either success or a particular LDAP error code. An error code may 
# be accompanied by a text error message which will be recorded in the reqMessage
# attribute.
# The reqReferral attribute carries any referrals that were returned with the 
# result of the request.
# Operation-specific  classes are defined with additional attributes to carry 
# all of the relevant parameters associated with the operation:
  NAME 'auditAbandon'
  DESC 'Abandon operation'
  SUP auditObject STRUCTURAL
  MUST reqId )

# For the Abandon operation the reqId attribute contains the message ID of the
# request that was abandoned.
  NAME 'auditAdd'
  DESC 'Add operation'
  SUP auditWriteObject STRUCTURAL
  MUST reqMod )

# The Add class inherits from the auditWriteObject class. The Add and Modify
# classes are very similar. The reqMod attribute carries all of the attributes
# of the original entry being added. (Or in the case of a Modify operation, 
# all of the modifications being performed.) The values are formatted as:
#  attribute:<+|-|=|#> [ value]
# Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace, 
# and '#' for Increment. In an Add operation, all of th reqMod values 
# will have the '+' designator.
  NAME 'auditBind'
  DESC 'Bind operation'
  SUP auditObject STRUCTURAL
  MUST ( reqVersion $ reqMethod ) )

# The Bind class includes the reqVersion attribute which contains the LDAP
# protocol version specified in the Bind as well as the reqMethod attribute 
# which contains the Bind Method used in the Bind. This will be the string 
# SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless
# configured as a global overlay, only Simple Binds using DNs that reside in
# the current database will be logged:
  NAME 'auditCompare'
  DESC 'Compare operation'
  SUP auditObject STRUCTURAL
  MUST reqAssertion )
# For the Compare operation the reqAssertion attribute carries the
# Attribute Value Assertion used in the compare request.
  NAME 'auditDelete'
  DESC 'Delete operation'
  SUP auditWriteObject STRUCTURAL
  MAY reqOld )

# The Delete operation needs no further parameters. However, the reqOld
# attribute may optionally be used to record the contents of the entry
# prior to its deletion. The values are formatted as:
#   attribute: value
# The reqOld attribute is only populated if the entry being deleted
# matches the configured logold filter.
  NAME 'auditModify'
  DESC 'Modify operation'
  SUP auditWriteObject STRUCTURAL
  MAY reqOld 
  MUST reqMod )

# The Modify operation contains a description o modifications in the
# reqMod attribute, which was already described above in the Add 
# operation. It may optionally contain the previous contents of  any  
# modified attributes in the reqOld attribute, using the same format as 
# described above for the Delete operation. The reqOld attribute is only 
# populated if the entry being modified matches the configured logold filter.
  NAME 'auditModRDN'
  DESC 'ModRDN operation'
  SUP auditWriteObject STRUCTURAL
  MUST ( reqNewRDN $ reqDeleteOldRDN )
  MAY ( reqNewSuperior $ reqOld ) )

# The ModRDN class uses the reqNewRDN attribute to carry the new RDN of
# the request. The reqDeleteOldRDN attribute is a Boolean value  showing
# TRUE if the old RDN was deleted from the entry, or FALSE if the old RDN
# was preserved. The reqNewSuperior attribute carries the DN of the new
# parent entry if the request specified the new parent. The reqOld
# attribute is only populated if the entry being modified matches the
# configured logold filter and contains attributes in the logoldattr
# list.
  NAME 'auditSearch'
  DESC 'Search operation'
  SUP auditReadObject STRUCTURAL
  MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )
  MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
    reqTimeLimit ) )

# For the Search class the reqScope attribute contains the scope of the
# original search request, using the values specified for the LDAP URL
# format. I.e. base, one, sub, or subord. The reqDerefAliases attribute
# is on of never, finding, searching, or always, denoting how aliases
# will be processed during the search. The reqAttrsOnly attribute is a
# Boolean value showing TRUE if only attribute names were requested, or
# FALSE if attributes and their values were requested. The reqFilter
# attribute carries the filter used in the search request. The reqAttr
# attribute lists the requested attributes if specific attributes were
# requested. The reqEntries attribute is the integer count of how many
# entries were returned by this search request. The reqSizeLimit and
# reqTimeLimit attributes indicate what limits were requested on the
# search operation.
  NAME 'auditExtended'
  DESC 'Extended operation'
  SUP auditObject STRUCTURAL
  MAY reqData )

# The Extended class represents an LDAP Extended Operation. As noted
# above, the actual OID of the operation is included in the reqType
# attribute of the parent class. If any optional data was provided with
# the request, it will be contained in the reqData attribute as an 
# uninterpreted octet string.

Up Arrow

Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.


tech info
guides home
1 objectives
big picture
2 concepts
3 ldap objects
4 install ldap
5 samples
6 configuration
7 replica & refer
8 ldif
9 protocol
10 ldap api
11 howtos
12 trouble
13 performance
14 ldap tools
15 security
notes & info
ldap resources
rfc's & x.500
ldap objects
change log

Creative Commons License
This work is licensed under a Creative Commons License.

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox




share page via facebook tweet this page


email us Send to a friend feature print this page Decrease font size Increase font size Display full width page



Debian Linux


GNU-Free SW Foundation


Open Source Initiative
Creative Commons


Ibiblio - Library
Open Book Project
Open Directory


CSS Technology SPF Record Conformant Domain
Copyright © 1994 - 2017 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by
web-master at zytrax
Page modified: October 21 2015.