The accesslog overlay is used to keep track of all or selected operations on a particular DIT (the target DIT) by writing details of the operations as entries to another DIT (the accesslog DIT). The accesslog DIT can be searched using standard LDAP queries. Accesslog overlay parameters control whether to log all or a subset of LDAP operations (logops) on the target DIT, to save related information such as the previous contents of attributes or entries (logold and logoldattr ) and when to remove log entries from the accesslog DIT. Accesslog DIT entries are stored using objectClasses and attributes in a specific audit schema.
While the overlay can create a general purpose accesslog DIT which may be used as, for instance, an LDAP operational or audit log, it can also be used specifically by the syncrepl directive for delta replication or delta synchronization. In this latter case the accesslog DIT, because it is configured to contain only the LDAP change operations performed on the target DIT, provides a dense record of attribute level changes to the target DIT. In normal syncrepl synchronization when changes are made to any entry's attribute in the target DIT the entire entry is transferred during a replication cycle. When syncrepl is used with an accesslog DIT only those attribute changes (together with their associated operational attributes such as entryCSN etc.) need be transferred during the replication cycle.
The accesslog overlay is invoked within the database section of the target DIT - this creates a binding from the target DIT to a specific acceslog DIT (and means that multiple accesslog DITs can also appear in a single LDAP server). The accesslog DIT is then defined as a separate database section and if the accesslog DIT is to be used for delta replication purposes it must be defined as a provider through use of the syncprov overlay. To illustrate:
# slapd.conf global parameters ... # target DIT database section database bdb suffix "dc=example,dc=com" ... # indicates this target DIT uses accesslogging overlay accesslog # defines the accesslog DIT being used for this target DIT logdb "cn=accesslogname" # other directives as required ... # syncprov required if target DIT is to replicated # with syncrepl overlay syncprov ... # accesslog DIT database bdb # suffix name is always same as logdb # of associated target DIT suffix "cn=accesslogname" ... # required if delta syncrepl to be used overlay syncprov ...
Note: When used in a syncrepl delta synchronization configuration both the target DIT and the accesslog DIT must be syncrepl providers (overlay syncprov). This is required to allow the synchronization routines to select either of the DITs as a target, for example, if the syncrepl consumer is empty then the target DIT is required for initial synchonization - thereafter the accesslog DIT will normally be used.
Detailed delta replication configurations.
These slapd.conf options apply to the Access Logging overlay. They should appear after the overlay accesslog directive.
Defines the suffix of the accesslog DIT to be used for storing the log records that relate to the database section in which the overlay accesslog directive appears (the target DIT). An accesslog DIT may be defined for one or more database section (target DITs) each of which would reference a different accesslog suffix. The accesslog DIT must be defined elsewhere in the configuration (using another database directive and section). The access to control for the accesslog DIT definition should be limited only to that DIT. The overlay will automatically create the suffix entry in the accesslog DIT and thus an LDIF file is not required to initialise it. Each operation stored in the accesslog DIT will be added as a child entry of the suffix entry. Example:
# slapd.conf fragment ... # target DIT database bdb suffix "dc=example,dc=com" ... overlay accesslog logdb "cn=mylog" ... # accesslog DIT database bdb suffix "cn=mylog" ...
Defines which types of operations on the target DIT to log to the accesslog DIT in a space separated list. The valid operation types are abandon, add, bind, compare, delete, extended, modify, modrdn, search, and unbind. Aliases may be used for common sets of operations:
writes - add, delete, modify, modrdn reads - compare, search session - abandon, bind, unbind all - all operations
When used for delta-synchronization operations typically only operations which change the DIT are logged thus only writes is used. As may be seen from the list of operation types comprehensive audit logging may also be generated by this overlay. Examples:
# when used with delta synchronization logops writes # comprehensive logging logops writes reads session # OR logops all # only selected operations logops delete add bind
Defines a filter for matching against Deleted and Modified entries. If the entry matches the filter, the old contents of the entry will be logged along with the current operation. This features is not used by delta-synchronization but may be a crucial requirement if the accesslog is used for auditing. Example:
# on Delete or Modify operations log contents of inetorgperson # which has a uid attribute before the operation logold (&(objectclass=inetorgperson)(uid=*))
logoldattr attr [...]
Defines a list of attributes whose previous contents are always logged during Modify and ModRDN requests. By default only the new contents of attributes changed during a Modify operation will be logged and no attributes are logged for ModRDN requests. Not used for delta-synchronization. Example:
# always save the current contents of uid and cn before # any modify or modRDN operation logoldattr uid cn
logpurge age interval
Defines both the maximum age for log entries to be retained in the database and how often to scan the database for old entries. Bothage and interval are specified as a time span in days, hours, minutes, and seconds. The time format is [ddd+]hh:mm[:ss], for example, the days and seconds components are optional but hours and minutes are required. Except for days, which can be up to 5 digits, each numeric field must be exactly two digits. Example:
# the log database will be scanned every day # entries older than two days will be deleted. logpurge 2+00:00 1+00:00
When using a log database that supports ordered indexing on generalizedTime attributes, specifying an eq index on the reqStart attribute will increase the performance of purge operations.
logsuccess TRUE | FALSE
If set to TRUE then accesslog entries will only be logged for successful requests, that is, requests that produce a result code of 0 (LDAP_SUCCESS). If FALSE, accesslog entries are added for defined operations irrespective of the result code. The default is FALSE. For use with delta-synchronization logsuccess must be set TRUE.
# slapd.conf fragment # global section ... # definition of target DIT database bdb suffix dc=example,dc=com ... # defines a general purpose audit log containing # all operation (including failed ones) # on this target DIT overlay accesslog logdb "cn=auditlog" logops writes reads # read log every 5 days and purge entries # when older than 30 days logpurge 30+00:00 5+00:00 # optional - saves the previous contents of # person objectclass before performing a write operation logold (objectclass=person) # if only specific attributes are required, logoldattr # should be used logoldattr uid cn # definition of accesslog DIT database bdb suffix "cn=auditlog" ... index reqStart eq # ACL to permit specific client searching access to * by dn.base="cn=admin,dc=example,dc=com" read
Example provider configuration when used with delta synchronization:
# slapd.conf fragment # global section ... # definition of target DIT database bdb suffix dc=example,dc=com ... # defines a log suitable for delta syncrepl use # logs only successful operations that modify the # dit contents on this target DIT overlay accesslog logdb "cn=deltalog" logops writes # only log successful operations # failed writes do not change the DIT logsuccess TRUE # examine the log every day and purge entries over two days old. logpurge 2+00:00 1+00:00 # definition of accesslog DIT database bdb suffix "cn=deltalog" ... # ACL to permit delta sync searching # this DN must be the same as the binddn parameter # of the consumers syncrepl directive access to * by dn.base="cn=admin,dc=example,dc=com" read
The accesslog overlay used the following specialized schema. The schema is loaded in binary format with accesslog overlay and therefore is not available as a standalone schema. It publication is designed to enable search queries to be constructed to examine the accesslog DIT content.
There is a basic audit Objectclass from which two additional objectclasses, auditReadObject and auditWriteObject are derived. Objectclasses for each type of LDAP operation are further derived from these classes. This object class hierarchy is designed to allow flexible yet efficient searches of the log based on either a specific operation type's class, or on more general classifications. The definition of the auditObject class is as follows:
( 184.108.40.206.4.1.4203.6220.127.116.11.1 NAME 'auditObject' DESC 'OpenLDAP request auditing' SUP top STRUCTURAL MUST ( reqStart $ reqType $ reqSession ) MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ reqResult $ reqMessage $ reqReferral ) ) # Note that all of the OIDs used in the logging schema currently reside under # the OpenLDAP Experimental branch. It is anticipated that they will migrate # to a Standard branch in the future. # An overview of the attributes follows: # reqStart and reqEnd provide the start and end time of the operation, respectively. # They use generalizedTime syntax. # The reqStart attribute is also used as the RDN for each log entry. # The reqType attribute is a simple string containing the type of operation # being logged, e.g. add, delete, search, etc. For extended operations, the # type also includes the OID of the extended operation, e.g.: # extended(18.104.22.168) # The reqSession attribute is an implementation-specific identifier that is # common to all the operations associated with the same LDAP session. # Currently this is slapd's internal connection ID, stored in decimal. # The reqDN attribute is the distinguishedName of the target of the operation. # E.g., for a Bind request, this is the Bind DN. For an Add request, this is # the DN of the entry being added. For a Search request, this is the base DN # of the search. # The reqAuthzID attribute is the distinguishedName of the user that performed # the operation. This will usually be the same name as was established at the # start of a session by a Bind request (if any) but may be altered in various # circumstances. # The reqControls and reqRespControls attributes carry any controls sent by the # client on the request and returned by the server in the response, respectively. # The attribute values are just uninterpreted octet strings. # The reqResult attribute is the numeric LDAP result code of the operation, # indicating either success or a particular LDAP error code. An error code may # be accompanied by a text error message which will be recorded in the reqMessage # attribute. # The reqReferral attribute carries any referrals that were returned with the # result of the request. # Operation-specific classes are defined with additional attributes to carry # all of the relevant parameters associated with the operation: ( 22.214.171.124.4.1.4203.6126.96.36.199.4 NAME 'auditAbandon' DESC 'Abandon operation' SUP auditObject STRUCTURAL MUST reqId ) # For the Abandon operation the reqId attribute contains the message ID of the # request that was abandoned. ( 188.8.131.52.4.1.4203.6184.108.40.206.5 NAME 'auditAdd' DESC 'Add operation' SUP auditWriteObject STRUCTURAL MUST reqMod ) # The Add class inherits from the auditWriteObject class. The Add and Modify # classes are very similar. The reqMod attribute carries all of the attributes # of the original entry being added. (Or in the case of a Modify operation, # all of the modifications being performed.) The values are formatted as: # attribute:<+|-|=|#> [ value] # Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace, # and '#' for Increment. In an Add operation, all of th reqMod values # will have the '+' designator. ( 220.127.116.11.4.1.4203.618.104.22.168.6 NAME 'auditBind' DESC 'Bind operation' SUP auditObject STRUCTURAL MUST ( reqVersion $ reqMethod ) ) # The Bind class includes the reqVersion attribute which contains the LDAP # protocol version specified in the Bind as well as the reqMethod attribute # which contains the Bind Method used in the Bind. This will be the string # SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless # configured as a global overlay, only Simple Binds using DNs that reside in # the current database will be logged: ( 22.214.171.124.4.1.4203.6126.96.36.199.7 NAME 'auditCompare' DESC 'Compare operation' SUP auditObject STRUCTURAL MUST reqAssertion ) # For the Compare operation the reqAssertion attribute carries the # Attribute Value Assertion used in the compare request. ( 188.8.131.52.4.1.4203.6184.108.40.206.8 NAME 'auditDelete' DESC 'Delete operation' SUP auditWriteObject STRUCTURAL MAY reqOld ) # The Delete operation needs no further parameters. However, the reqOld # attribute may optionally be used to record the contents of the entry # prior to its deletion. The values are formatted as: # attribute: value # The reqOld attribute is only populated if the entry being deleted # matches the configured logold filter. ( 220.127.116.11.4.1.4203.618.104.22.168.9 NAME 'auditModify' DESC 'Modify operation' SUP auditWriteObject STRUCTURAL MAY reqOld MUST reqMod ) # The Modify operation contains a description o modifications in the # reqMod attribute, which was already described above in the Add # operation. It may optionally contain the previous contents of any # modified attributes in the reqOld attribute, using the same format as # described above for the Delete operation. The reqOld attribute is only # populated if the entry being modified matches the configured logold filter. ( 22.214.171.124.4.1.4203.6126.96.36.199.10 NAME 'auditModRDN' DESC 'ModRDN operation' SUP auditWriteObject STRUCTURAL MUST ( reqNewRDN $ reqDeleteOldRDN ) MAY ( reqNewSuperior $ reqOld ) ) # The ModRDN class uses the reqNewRDN attribute to carry the new RDN of # the request. The reqDeleteOldRDN attribute is a Boolean value showing # TRUE if the old RDN was deleted from the entry, or FALSE if the old RDN # was preserved. The reqNewSuperior attribute carries the DN of the new # parent entry if the request specified the new parent. The reqOld # attribute is only populated if the entry being modified matches the # configured logold filter and contains attributes in the logoldattr # list. ( 188.8.131.52.4.1.4203.6184.108.40.206.11 NAME 'auditSearch' DESC 'Search operation' SUP auditReadObject STRUCTURAL MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly ) MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ reqTimeLimit ) ) # For the Search class the reqScope attribute contains the scope of the # original search request, using the values specified for the LDAP URL # format. I.e. base, one, sub, or subord. The reqDerefAliases attribute # is on of never, finding, searching, or always, denoting how aliases # will be processed during the search. The reqAttrsOnly attribute is a # Boolean value showing TRUE if only attribute names were requested, or # FALSE if attributes and their values were requested. The reqFilter # attribute carries the filter used in the search request. The reqAttr # attribute lists the requested attributes if specific attributes were # requested. The reqEntries attribute is the integer count of how many # entries were returned by this search request. The reqSizeLimit and # reqTimeLimit attributes indicate what limits were requested on the # search operation. ( 220.127.116.11.4.1.4203.618.104.22.168.12 NAME 'auditExtended' DESC 'Extended operation' SUP auditObject STRUCTURAL MAY reqData ) # The Extended class represents an LDAP Extended Operation. As noted # above, the actual OID of the operation is included in the reqType # attribute of the parent class. If any optional data was provided with # the request, it will be contained in the reqData attribute as an # uninterpreted octet string.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
3 ldap objects
4 install ldap
7 replica & refer
10 ldap api
14 ldap tools
notes & info
rfc's & x.500
This work is licensed under a Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox