Content-type: text/html Manpage of SLAPO-ACCESSLOG

SLAPO-ACCESSLOG

Section: File Formats (5)
Updated: 2005/10/13
Index Return to Main Contents
 

NAME

slapo-accesslog - Access Logging overlay  

SYNOPSIS

/usr/local/etc/openldap/slapd.conf  

DESCRIPTION

The Access Logging overlay can be used to record all accesses to a given backend database on another database. This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files. Configuration options are available for selecting a subset of operation types to log, and to automatically prune older log records from the logging database. Log records are stored with a custom schema to assure their readability whether viewed as LDIF or in raw form.  

CONFIGURATION

These slapd.conf options apply to the Access Logging overlay. They should appear after the overlay directive and before any subsequent database directive.
logdb <suffix>
Specify the suffix of a database to be used for storing the log records. The specified database must have already been configured in a prior section of the config file. The suffix entry of the database must also already exist. The log entries will be generated as the immediate children of the suffix entry.
logops <operations>
Specify which types of operations to log. The valid operation types are abandon, add, bind, compare, delete, extended, modify, modrdn, search, and unbind. Aliases for common sets of operations are also available:
writes
add, delete, modify, modrdn
reads
compare, search
session
abandon, bind, unbind
all
all operations
logpurge <age> <interval>
Specify the maximum age for log entries to be retained in the database, and how often to scan the database for old entries. Both the age and interval are specified as a time span in days, hours, minutes, and seconds. The time format is [dd+]hh:mm[:ss] i.e., the days and seconds components are optional but hours and minutes are required. Each numeric field must be exactly two digits. For example
logpurge 02+00:00 01+00:00
would specify that the log database should be scanned every day for old entries, and entries older than two days should be deleted. When using a log database that supports ordered indexing on generalizedTime attributes, specifying an eq index on the reqStart attribute will greatly benefit the performance of the purge operation.

 

EXAMPLES

        database bdb
        suffix cn=log
        ...
        index reqStart eq

        database bdb
        suffix dc=example,dc=com
        ...
        overlay accesslog
        logdb cn=log
        logops writes reads

 

OBJECT CLASSES

The accesslog overlay defines a number of object classes for use in the logs. There is a basic auditObject class from which two additional classes, auditReadObject and auditWriteObject are derived. Object classes for each type of LDAP operation are further derived from these classes. This object class hierarchy is designed to allow flexible yet efficient searches of the log based on either a specific operation type's class, or on more general classifications. The definition of the auditObject class is as follows:

( 1.3.6.1.4.1.4203.666.11.5.2.1
    NAME 'auditObject'
    DESC 'OpenLDAP request auditing'
    SUP top STRUCTURAL
    MUST ( reqStart $ reqType $ reqSession )
    MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
        reqEnd $ reqResult $ reqMessage ) )
Note that all of the OIDs used in the logging schema currently reside under the OpenLDAP Experimental branch. It is anticipated that thay will migrate to a Standard branch in the future.

An overview of the attributes follows: reqStart and reqEnd provide the start and end time of the operation, respectively. They use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.

The reqType attribute is a simple string containing the type of operation being logged, e.g. add, delete, search, etc. For extended operations, the type also includes the OID of the extended operation, e.g. extended(1.2.3.4.1)

The reqSession attribute is an implementation-specific identifier that is common to all the operations associated with the same LDAP session. Currently this is slapd's internal connection ID, stored in decimal.

The reqDN attribute is the distinguishedName of the target of the operation. E.g., for a Bind request, this is the Bind DN. For an Add request, this is the DN of the entry being added. For a Search request, this is the base DN of the search.

The reqAuthzID attribute is the distinguishedName of the user that performed the operation. This will usually be the same name as was established at the start of a session by a Bind request (if any) but may be altered in various circumstances.

The reqControlsand reqRespControls attributes carry any controls sent by the client on the request and returned by the server in the response, respectively. The attribute values are just uninterpreted octet strings.

The reqResult attribute is the numeric LDAP result code of the operation, indicating either success or a particular LDAP error code. An error code may be accompanied by a text error message which will be recorded in the reqMessage attribute.

Operation-specific classes are defined with additional attributes to carry all of the relevant parameters associated with the operation:

( 1.3.6.1.4.1.4203.666.11.5.2.4
    NAME 'auditAbandon'
    DESC 'Abandon operation'
    SUP auditObject STRUCTURAL
    MUST reqId )
For the Abandon operation the reqId attribute contains the message ID of the request that was abandoned.

( 1.3.6.1.4.1.4203.666.11.5.2.5
    NAME 'auditAdd'
    DESC 'Add operation'
    SUP auditWriteObject STRUCTURAL
    MUST reqMod )
The Add class inherits from the auditWriteObject class. The Add and Modify classes are essentially the same. The reqMod attribute carries all of the attributes of the original entry being added. (Or in the case of a Modify operation, all of the modifications being performed.) The values are formatted as
attribute:<+|-|=|#> [ value]
Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace, and '#' for Increment. In an Add operation, all of the reqMod values will have the '+' designator.

( 1.3.6.1.4.1.4203.666.11.5.2.6
    NAME 'auditBind'
    DESC 'Bind operation'
    SUP auditObject STRUCTURAL
    MUST reqMethod )
The Bind class just adds the reqMethod attribute which contains the Bind Method used in the Bind. This will be the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds. Note that unless configured as a global overlay, only Simple Binds using DNs that reside in the current database will be logged.

( 1.3.6.1.4.1.4203.666.11.5.2.7
    NAME 'auditCompare'
    DESC 'Compare operation'
    SUP auditObject STRUCTURAL
    MUST reqAssertion )
For the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.

( 1.3.6.1.4.1.4203.666.11.5.2.8
    NAME 'auditModify'
    DESC 'Modify operation'
    SUP auditWriteObject STRUCTURAL
    MUST reqMod )
The Modify operation has already been described.

( 1.3.6.1.4.1.4203.666.11.5.2.9
    NAME 'auditModRDN'
    DESC 'ModRDN operation'
    SUP auditWriteObject STRUCTURAL
    MUST ( reqNewRDN $ reqDeleteOldRDN )
    MAY reqNewSuperior )
The ModRDN class uses the reqNewRDN attribute to carry the new RDN of the request. The reqDeleteOldRDN attribute is a Boolean value showing TRUE if the old RDN was deleted from the entry, or FALSE if the old RDN was preserved. The reqNewSuperior attribute carries the DN of the new parent entry if the request specified the new parent.

( 1.3.6.1.4.1.4203.666.11.5.2.10
    NAME 'auditSearch'
    DESC 'Search operation'
    SUP auditReadObject STRUCTURAL
    MUST ( reqScope $ reqAttrsOnly )
    MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
          reqTimeLimit ) )
For the Search class the reqScope attribute contains the scope of the original search request, i.e. base, onelevel, subtree, or subordinate. The reqAttrsOnly attribute is a Boolean value showing TRUE if only attribute names were requested, or FALSE if attributes and their values were requested. The reqFilter attribute carries the filter used in the search request. The reqAttr attribute lists the requested attributes if specific attributes were requested. The reqEntries attribute is the integer count of how many entries were returned by this search request. The reqSizeLimit and reqTimeLimit attributes indicate what limits were requested on the search operation.

( 1.3.6.1.4.1.4203.666.11.5.2.11
    NAME 'auditExtended'
    DESC 'Extended operation'
    SUP auditObject STRUCTURAL
    MAY reqData )
The Extended class represents an LDAP Extended Operation. As noted above, the actual OID of the operation is included in the reqType attribute of the parent class. If any optional data was provided with the request, it will be contained in the reqData attribute as an uninterpreted octet string.

 

NOTES

The Access Log implemented by this overlay may be used for a variety of other tasks, e.g. as a ChangeLog for a replication mechanism, as well as for security/audit logging purposes.

 

FILES

/usr/local/etc/openldap/slapd.conf
default slapd configuration file
 

SEE ALSO

slapd.conf(5).

 

ACKNOWLEDGEMENTS

This module was written in 2005 by Howard Chu of Symas Corporation.

 

Index

NAME
SYNOPSIS
DESCRIPTION
CONFIGURATION
EXAMPLES
OBJECT CLASSES
NOTES
FILES
SEE ALSO
ACKNOWLEDGEMENTS
This document was created by man2html, using the manual pages.
Time: 07:24:59 GMT, October 27, 2005