Section (5) slapo-accesslog
slapo−accesslog — Access Logging overlay to slapd
The Access Logging overlay can be used to record all accesses to a given backend database on another database. This allows all of the activity on a given database to be reviewed using arbitrary LDAP queries, instead of just logging to local flat text files. Configuration options are available for selecting a subset of operation types to log, and to automatically prune older log records from the logging database. Log records are stored with audit schema (see below) to assure their readability whether viewed as LDIF or in raw form.
options apply to the Access Logging overlay. They should
appear after the
- logdb <suffix>
Specify the suffix of a database to be used for storing the log records. The specified database must be defined elsewhere in the configuration. The access controls on the log database should prevent general access. The suffix entry of the log database will be created automatically by this overlay. The log entries will be generated as the immediate children of the suffix entry.
- logops <operations>
Specify which types of operations to log. The valid operation types are abandon, add, bind, compare, delete, extended, modify, modrdn, search, and unbind. Aliases for common sets of operations are also available:
add, delete, modify, modrdn
abandon, bind, unbind
- logbase <operations> <baseDN>
Specify a set of operations that will only be logged if they occur under a specific subtree of the database. The operation types are as above for the
logopssetting, and delimited by a _zsingle_quotesz_|_zsingle_quotesz_ character.
- logold <filter>
Specify a filter for matching against Deleted and Modified entries. If the entry matches the filter, the old contents of the entry will be logged along with the current request.
- logoldattr <attr> ...
Specify a list of attributes whose old contents are always logged in Modify and ModRDN requests. Usually only the contents of attributes that were actually modified will be logged; by default no old attributes are logged for ModRDN requests.
- logpurge <age> <interval>
Specify the maximum age for log entries to be retained in the database, and how often to scan the database for old entries. Both the
intervalare specified as a time span in days, hours, minutes, and seconds. The time format is [ddd+]hh:mm[:ss] i.e., the days and seconds components are optional but hours and minutes are required. Except for days, which can be up to 5 digits, each numeric field must be exactly two digits. For example
- logpurge 2+00:00 1+00:00
would specify that the log database should be scanned every day for old entries, and entries older than two days should be deleted. When using a log database that supports ordered indexing on generalizedTime attributes, specifying an eq index on the
reqStartattribute will greatly benefit the performance of the purge operation.
- logsuccess TRUE | FALSE
If set to TRUE then log records will only be generated for successful requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS). If FALSE, log records are generated for all requests whether they succeed or not. The default is FALSE.
database bdb suffix dc=example,dc=com ... overlay accesslog logdb cn=log logops writes reads logbase search|compare ou=testing,dc=example,dc=com logold (objectclass=person) database bdb suffix cn=log ... index reqStart eq access to * by dn.base=cn=admin,dc=example,dc=com read
overlay utilizes the audit schema described herein. This
schema is specifically designed for
accesslog auditing and is not
intended to be used otherwise. It is also noted that the
schema described here is a work
progress, and hence subject
to change without notice. The schema is loaded automatically
by the overlay.
The schema includes a number of object classes and associated attribute types as described below.
There is a basic
auditObject class from which
two additional classes,
are derived. Object classes for each type of LDAP operation
are further derived from these classes. This object class
hierarchy is designed to allow flexible yet efficient
searches of the log based on either a specific operation
type_zsingle_quotesz_s class, or on more general classifications. The
definition of the
auditObject class is as
( 126.96.36.199.4.1.4203.6188.8.131.52.1 NAME _zsingle_quotesz_auditObject_zsingle_quotesz_ DESC _zsingle_quotesz_OpenLDAP request auditing_zsingle_quotesz_ SUP top STRUCTURAL MUST ( reqStart $ reqType $ reqSession ) MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ reqResult $ reqMessage $ reqReferral ) )
Note that all of the OIDs used in the logging schema currently reside under the OpenLDAP Experimental branch. It is anticipated that they will migrate to a Standard branch in the future.
An overview of the attributes follows:
reqEnd provide the start and
end time of the operation, respectively. They use
generalizedTime syntax. The
reqStart attribute is also
used as the RDN for each log entry.
attribute is a simple string containing the type of operation
being logged, e.g.
search, etc. For extended
operations, the type also includes the OID of the extended
attribute is an implementation-specific identifier that is
common to all the operations associated with the same LDAP
session. Currently this is slapd_zsingle_quotesz_s internal connection ID,
stored in decimal.
attribute is the distinguishedName of the target of the
operation. E.g., for a Bind request, this is the Bind DN. For
an Add request, this is the DN of the entry being added. For
a Search request, this is the base DN of the search.
attribute is the distinguishedName of the user that performed
the operation. This will usually be the same name as was
established at the start of a session by a Bind request (if
any) but may be altered in various circumstances.
attributes carry any controls sent by the client on the
request and returned by the server in the response,
respectively. The attribute values are just uninterpreted
attribute is the numeric LDAP result code of the operation,
indicating either success or a particular LDAP error code. An
error code may be accompanied by a text error message which
will be recorded in the
attribute carries any referrals that were returned with the
result of the request.
Operation-specific classes are defined with additional attributes to carry all of the relevant parameters associated with the operation:
( 184.108.40.206.4.1.4203.6220.127.116.11.4 NAME _zsingle_quotesz_auditAbandon_zsingle_quotesz_ DESC _zsingle_quotesz_Abandon operation_zsingle_quotesz_ SUP auditObject STRUCTURAL MUST reqId )
attribute contains the message ID of the request that was
( 18.104.22.168.4.1.4203.622.214.171.124.5 NAME _zsingle_quotesz_auditAdd_zsingle_quotesz_ DESC _zsingle_quotesz_Add operation_zsingle_quotesz_ SUP auditWriteObject STRUCTURAL MUST reqMod )
inherits from the
auditWriteObject class. The
Add and Modify classes are very similar. The
reqMod attribute carries all
of the attributes of the original entry being added. (Or in
the case of a Modify operation, all of the modifications
being performed.) The values are formatted as
- attribute:<+|−|=|#> [ value]
Where _zsingle_quotesz_+_zsingle_quotesz_ indicates an Add of a value, _zsingle_quotesz_−_zsingle_quotesz_ for Delete, _zsingle_quotesz_=_zsingle_quotesz_ for Replace, and _zsingle_quotesz_#_zsingle_quotesz_ for Increment. In an Add operation, all of the reqMod values will have the _zsingle_quotesz_+_zsingle_quotesz_ designator.
( 126.96.36.199.4.1.4203.6188.8.131.52.6 NAME _zsingle_quotesz_auditBind_zsingle_quotesz_ DESC _zsingle_quotesz_Bind operation_zsingle_quotesz_ SUP auditObject STRUCTURAL MUST ( reqVersion $ reqMethod ) )
reqVersion attribute which
contains the LDAP protocol version specified in the Bind as
well as the
reqMethod attribute which
contains the Bind Method used in the Bind. This will be the
SIMPLE for LDAP Simple
SASL(<mech>) for SASL
Binds. Note that unless configured as a global overlay, only
Simple Binds using DNs that reside in the current database
will be logged.
( 184.108.40.206.4.1.4203.6220.127.116.11.7 NAME _zsingle_quotesz_auditCompare_zsingle_quotesz_ DESC _zsingle_quotesz_Compare operation_zsingle_quotesz_ SUP auditObject STRUCTURAL MUST reqAssertion )
carries the Attribute Value Assertion used in the compare
( 18.104.22.168.4.1.4203.622.214.171.124.8 NAME _zsingle_quotesz_auditDelete_zsingle_quotesz_ DESC _zsingle_quotesz_Delete operation_zsingle_quotesz_ SUP auditWriteObject STRUCTURAL MAY reqOld )
operation needs no further parameters. However, the
may optionally be used to record the contents of the entry
prior to its deletion. The values are formatted as
- attribute: value
attribute is only populated if the entry being deleted
matches the configured
( 126.96.36.199.4.1.4203.6188.8.131.52.9 NAME _zsingle_quotesz_auditModify_zsingle_quotesz_ DESC _zsingle_quotesz_Modify operation_zsingle_quotesz_ SUP auditWriteObject STRUCTURAL MAY reqOld MUST reqMod )
operation contains a description of modifications in the
which was already described above in the Add operation. It
may optionally contain the previous contents of any modified
attributes in the
reqOld attribute, using the
same format as described above for the Delete operation. The
reqOld attribute is
only populated if the entry being modified matches the
( 184.108.40.206.4.1.4203.6220.127.116.11.10 NAME _zsingle_quotesz_auditModRDN_zsingle_quotesz_ DESC _zsingle_quotesz_ModRDN operation_zsingle_quotesz_ SUP auditWriteObject STRUCTURAL MUST ( reqNewRDN $ reqDeleteOldRDN ) MAY ( reqNewSuperior $ reqOld ) )
attribute to carry the new RDN of the request. The
reqDeleteOldRDN attribute is
a Boolean value showing
the old RDN was deleted from the entry, or
FALSE if the old RDN was preserved. The
attribute carries the DN of the new parent entry if the
request specified the new parent. The
reqOld attribute is only
populated if the entry being modified matches the configured
logold filter and
contains attributes in the
( 18.104.22.168.4.1.4203.622.214.171.124.11 NAME _zsingle_quotesz_auditSearch_zsingle_quotesz_ DESC _zsingle_quotesz_Search operation_zsingle_quotesz_ SUP auditReadObject STRUCTURAL MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly ) MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ reqTimeLimit ) )
attribute contains the scope of the original search request,
using the values specified for the LDAP URL format. I.e.
reqDerefAliases attribute is
always, denoting how aliases
will be processed during the search. The
reqAttrsOnly attribute is a
Boolean value showing
only attribute names were requested, or
FALSE if attributes and their values were
reqFilter attribute carries
the filter used in the search request. The
reqAttr attribute lists the
requested attributes if specific attributes were requested.
attribute is the integer count of how many entries were
returned by this search request. The
indicate what limits were requested on the search
( 126.96.36.199.4.1.4203.6188.8.131.52.12 NAME _zsingle_quotesz_auditExtended_zsingle_quotesz_ DESC _zsingle_quotesz_Extended operation_zsingle_quotesz_ SUP auditObject STRUCTURAL MAY reqData )
class represents an LDAP Extended Operation. As noted above,
the actual OID of the operation is included in the
reqType attribute of the
parent class. If any optional data was provided with the
request, it will be contained in the
reqData attribute as an
uninterpreted octet string.
The Access Log implemented by this overlay may be used for a variety of other tasks, e.g. as a ChangeLog for a replication mechanism, as well as for security/audit logging purposes.