
According to 'man slapo-auditlog' I should just need to add the following.

dn: olcOverlay=auditlog,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /tmp/auditlog.ldif

First, "olcOverlay=auditlog" is not installed by default on CentOS 6, so I can't add this to anything. If I remove "changetype: add" I get this error.

additional info: objectClass: value #1 invalid per syntax

I found out that I could create my own cn=module, and after that olcAuditLogConfig existed and I could execute the above LDIF. But I still don't get any audit logs.

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: auditlog.la

My LDAP setup can be found here (now slightly modified on my own server):

How do I configure LDAP on CentOS 6 for user authentication in the most secure and correct way?

Arlukin

2 Answers


I have now got everything to work, and I was very close to the solution. It was a permission problem. This is how you add the auditlog to OpenLDAP installed on CentOS 6.

First enable the module.

ldapadd -H ldaps://ldap.example.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: auditlog.la
EOF

Set up a folder where ldap has permission to write.

mkdir /var/log/slapd/
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/
ls -alvhZ /var/log/slapd/

And then configure the olcAuditLogConfig overlay.

ldapadd -H ldaps://ldap.example.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF

Insert something into the database.

ldapadd -H ldaps://ldap.example.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=management11191,ou=group,dc=example,dc=net
cn: management11191
objectClass: posixGroup
gidNumber: 2005
memberUid: user1
memberUid: user3
EOF

And check the auditlog file; if you see any contents, it works.

$ cat /var/log/slapd/auditlog.log
...
$ ls -alvhZ /var/log/slapd/auditlog.log
-rw-r--r--. ldap ldap unconfined_u:object_r:slapd_log_t:s0 /var/log/slapd/auditlog.log
Arlukin
  1. You need to install the openldap-servers-overlays package:

    Name       : openldap-servers-overlays
    Arch       : x86_64
    Version    : 2.3.43
    Release    : 12.el5_7.9
    Size       : 358 k
    Repo       : installed
    Summary    : Overlays for OpenLDAP server.
    URL        : http://www.openldap.org/
    License    : OpenLDAP
    Description: OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
               : Protocol) applications and development tools. LDAP is a set of
               : protocols for accessing directory services (usually phone book style
               : information, but other information is possible) over the Internet,
               : similar to the way DNS (Domain Name System) information is propagated
               : over the Internet.
               : 
               : This package contains overlay modules for OpenLDAP server daemon.
    
  2. Uncomment the auditlog module in slapd.conf:

    modulepath  /usr/lib64/openldap
    moduleload auditlog.la
    
  3. Specify the auditlog file:

    database    bdb
    
    overlay     auditlog
    auditlog    /tmp/audit.log
    
    suffix      "dc=domain,dc=com"
    rootdn      "cn=Manager,dc=domain,dc=com"
    
  4. Modify/add some values to the attributes and take a look at the above log; you will see something like this:

    # modify 1319524581 dc=domain,dc=com cn=Manager,dc=domain,dc=com
    dn: cn=xx,ou=yy,dc=domain,dc=com
    changetype: modify
    replace: initials
    initials: Hai
    initials: Do
    -
    replace: entryCSN
    entryCSN: 20111025063621Z#000000#00#000000
    -
    replace: modifiersName
    modifiersName: cn=Manager,dc=domain,dc=com
    -
    replace: modifyTimestamp
    modifyTimestamp: 20111025063621Z
    -
    # end replace 1319524581
    
quanta
  • Looks like openldap-servers-overlays is only available in CentOS 5. Look here ftp://ftp.sunet.se/pub/Linux/distributions/centos/5/updates/x86_64/RPMS/ and ftp://ftp.sunet.se/pub/Linux/distributions/centos/6/updates/x86_64/RPMS/... I think I'm close to a solution now; looks like a permission problem on my box. – Arlukin Oct 25 '11 at 11:02
  • Does `/usr/lib64/openldap/auditlog.la` exist? – quanta Oct 25 '11 at 11:19
  • Yes, it exists. But everything works for me now. After I figured out how to add the modules, I got a permission problem, but no errors in any logs, so I was unsure if the module was added in the correct way or not. See my posted answer to this question to see how I solved it. Thanks. – Arlukin Oct 25 '11 at 12:23
  • Run `yum provides */auditlog.la` to see that `openldap-servers` already provides `auditlog.la` on CentOS 6. – quanta Oct 25 '11 at 12:28
  • Your guess was right, they have moved auditlog.la to openldap-servers. (soon a new LDAP question) – Arlukin Oct 25 '11 at 12:35
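Once the overlay is writing, the file is only useful if something reads it. As an added example (not code from either answer), here is a small Python parser for the record layout quanta's answer shows (a "# <op> <unix time> <suffix> <modifiersName>" header, the LDIF change, a "# end" trailer), plus a check that flags writes to group-membership or password attributes and who made them. The sample log, the uid=helpdesk DN and the user9 value are constructed for the example.

```python
import re
# Constructed sample in the layout slapo-auditlog writes: "# <op> <unix time> <suffix> <modifiersName>"
# header, the LDIF change, then a "# end" trailer. All values here are made up for this example.
SAMPLE_LOG = """\
# modify 1319524581 dc=domain,dc=com cn=Manager,dc=domain,dc=com
dn: cn=xx,ou=yy,dc=domain,dc=com
changetype: modify
replace: initials
initials: Hai
-
# end modify 1319524581
# modify 1319524700 dc=domain,dc=com uid=helpdesk,ou=people,dc=domain,dc=com
dn: cn=management11191,ou=group,dc=domain,dc=com
changetype: modify
add: memberUid
memberUid: user9
-
# end modify 1319524700
"""

HEADER = re.compile(r"^# (add|modify|delete|modrdn) (\d+) (\S+) (.+)$")
TRAILER = re.compile(r"^# end \S+ \d+$")  # the page shows "# end replace", newer builds write "# end modify"

def parse_auditlog(text):
    """One dict per record: op, ts, suffix, modifier (bound DN), dn, modtype, attrs."""
    records, rec = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            op, ts, suffix, who = m.groups()
            rec = {"op": op, "ts": int(ts), "suffix": suffix, "modifier": who,
                   "dn": "", "modtype": {}, "attrs": {}}
        elif TRAILER.match(line) and rec is not None:
            records.append(rec)
            rec = None
        elif rec is not None and line and line != "-" and not line.startswith("#"):
            key, _, value = line.partition(":")  # "attr:: <b64>" values are left undecoded here
            value = value.strip()
            if key == "dn":
                rec["dn"] = value
            elif key in ("add", "replace", "delete"):  # modification header names the attribute
                rec["modtype"][value] = key
            else:
                rec["attrs"].setdefault(key, []).append(value)
    return records

def flag_sensitive(records, watched=("userPassword", "memberUid", "member")):
    # (ts, modifier, target dn, attr, values) for every change touching a watched attribute
    return [(r["ts"], r["modifier"], r["dn"], a, r["attrs"][a])
            for r in records for a in watched if a in r["attrs"]]
```

Point it at /var/log/slapd/auditlog.log from the accepted answer (for example `flag_sensitive(parse_auditlog(open(path).read()))`) to get a list of membership and password changes with the DN that bound to make them.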