Let’s assume you already have a database at dn: olcDatabase={1}mdb,cn=config and you would like to keep access logs for it. To achieve this, we will do (and assume) the following:

  • Enable the AccessLog module
  • Create an AccessLog database in which the logs will be stored
  • Assume there is already an existing database for which we want to keep logs, at dn: olcDatabase={1}mdb,cn=config

Note that I use Gentoo Linux, but with some modifications the following information should work on other distributions.

Enable the AccessLog Module

First, add the module to OpenLDAP.

Ensure that the accesslog module is available on your system/platform. In my case, it is stored as /usr/lib64/openldap/openldap/accesslog.so. Modify the following LDAP Data Interchange Format (LDIF) file accordingly if the shared object file is elsewhere.

Create the file load_AccessLogModule.ldif and insert:

  dn: cn=module{2},cn=config
  objectClass: olcModuleList
  cn: module{2}
  olcModuleLoad: {0}accesslog.so
  olcModulePath: /usr/lib64/openldap/openldap

Load the content into the slapd server (you may have to restart the daemon afterwards):

  ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f load_AccessLogModule.ldif

Create an AccessLog database

Let’s now create the AccessLog database in which the logs will be stored.

Create a file create_AccessLogDatabase.ldif and insert:

  dn: olcDatabase={2}mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: mdb
  olcDbDirectory: /var/lib/openldap-data/accesslog
  olcSuffix: cn=accesslog
  olcRootDN: cn=admin,cn=accesslog
  olcRootPW: auditor_password
  olcDbIndex: default eq
  olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

Caution: the olcDbDirectory /var/lib/openldap-data/accesslog must exist, and the system user that owns the slapd process must be able to read and write it. On my system:

  mkdir -p /var/lib/openldap-data/accesslog
  chown ldap:ldap /var/lib/openldap-data/accesslog

Of course, you should use something more secure than the plain-text auditor_password shown above, by storing the password hashed with the SHA or SSHA password scheme (see https://www.openldap.org/faq/data/cache/347.html).
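To make the hashed schemes concrete, here is an added Python example (not part of the original post) that produces and verifies {SHA} and {SSHA} values in the exact format OpenLDAP expects in olcRootPW or userPassword. In practice you would generate the value with slappasswd (for example slappasswd -h '{SSHA}'); the code below shows what that tool computes: {SHA} is base64(SHA1(password)), and {SSHA} is base64(SHA1(password + salt) + salt) with a short random salt (4 bytes in OpenLDAP's implementation). The function names and the 4-byte salt length are this example's own choices. Note that both schemes are fast, unsalted-or-lightly-salted SHA-1; on releases that offer it, a slow scheme such as {ARGON2} or a strong {CRYPT} variant is preferable, but the page's SHA/SSHA advice is still far better than a clear-text olcRootPW.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def sha_hash(password: str) -> str:
    """{SHA} scheme: base64(SHA1(password)). Unsalted, so equal passwords
    always yield equal values (which is why {SSHA} is preferred)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} scheme: base64(SHA1(password + salt) + salt).
    A 4-byte random salt is used when none is supplied (example choice,
    matching what slappasswd does)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SHA} or {SSHA} value,
    the way slapd does on bind. Uses a constant-time comparison."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    elif stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(password.encode("utf-8")).digest()
    else:
        return False                               # unknown scheme
    return hmac.compare_digest(expected, digest)


def root_pw_ldif_line(password: str) -> str:
    """The olcRootPW line to paste into create_AccessLogDatabase.ldif."""
    return "olcRootPW: " + ssha_hash(password)


if __name__ == "__main__":
    # Replace the page's clear-text value with a hashed one.
    print(root_pw_ldif_line("auditor_password"))
```

Paste the printed olcRootPW line in place of the clear-text one; slapd recognises the {SSHA} prefix and verifies binds against it.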

Add the content into the slapd server:

  ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f create_AccessLogDatabase.ldif

Add the AccessLog overlay to the “source” database

Recall that we have an existing database (dn: olcDatabase={1}mdb,cn=config) whose access we would like to log. We add an overlay to that database and configure it to log into the AccessLog database we just created:

Create a file add_Overlay_to_Database.ldif and insert:

  dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
  objectClass: olcOverlayConfig
  objectClass: olcAccessLogConfig
  olcOverlay: accesslog
  olcAccessLogDB: cn=accesslog
  olcAccessLogOps: session
  olcAccessLogSuccess: TRUE
  olcAccessLogPurge: 07+00:00 01+00:00

Add the content into the slapd server:

  ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f add_Overlay_to_Database.ldif

Now, whenever a session operation (abandon, bind or unbind) happens on the olcDatabase={1}mdb,cn=config database, a log entry is created under cn=accesslog, i.e. in the AccessLog database configured at dn: olcDatabase={2}mdb,cn=config.
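To show what the overlay actually writes and how one would read it back, here is an added Python example (not from the original post): it parses a constructed LDIF dump of cn=accesslog entries, of the kind ldapsearch -LLL -b cn=accesslog returns, and summarizes successful binds per identity, failed binds, and sessions that bound but never unbound. The attribute and object class names (auditBind, auditObject, reqType, reqSession, reqDN, reqResult, reqStart) are the real slapo-accesslog schema; the DNs, timestamps and session numbers in the sample are invented. One caveat worth knowing as a defender: with olcAccessLogSuccess: TRUE as configured above, failed binds (reqResult 49, invalidCredentials) are never recorded; the sample includes one such entry only to show what appears when olcAccessLogSuccess is FALSE.

```python
import base64
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample of entries slapd writes under cn=accesslog with
# olcAccessLogOps: session. All DNs, times and session ids are invented.
SAMPLE_LDIF = """\
dn: reqStart=20240115093001.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240115093001.000001Z
reqEnd: 20240115093001.000002Z
reqType: bind
reqSession: 1001
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE

dn: reqStart=20240115093745.000001Z,cn=accesslog
objectClass: auditObject
reqStart: 20240115093745.000001Z
reqEnd: 20240115093745.000002Z
reqType: unbind
reqSession: 1001
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0

# Failed bind (49 = invalidCredentials). Written only if
# olcAccessLogSuccess is FALSE; with TRUE this entry would not exist.
dn: reqStart=20240115094102.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240115094102.000001Z
reqEnd: 20240115094102.000002Z
reqType: bind
reqSession: 1002
reqDN: uid=bob,ou=people,dc=example,dc=com
reqResult: 49
reqVersion: 3
reqMethod: SIMPLE

dn: reqStart=20240115094130.000001Z,cn=accesslog
objectClass: auditBind
reqStart: 20240115094130.000001Z
reqEnd: 20240115094130.000002Z
reqType: bind
reqSession: 1003
reqDN: uid=bob,ou=people,dc=example,dc=com
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles '#' comments, folded continuation lines and '::' base64 values."""
    entries = []
    for block in text.split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if not raw.strip() or raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:      # folded line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        if not lines:
            continue
        entry: Dict[str, List[str]] = defaultdict(list)
        for line in lines:
            attr, _, value = line.partition(":")
            if value.startswith(":"):              # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry[attr].append(value)
        entries.append(dict(entry))
    return entries


def summarize_sessions(entries: List[Dict[str, List[str]]]) -> Dict[str, dict]:
    """Count successful/failed binds per DN and find sessions that bound
    successfully but never unbound (still open, or connection dropped)."""
    ok_binds: Counter = Counter()
    failed_binds: Counter = Counter()
    bound: Dict[str, str] = {}                     # session id -> bind DN
    unbound = set()
    for e in entries:
        if "reqType" not in e:
            continue
        rtype = e["reqType"][0]
        session = e.get("reqSession", ["?"])[0]
        dn = e.get("reqDN", [""])[0]
        result = int(e.get("reqResult", ["0"])[0])
        if rtype == "bind":
            if result == 0:
                ok_binds[dn] += 1
                bound[session] = dn
            else:
                failed_binds[dn] += 1
        elif rtype == "unbind":
            unbound.add(session)
    open_sessions = {s: dn for s, dn in bound.items() if s not in unbound}
    return {"successful_binds": dict(ok_binds),
            "failed_binds": dict(failed_binds),
            "open_sessions": open_sessions}


if __name__ == "__main__":
    for key, value in summarize_sessions(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{key}: {value}")
```

Feed it the output of an ldapsearch against cn=accesslog (bound as the olcRootDN of that database) instead of SAMPLE_LDIF to get the same summary for a live server; the olcAccessLogPurge setting above means only the last seven days of entries will be there.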
