Let’s assume you already have a database under dn: olcDatabase={1}mdb,cn=config
and you would like to keep access logs. To achieve this, we will do (and assume) the following:
- Enable the AccessLog Module
- Create an AccessLog database, where the logs will be stored
- There is already an existing database for which we want to keep logs, at dn: olcDatabase={1}mdb,cn=config
Note that I use Gentoo Linux, but with some modifications the following information should work on other distributions.
Enable the AccessLog Module
Ok, so first add the module to OpenLDAP. Ensure that the accesslog module is available on your system/platform. In my case it is stored as /usr/lib64/openldap/openldap/accesslog.so. Modify the following LDAP Data Interchange Format (LDIF) file accordingly if the shared object file is elsewhere.
Create the file load_AccessLogModule.ldif and insert:
dn: cn=module{2},cn=config
objectClass: olcModuleList
cn: module{2}
olcModuleLoad: {0}accesslog.so
olcModulePath: /usr/lib64/openldap/openldap
Add the content into the slapd server (you may have to restart the daemon):
ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f load_AccessLogModule.ldif
Create an AccessLog database
Let’s now create the AccessLog database in which the logs will be stored.
Create a file create_AccessLogDatabase.ldif and insert:
dn: olcDatabase={2}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbDirectory: /var/lib/openldap-data/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,cn=accesslog
olcRootPW: auditor_password
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
Caution here: the olcDbDirectory /var/lib/openldap-data/accesslog must exist, and the system user owning the slapd process must be able to read and write it. On my system:
mkdir -p /var/lib/openldap-data/accesslog
chown ldap:ldap /var/lib/openldap-data/accesslog
Of course you should also use a more secure password than the plain text auditor_password used here, by utilizing the SHA or SSHA password scheme (see https://www.openldap.org/faq/data/cache/347.html).
Add the content into the slapd server:
ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f create_AccessLogDatabase.ldif
Add the AccessLog overlay to the “source” database
Recall, we have an existing database (with dn: olcDatabase={1}mdb,cn=config) for which we would like to log access. We create an overlay in that database and configure it to log into the AccessLog database we just created.
Create a file add_Overlay_to_Database.ldif and insert:
dn: olcOverlay=accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: session
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00
Add the content into the slapd server:
ldapmodify -a -D "cn=config" -w <password> -H ldap:// -f add_Overlay_to_Database.ldif
Now, whenever a session operation (abandon, bind or unbind) happens on the olcDatabase={1}mdb,cn=config database, a log entry will be created in dn: olcDatabase={2}mdb,cn=config.
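The point of keeping these records is to read them back. The following Python is an added example, not code from this post: it parses the LDIF that an ldapsearch against cn=accesslog returns and flags DNs with repeated failed binds, using the attribute names the accesslog overlay writes (reqStart, reqType, reqDN, reqResult); the sample records, the threshold and the time window are constructed assumptions.

```python
import base64
from collections import defaultdict
from datetime import datetime, timedelta

def _entry(ts, dn, result):
    # Constructed record in the shape ldapsearch -b cn=accesslog returns for a bind
    return (f"dn: reqStart={ts},cn=accesslog\nobjectClass: auditBind\nreqStart: {ts}\n"
            f"reqType: bind\nreqDN: {dn}\nreqResult: {result}\nreqMethod: SIMPLE\n")

# reqResult 49 is invalidCredentials, 0 is success; alice fails 3 times in 7 seconds
SAMPLE_LDIF = "\n".join(_entry(*r) for r in [
    ("20240301090000.000001Z", "uid=alice,ou=people,dc=example,dc=com", 49),
    ("20240301090003.000001Z", "uid=alice,ou=people,dc=example,dc=com", 49),
    ("20240301090007.000001Z", "uid=alice,ou=people,dc=example,dc=com", 49),
    ("20240301090010.000001Z", "uid=alice,ou=people,dc=example,dc=com", 0),
    ("20240301090001.000001Z", "uid=bob,ou=people,dc=example,dc=com", 49),
    ("20240301113000.000001Z", "uid=bob,ou=people,dc=example,dc=com", 49),
])

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per blank-line separated entry."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:          # folded continuation line
            cur[last][-1] += raw[1:]; continue
        if not raw.strip():                       # entry separator
            if cur: entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#"): continue          # ldapsearch comment lines
        key, _, val = raw.partition(":"); val = val.strip()
        if val.startswith(":"):                   # "attr:: <base64>" form
            val = base64.b64decode(val[1:].strip()).decode()
        cur.setdefault(key.strip(), []).append(val); last = key.strip()
    if cur: entries.append(cur)
    return entries

def failed_bind_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Map reqDN -> total failed binds for DNs with >= threshold failures inside window."""
    stamps = defaultdict(list)
    for e in entries:
        if e.get("reqType") == ["bind"] and e.get("reqResult", ["0"])[0] != "0":
            ts = datetime.strptime(e["reqStart"][0], "%Y%m%d%H%M%S.%fZ")
            stamps[e["reqDN"][0].lower()].append(ts)
    flagged = {}
    for dn, times in stamps.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged[dn] = len(times)
    return flagged
```

Because olcAccessLogOps is set to session, only abandon, bind and unbind records exist in cn=accesslog; a similar pass over reqType=modify would require adding writes to olcAccessLogOps.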