The LDAP audit log can be the most helpful mechanism I have found for investigating what LDAP requests a client is issuing, so I thought it would be useful to explain how to enable and configure audit logging with IBM Security Directory Suite Version 8 (the latest, virtual appliance-based LDAP server from IBM):
1. First of all, to see whether or not auditing is enabled, ssh to the virtual appliance, log in as admin, issue ‘sds’ then ‘client_tools’, and then issue a command like this:
idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=* ibm-audit
To see which events are being audited, issue a command like this:
idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=*
The results should look similar to the following:
client_tools> idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=* ibm-audit
cn=Audit, cn=Log Management, cn=Configuration
ibm-audit=true
client_tools> idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=*
cn=Audit, cn=Log Management, cn=Configuration
cn=Audit
ibm-audit=true
ibm-auditAdd=false
ibm-auditAttributesOnGroupEvalOp=false
ibm-auditBind=true
ibm-auditCompare=false
ibm-auditDelete=false
ibm-auditExtOp=false
ibm-auditExtOPEvent=false
ibm-auditFailedOPonly=true
ibm-auditGroupsOnGroupControl=false
ibm-auditModify=false
ibm-auditModifyDN=false
ibm-auditPerformance=false
ibm-auditPTABindInfo=true
ibm-auditSearch=false
ibm-auditUnbind=true
ibm-auditVersion=3
ibm-slapdLog=/home/sdsinst1/idsslapd-sdsinst1/logs/audit.log
ibm-slapdLogMgmtFrequency=min
objectclass=ibm-auditConfig
objectclass=ibm-slapdLogConfig
objectclass=ibm-slapdConfigEntry
objectclass=top
objectclass=ibm-slapdQRadarConfig
objectclass=ibm-slapdCognosConfig
client_tools>
2. To enable auditing using the Web Administration Tool:
(a) Launch the Web Administration Tool and log in (e.g. as ‘cn=root’).
(b) Go to ‘Server administration’ -> ‘Logs’ -> ‘Modify log settings’.
(c) Select ‘Server audit log’.
(d) From the ‘Select Action’ dropdown select ‘Edit Settings’.
(e) Select the check box ‘Enable server audit logging’.
(f) Optionally change ‘Audit log level’ from ‘Only failed attempts’ to ‘All attempts’. (Note that if you don’t do this, only failed attempts are audited!)
(g) Optionally update the operations to be logged in the ‘Operations to log’ section of the page.
(h) Optionally go to the ‘Select frequency’ dropdown and specify a different frequency.
(i) Click ‘Finish’. A message should be displayed ‘The changes were saved’.
3. To enable auditing using an LDIF file:
(a) Create an LDIF file as described at http://www-01.ibm.com/support/docview.wss?uid=swg21405323 .
(b) Go to the virtual appliance console (the ‘LMI’) and log in.
(c) Click ‘Configure Directory Suite’ -> ‘Advanced Configuration: Custom File Management’.
(d) Select the ‘CustomIn’ folder.
(e) Click ‘Upload’.
(f) Select and upload the LDIF file that you have created.
(g) ssh to the virtual appliance, log in as admin, issue ‘sds’ then ‘client_tools’.
(h) Issue a command like this to import the LDIF file that you have just uploaded to the virtual appliance:
idsldapmodify -D cn=root -w <my-password> -h <my-host> -f <my-filename>
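As an added example (not part of the original post or of IBM's tooling), the script below ties steps 1 and 3 together: it parses the attr=value output that idsldapsearch prints in step 1, compares it against a target audit policy, and generates the LDIF modify record that step 3 feeds to idsldapmodify. The sample output, the target policy in DESIRED and the function names are my assumptions; the attribute names and the DN are the ones shown in the post.

```python
# Constructed sample input (assumption): the attr=value lines that the step-1
# idsldapsearch prints, using the values shown in the post above.
SAMPLE_SEARCH_OUTPUT = """\
cn=Audit, cn=Log Management, cn=Configuration
cn=Audit
ibm-audit=true
ibm-auditAdd=false
ibm-auditBind=true
ibm-auditFailedOPonly=true
ibm-auditModify=false
ibm-auditSearch=false
ibm-auditUnbind=true
"""
AUDIT_DN = "cn=Audit, cn=Log Management, cn=Configuration"
# Target policy for an investigation (assumption, adjust as needed): auditing on,
# all attempts rather than failures only, and bind/search/modify recorded.
DESIRED = {
    "ibm-audit": "true",
    "ibm-auditFailedOPonly": "false",
    "ibm-auditBind": "true",
    "ibm-auditSearch": "true",
    "ibm-auditModify": "true",
}

def parse_audit_config(output: str) -> dict:
    """Turn 'attr=value' lines into a dict, skipping the DN lines (which start 'cn=')."""
    config = {}
    for line in output.splitlines():
        line = line.strip()
        if "=" not in line or line.lower().startswith("cn="):
            continue
        attr, _, value = line.partition("=")
        config[attr.strip()] = value.strip()
    return config

def audit_gaps(config: dict, desired: dict = DESIRED) -> dict:
    """Return the desired settings whose current value differs (case-insensitively)."""
    return {a: v for a, v in desired.items() if config.get(a, "").lower() != v}

def ldif_for_gaps(gaps: dict, dn: str = AUDIT_DN) -> str:
    """Build one LDIF modify record (changes separated by '-') for idsldapmodify -f."""
    if not gaps:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for i, (attr, value) in enumerate(gaps.items()):
        if i:
            lines.append("-")
        lines += [f"replace: {attr}", f"{attr}: {value}"]
    return "\n".join(lines) + "\n"
```

Run on the sample it reports that failed-only auditing is on and search/modify are not audited, and emits a record that flips exactly those three attributes.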
4. To view the audit log:
(a) From the top-level menu of the virtual appliance console, select ‘Manage System Settings’ -> ‘Maintenance: Log Retrieval and View’.
(b) Click the ‘Directory’ tab.
(c) Select ‘Audit.log’.
(d) Click ‘View’ or ‘Download’.
5. Obviously, enabling the audit log will impact performance, so it is worth switching auditing off or reducing it on a production system.
I hope that this is of use to someone…
Vaughan