Vaughan Harper's blog – ISDS

LDAP – how to enable/configure audit logging

The LDAP audit log can be the most helpful mechanism that I have found for investigating what LDAP requests a client is issuing, so I thought that it would be useful to explain how to enable/configure audit logging with IBM Security Directory Suite Version 8 (the latest, virtual appliance-based LDAP server from IBM):

1. First of all, to see whether or not audit is enabled, ssh to the virtual appliance, log in as admin, issue ‘sds’ then ‘client_tools’, then issue a command like this:

idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=* ibm-audit

To see which events are being audited then issue a command like this:

idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=*

The results should look similar to the following:

client_tools> idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=* ibm-audit
cn=Audit, cn=Log Management, cn=Configuration
ibm-audit=true
client_tools> idsldapsearch -D cn=root -w <my-password> -h <my-host> -s base -b "cn=audit,cn=log management,cn=configuration" objectclass=*
cn=Audit, cn=Log Management, cn=Configuration
cn=Audit
ibm-audit=true
ibm-auditAdd=false
ibm-auditAttributesOnGroupEvalOp=false
ibm-auditBind=true
ibm-auditCompare=false
ibm-auditDelete=false
ibm-auditExtOp=false
ibm-auditExtOPEvent=false
ibm-auditFailedOPonly=true
ibm-auditGroupsOnGroupControl=false
ibm-auditModify=false
ibm-auditModifyDN=false
ibm-auditPerformance=false
ibm-auditPTABindInfo=true
ibm-auditSearch=false
ibm-auditUnbind=true
ibm-auditVersion=3
ibm-slapdLog=/home/sdsinst1/idsslapd-sdsinst1/logs/audit.log
ibm-slapdLogMgmtFrequency=min
objectclass=ibm-auditConfig
objectclass=ibm-slapdLogConfig
objectclass=ibm-slapdConfigEntry
objectclass=top
objectclass=ibm-slapdQRadarConfig
objectclass=ibm-slapdCognosConfig
client_tools>

2. To enable auditing using the Web Administration Tool:
(a) Launch the Web Administration Tool and log in (e.g. as ‘cn=root’).
(b) Go to ‘Server administration’ -> ‘Logs’ -> ‘Modify log settings’.
(c) Select ‘Server audit log’.
(d) From the ‘Select Action’ dropdown select ‘Edit Settings’.
(e) Select the check box ‘Enable server audit logging’.
(f) Optionally change ‘Audit log level’ from ‘Only failed attempts’ to ‘All attempts’. (Note that if you don’t do this, only failed attempts are audited!)
(g) Optionally update the operations to be logged in the ‘Operations to log’ section of the page.
(h) Optionally go to the ‘Select frequency’ dropdown and specify a different frequency.
(i) Click ‘Finish’. A message should be displayed ‘The changes were saved’.

3. To enable auditing using an LDIF file:
(a) Create an LDIF file as described at http://www-01.ibm.com/support/docview.wss?uid=swg21405323.
(b) Go to the virtual appliance console (the ‘LMI’) and log in.
(c) Click ‘Configure Directory Suite’ -> ‘Advanced Configuration: Custom File Management’.
(d) Select the ‘CustomIn’ folder.
(e) Click ‘Upload’.
(f) Select and upload the LDIF file that you have created.
(g) ssh to the virtual appliance, log in as admin, issue ‘sds’ then ‘client_tools’.
(h) Issue a command like this to import the LDIF file that you have just uploaded to the virtual appliance:

idsldapmodify -D cn=root -w <my-password> -h <my-host> -f <my-filename>
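As an added illustration (this is not the LDIF from the IBM document linked in step 3(a), nor from the original post), here is the kind of modify LDIF that step 3 imports. It uses only the attribute names shown in the step 1 search output; the assumption, based on the attribute names, is that ibm-auditFailedOPonly=false is the LDIF equivalent of choosing 'All attempts' in the Web Administration Tool, and that ibm-auditSearch=true switches on auditing of search requests, which is what you want when investigating which requests a client is issuing:

```ldif
# Added example: enable the audit log, record all attempts (not only failures),
# and audit bind, unbind and search operations.
# Assumes the attribute meanings inferred from the step 1 output; verify on your server.
dn: cn=audit,cn=log management,cn=configuration
changetype: modify
replace: ibm-audit
ibm-audit: true
-
replace: ibm-auditFailedOPonly
ibm-auditFailedOPonly: false
-
replace: ibm-auditBind
ibm-auditBind: true
-
replace: ibm-auditUnbind
ibm-auditUnbind: true
-
replace: ibm-auditSearch
ibm-auditSearch: true
```

After importing it with the idsldapmodify command above, re-run the step 1 search against cn=audit,cn=log management,cn=configuration to confirm that ibm-audit, ibm-auditSearch and ibm-auditFailedOPonly now show the values you expect. Setting ibm-auditSearch back to false (or ibm-auditFailedOPonly back to true) in the same way is the quickest route to reducing the logging load on a production system once the investigation is finished.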

4. To view the audit log:
(a) From the top-level menu of the virtual appliance console, select ‘Manage System Settings’ -> ‘Maintenance: Log Retrieval and View’.
(b) Click the ‘Directory’ tab.
(c) Select ‘Audit.log’.
(d) Click ‘View’ or ‘Download’.

5. Obviously enabling the audit log will impact performance, so it is worth switching off or reducing the auditing for a production system.

I hope that this is of use to someone…

Vaughan
