Re: LDAP Audit Logging

Howard Chu wrote:

objectclass AuditAdd - sup AuditObject
must: AddEntry
It would be nice if the entry itself could just be included inline, to keep the entire audit entry human-readable, but I suspect it would be more practical to store the LDIF or BER of the entry in a separate attribute. My original implementation added this stuff inline.

objectclass AuditModify - sup AuditObject
 must: modification

attribute modification -
( + | - | = ) attributeDescription $ value

Of course we could just collapse AuditAdd into AuditModify. In the interest of brevity/efficiency I would omit the attributeDescription on subsequent values when providing multiple values for an attribute. To avoid problems with value uniqueness I'd add an index to each value. So

attribute mod
 ( + | - | = ) index # attributeDescription $ value

e.g., adding an LDAP entry

dn: cn=tester,o=example.com
objectclass: person
cn: tester
cn: beta tester
sn: tester
sn: beta tester
telephoneNumber: +1-818-555-4321
telephoneNumber: +1-408-867-5309
telephoneNumber: +353-1-554-5554

could yield a log entry

dn: requestStart=200411011230326543,cn=auditlog
objectclass: auditModify
requestDN: cn=tester,o=example.com
requestStart: 200411011230326543
requestEnd: 200411011230326799
requestType: Add
sessionID: 42
requestResult: 0
mod: +0# objectclass $ person
mod: +1# cn $ tester
mod: +2# $ beta tester
mod: +3# sn $ tester
mod: +4# $ beta tester
mod: +5# telephoneNumber $ +1-818-555-4321
mod: +6# $ +1-408-867-5309
mod: +7# $ +353-1-554-5554

(plus whatever operational attributes are attached/logged)

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
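The mod value syntax proposed above (op, index, attributeDescription, value, with the attributeDescription omitted when it repeats the previous value's) as an added example, not code from the original post or from OpenLDAP: a small Python encoder and decoder that round-trips the post's sample add entry, carries the omitted attributeDescription forward, and rejects out-of-order indexes. The function names and the regex are my own assumptions about how such values would be parsed.

```python
import re

# Constructed sample: the "mod" values of the auditModify entry from the post.
SAMPLE_MODS = [
    "+0# objectclass $ person",
    "+1# cn $ tester",
    "+2# $ beta tester",
    "+3# sn $ tester",
    "+4# $ beta tester",
    "+5# telephoneNumber $ +1-818-555-4321",
    "+6# $ +1-408-867-5309",
    "+7# $ +353-1-554-5554",
]

# ( + | - | = ) index # attributeDescription $ value
# An attributeDescription can never contain '$', so the first '$' after the
# index is an unambiguous separator even when the value itself contains '$'.
MOD_RE = re.compile(r"^([+\-=])(\d+)#\s*([^$\s]*)\s*\$\s*(.*)$")


def encode_mods(op: str, attrs: list[tuple[str, str]]) -> list[str]:
    """Encode (attribute, value) pairs as "mod" values; the attributeDescription
    is omitted when it is the same as the previous value's (as in the post)."""
    if op not in ("+", "-", "="):
        raise ValueError(f"bad op {op!r}")
    out, prev = [], None
    for idx, (attr, value) in enumerate(attrs):
        desc = "" if attr == prev else attr + " "
        out.append(f"{op}{idx}# {desc}$ {value}")
        prev = attr
    return out


def decode_mods(mods: list[str]) -> list[tuple[str, str, str]]:
    """Decode "mod" values to (op, attribute, value), filling in an omitted
    attributeDescription from the previous value and checking index order."""
    decoded, prev = [], None
    for expected, mod in enumerate(mods):
        m = MOD_RE.match(mod)
        if not m:
            raise ValueError(f"malformed mod value: {mod!r}")
        op, idx, attr, value = m.groups()
        if int(idx) != expected:
            raise ValueError(f"index {idx} out of order (expected {expected})")
        if not attr:
            if prev is None:
                raise ValueError(f"mod {idx} omits attributeDescription with no predecessor")
            attr = prev
        decoded.append((op, attr, value))
        prev = attr
    return decoded
```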