In this tutorial, you will learn how to enable OpenLDAP audit logging. OpenLDAP uses Auditlog overlays to record any changes made to the database to a specified log file.
How to Enable OpenLDAP Audit Logging
To enable OpenLDAP audit logging, you need to of course have an OpenLDAP server running.
You can check our previous articles on how to install and setup OpenLDAP server;
Install and Setup OpenLDAP server on Ubuntu 22.04
Install and Setup OpenLDAP Server on Debian 11
Install and Setup OpenLDAP on Rocky Linux 8
Once you have an OpenLDAP server running, proceed to enable OpenLDAP Audit logging.
Enable OpenLDAP Audit Logging overlay Module
As already mentioned, OpenLDAP uses Auditlog overlay module to record all changes on a given backend database to a specified log file.
As such, you need to have the Auditlog overlay module enabled.
Check if the Auditlog overlay moduled is enabled by running this command on OpenLDAP server;
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -LLL -Q | grep -i module
Sample output;
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
...
From the output, the Auditlog overlay module is not enabled in my server.
In my OpenLDAP server, the modules are stored under /usr/libexec/openldap
directory.
The Auditlog overlay module is available on the path, /usr/libexec/openldap/auditlog.la
.
Thus, to enable Auditlog Overlay module on OpenLDAP server, you need to modify the modules configuration entry (dn: cn=module{0},cn=config
) and add the Auditlog module by running the command below;
ldapadd -Y EXTERNAL -H ldapi:///
When the command above runs, copy and paste the content below;
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
Paste the content above and press ENTER twice.
Next, press Ctrl+c.
Sample command output;
ldapadd -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
modifying entry "cn=module{0},cn=config"
^C
Add Auditlog Overlay to SLAPD Database Backend
Once you have enabled the Auditlog overlay module, you need to update SLAPD database backend with Auditlog configuration options.
In my OpenLDAP server setup, LMDB is the default database backend.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase -Q | grep olcDatabase:
Sample output;
olcDatabase: {-1}frontend
olcDatabase: {0}config
olcDatabase: {1}mdb
Thus, to update the database with Audit logging configuration, run the command below;
ldapadd -Y EXTERNAL -H ldapi:///
Once the command runs, copy and paste the content below. Be sure to replace the configs accordingly.
dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/slapd-audit.log
Paste the content above and press ENTER twice.
Next, press Ctrl+c.
Sample command output;
ldapadd -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/slapd-audit.log
adding new entry "olcOverlay=auditlog,olcDatabase={1}mdb,cn=config"
Ensure the logging directory is writable by the OpenLDAP user;
mkdir /var/log/slapd.d/slapd-audit.ldif && chown -R ldap: /var/log/slapd.d/
Verify OpenLDAP Audit Logging
You are done with configuration. You can now test the audit logging by performing various ldap operations;
For example, we have a user janedoe with the attributes;
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=janedoe -LLL -Q
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: janedoe
cn: jane
sn: Doe
loginShell: /bin/bash
uidNumber: 10010
gidNumber: 10010
homeDirectory: /home/janedoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0
userPassword:: e1NTSEF9MTRhZ3FZQkZxbEw5SnY1dHF5ekozY1BIdUZJeng1Ujk=
lets try to update the home directory;
ldapadd -Y EXTERNAL -H ldapi:///
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed
When you have ran the command, check the logging file.
less /var/log/slapd/slapd-audit.log
You should see such entries;
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed
-
replace: entryCSN
entryCSN: 20220312110448.000680Z#000000#000#000000
-
replace: modifiersName
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
replace: modifyTimestamp
modifyTimestamp: 20220312110448Z
-
# end modify 1647083088
Similarly, you can run other operations and confirm the same on the database;
Configure Audit Logging File Rotation
Ensure the file is rotated to avoid it growing to unmanageable sizes.
cat > /etc/logrotate.d/slapd-audit << 'EOL'
/var/log/slapd/slapd-audit.log {
weekly
missingok
notifempty
sharedscripts
rotate 2
compress
delaycompress
}
EOL
And there you go. That is it on how to enable OpenLDAP Audit logging.
More Tutorials
Setup Apache Guacamole OpenLDAP Authentication