How to Enable OpenLDAP Audit Logging


In this tutorial, you will learn how to enable OpenLDAP audit logging. OpenLDAP uses Auditlog overlays to record any changes made to the database to a specified log file.

How to Enable OpenLDAP Audit Logging

To enable OpenLDAP audit logging, you of course need an OpenLDAP server up and running.

You can check our previous articles on how to install and set up an OpenLDAP server:

Install and Setup OpenLDAP server on Ubuntu 22.04

Install and Setup OpenLDAP Server on Debian 11

Install and Setup OpenLDAP on Rocky Linux 8

Once you have an OpenLDAP server running, proceed to enable OpenLDAP Audit logging.

Enable OpenLDAP Audit Logging overlay Module

As already mentioned, OpenLDAP uses the Auditlog overlay module to record all changes made to a given backend database to a specified log file.

As such, you need to have the Auditlog overlay module enabled.

Check if the Auditlog overlay module is enabled by running this command on the OpenLDAP server:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -Q | grep -i module

Sample output:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la
...

From the output, the Auditlog overlay module is not enabled on my server.

In my OpenLDAP server, the modules are stored under /usr/libexec/openldap directory.

The Auditlog overlay module is available on the path, /usr/libexec/openldap/auditlog.la.

Thus, to enable the Auditlog overlay module on the OpenLDAP server, you need to modify the module configuration entry (dn: cn=module{0},cn=config) and add the Auditlog module, by running the command below:

ldapadd -Y EXTERNAL -H ldapi:///

When the command above runs, copy and paste the content below:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

Paste the content above and press ENTER twice.

Next, press Ctrl+c.

Sample command output:

ldapadd -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

modifying entry "cn=module{0},cn=config"

^C

Add Auditlog Overlay to SLAPD Database Backend

Once you have enabled the Auditlog overlay module, you need to update the SLAPD database backend with the Auditlog overlay configuration options.

In my OpenLDAP server setup, LMDB (mdb) is the default database backend. You can list the configured databases with the command below:

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase -Q | grep olcDatabase:

Sample output:

olcDatabase: {-1}frontend
olcDatabase: {0}config
olcDatabase: {1}mdb

Thus, to update the database with the audit logging configuration, run the command below:

ldapadd -Y EXTERNAL -H ldapi:///

Once the command runs, copy and paste the content below. Be sure to adjust the database DN (olcDatabase={1}mdb here) and the log file path to match your setup.

dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/slapd-audit.log

Paste the content above and press ENTER twice.

Next, press Ctrl+c.

Sample command output:

ldapadd -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/slapd-audit.log

adding new entry "olcOverlay=auditlog,olcDatabase={1}mdb,cn=config"

Ensure the directory that holds the file named in olcAuditlogFile exists and is writable by the OpenLDAP user (ldap on RHEL-based systems, openldap on Debian/Ubuntu):

mkdir -p /var/log/slapd && chown -R ldap: /var/log/slapd

Keep this directory accessible to that user only. Every record in the audit log is the full LDIF of the change, so a password modification is written to it together with the new userPassword hash.
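The whole procedure above (load the module, attach the overlay to the data backend, prepare the log directory) as one script. This is an added example, not code from the tutorial: with no argument it only prints the LDIF it would send, assuming the {1}mdb database and log path used in this tutorial; run with --apply as root on the LDAP server, it applies the changes over ldapi:///. Assumptions not taken from the page: the slapd account is named ldap (Debian and Ubuntu packages use openldap), the module list lives in cn=module{0},cn=config as shown above, and root may bind with SASL EXTERNAL over ldapi:///.

```shell
#!/bin/sh
# Added example, not part of the tutorial: the two LDIF changes above as a
# script. With no argument it only prints the LDIF it would send (assuming
# the {1}mdb database and log path used in the tutorial). Run as
# "./enable-auditlog.sh --apply" as root on the LDAP server, it applies them
# over ldapi:/// and prepares the log directory.
#
# Assumptions not taken from the page: the slapd account is "ldap" (Debian
# and Ubuntu packages use "openldap"), the module list lives in
# cn=module{0},cn=config as in the tutorial, and root may bind with
# SASL EXTERNAL over ldapi:///.

AUDIT_LOG="${AUDIT_LOG:-/var/log/slapd/slapd-audit.log}"
SLAPD_USER="${SLAPD_USER:-ldap}"

# Read "olcDatabase: ..." lines (the tutorial's ldapsearch | grep output) from
# stdin and print the first data backend, e.g. "{1}mdb", skipping frontend
# and config.
pick_db() {
    awk -F': ' '/^olcDatabase:/ && $2 !~ /(frontend|config)$/ { print $2; exit }'
}

# Succeeds when the olcModuleLoad lines read from stdin already load auditlog.la.
module_loaded() {
    grep -q '^olcModuleLoad: .*auditlog\.la$'
}

# LDIF that appends auditlog.la to the module list (same change as above).
module_ldif() {
    printf '%s\n' \
        'dn: cn=module{0},cn=config' \
        'changetype: modify' \
        'add: olcModuleLoad' \
        'olcModuleLoad: auditlog.la'
}

# LDIF that attaches the overlay to database $1, logging to file $2.
overlay_ldif() {
    printf '%s\n' \
        "dn: olcOverlay=auditlog,olcDatabase=$1,cn=config" \
        'changetype: add' \
        'objectClass: olcOverlayConfig' \
        'objectClass: olcAuditLogConfig' \
        'olcOverlay: auditlog' \
        "olcAuditlogFile: $2"
}

apply_changes() {
    set -e
    # The log directory belongs to slapd alone: each record is the full LDIF
    # of a change, so userPassword hashes end up in it.
    install -d -m 0700 -o "$SLAPD_USER" -g "$SLAPD_USER" "$(dirname "$AUDIT_LOG")"

    if ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config \
            '(objectClass=olcModuleList)' olcModuleLoad | module_loaded; then
        echo "auditlog.la is already loaded"
    else
        module_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    fi

    db=$(ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | pick_db)
    [ -n "$db" ] || { echo "no data backend found under cn=config" >&2; exit 1; }
    overlay_ldif "$db" "$AUDIT_LOG" | ldapadd -Q -Y EXTERNAL -H ldapi:///
}

case "${1:-}" in
    --apply) apply_changes ;;
    *) module_ldif; echo; overlay_ldif '{1}mdb' "$AUDIT_LOG" ;;
esac
```

The module step is idempotent (it checks the loaded modules first); running the overlay step a second time makes ldapadd report that the overlay entry already exists, which is the expected failure rather than a duplicate overlay.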

Verify OpenLDAP Audit Logging

You are done with the configuration. You can now test audit logging by performing various LDAP operations.

For example, we have a user janedoe with the following attributes:

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=janedoe -Q

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: janedoe
cn: jane
sn: Doe
loginShell: /bin/bash
uidNumber: 10010
gidNumber: 10010
homeDirectory: /home/janedoe
shadowMax: 60
shadowMin: 1
shadowWarning: 7
shadowInactive: 7
shadowLastChange: 0
userPassword:: e1NTSEF9MTRhZ3FZQkZxbEw5SnY1dHF5ekozY1BIdUZJeng1Ujk=

Let's try to update the home directory:

ldapadd -Y EXTERNAL -H ldapi:///
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed

When you have run the command, check the log file:

less /var/log/slapd/slapd-audit.log

You should see entries like these:

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed
-
replace: entryCSN
entryCSN: 20220312110448.000680Z#000000#000#000000
-
replace: modifiersName
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
replace: modifyTimestamp
modifyTimestamp: 20220312110448Z
-
# end modify 1647083088
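Because the audit log is plain LDIF delimited by "# end <operation> <epoch>" lines like the one above, it is straightforward to turn into a change feed for monitoring. The script below is an added example, not part of the tutorial: it prints one line per recorded change (time, operation, target DN, who made it, which attributes were touched) and flags records that modify sensitive attributes such as userPassword. The sample log it runs on when called without arguments is constructed for this example: it contains the modify record shown above plus a made-up password change and a made-up new entry; the list of sensitive attributes is an assumption to adjust to your directory.

```shell
#!/bin/sh
# Added example, not part of the tutorial: summarise an slapo-auditlog file,
# one line per recorded change, and flag changes that touch sensitive
# attributes. Records are delimited as in the sample above: the LDIF of the
# change followed by "# end <op> <epoch>". Any other comment line is ignored.
# Usage: ./audit-summary.sh /var/log/slapd/slapd-audit.log
# With no argument it runs on a constructed sample log.

# Attributes whose change deserves a closer look (assumed list, extend to taste).
SENSITIVE="userPassword olcAccess olcRootPW"

# audit_summary FILE -> "<epoch> <op> <dn> by <modifier> attrs=<list> [SENSITIVE]"
audit_summary() {
    awk -v sensitive="$SENSITIVE" '
    BEGIN { n = split(sensitive, s, " "); for (i = 1; i <= n; i++) watch[tolower(s[i])] = 1 }
    function reset() { dn = ""; op = ""; who = ""; attrs = ""; flagged = 0 }
    # Record an attribute touched by the change, skipping the operational
    # attributes slapd maintains itself.
    function note(a,  l) {
        l = tolower(a)
        if (l ~ /^(entrycsn|entryuuid|modifiersname|modifytimestamp|creatorsname|createtimestamp|structuralobjectclass)$/) return
        if (index("," attrs ",", "," a ",") == 0) attrs = attrs (attrs == "" ? "" : ",") a
        if (l in watch) flagged = 1
    }
    /^# end / {
        line = $4 " " (op == "" ? $3 : op) " " dn " by " who " attrs=" attrs
        if (flagged) line = line " SENSITIVE"
        print line; reset(); next
    }
    /^#/ || /^-$/ || /^$/ { next }
    /^dn: / { dn = substr($0, 5); next }
    /^changetype: / { op = $2; next }
    /^(modifiersName|creatorsName): / { who = $0; sub(/^[a-zA-Z]+: /, "", who); next }
    /^(add|replace|delete): / { note($2); next }
    # In an add record every remaining line is an attribute of the new entry.
    op == "add" && /^[A-Za-z][A-Za-z0-9;-]*:/ { split($0, p, ":"); note(p[1]); next }
    ' "$1"
}

# Only the flagged records.
audit_sensitive() {
    audit_summary "$1" | grep ' SENSITIVE$'
}

# Constructed sample: the modify record shown in the tutorial, then a password
# change and a new entry that are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed
-
replace: entryCSN
entryCSN: 20220312110448.000680Z#000000#000#000000
-
replace: modifiersName
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
replace: modifyTimestamp
modifyTimestamp: 20220312110448Z
-
# end modify 1647083088
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLXZhbHVl
-
replace: modifiersName
modifiersName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
-
# end modify 1647083100
dn: uid=bob,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: add
objectClass: inetOrgPerson
uid: bob
cn: Bob
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxlLXZhbHVl
creatorsName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
# end add 1647083200
EOF
}

if [ $# -ge 1 ]; then
    audit_summary "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    audit_summary "$tmp"
    rm -f "$tmp"
fi
```

A cron job that pipes the current log through audit_sensitive, or a log shipper that forwards the one-line summaries, gives you an alert on password and ACL changes without having to parse multi-line LDIF downstream.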

Similarly, you can run other operations (add, delete, modrdn) and confirm that each of them is recorded in the audit log.

Configure Audit Logging File Rotation

Ensure the file is rotated so that it does not grow to an unmanageable size. The overlay opens the log in append mode for every record it writes and closes it again, so rotating the file by renaming it, as logrotate does below, needs no reload of slapd.

cat > /etc/logrotate.d/slapd-audit << 'EOL'
/var/log/slapd/slapd-audit.log {
    weekly
    missingok
    notifempty
    sharedscripts
    rotate 2
    compress
    delaycompress
}
EOL

And there you go. That is it on how to enable OpenLDAP Audit logging.



koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
