Enable LDAP Audit Logging
Description
The OpenLDAP Audit Logging (auditlog) overlay is enabled on the LDAP master server to record every backend change to a specified log file. Each change is written in standard LDIF format, together with the timestamp and the bind DN that made it.
Configuration
Perform the following steps on the LDAP master server.
1) Take a backup of the current LDAP data and LDAP config.
su - zimbra
mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat -c /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat -a /opt/zimbra/data/tmp/ldap_backup
2) Check the currently loaded modules.
ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=module{0},cn=config" olcModuleLoad
Example:
zimbra@mail:~$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=module{0},cn=config" olcModuleLoad
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}syncprov.la
olcModuleLoad: {3}accesslog.la
olcModuleLoad: {4}dynlist.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}noopsrch.la
olcModuleLoad: {7}pw-sha2.la
3) Load the auditlog module.
ldapadd -x -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
EOF
4) Check the currently configured overlays and their sequence numbers.
ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=config" "objectClass=olcOverlayConfig" dn
Example:
zimbra@mail:~$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=config" "objectClass=olcOverlayConfig" dn
dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config
dn: olcOverlay={1}unique,olcDatabase={2}mdb,cn=config
dn: olcOverlay={2}noopsrch,olcDatabase={2}mdb,cn=config
5) Add the auditlog overlay with the next free sequence number and define the log file path.
In the example above the next sequence number is "3".
ldapadd -x -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` <<EOF
dn: olcOverlay={3}auditlog,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /opt/zimbra/log/ldap-audit.log
EOF
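Steps 4 and 5 are done by hand above. The following POSIX shell/awk helper is an added example (not part of the original article): it reads the "dn:" lines that the step-4 ldapsearch returns, refuses to proceed if an auditlog overlay already exists on the database (running step 5 twice would otherwise fail or leave a duplicate), computes the next free {N} and emits the step-5 LDIF. The sample input is constructed from the article's own step-4 output; the function names and the database DN variable are this example's own.

```shell
# Added example, not from the original article: derive the next free overlay
# index from the step-4 ldapsearch output and emit the step-5 LDIF.

# Constructed sample: the three "dn:" lines the article's step-4 example returns.
SAMPLE_OVERLAY_DNS='dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config
dn: olcOverlay={1}unique,olcDatabase={2}mdb,cn=config
dn: olcOverlay={2}noopsrch,olcDatabase={2}mdb,cn=config'

# The database the overlays hang off (taken from the article's DNs).
DB_DN='olcDatabase={2}mdb,cn=config'

# Exit 0 if an overlay named $1 is already configured on database $2 (reads stdin).
overlay_present() {
  awk -v name="$1" -v db="$2" '
    /^dn: olcOverlay=[{][0-9]+[}]/ {
      rest = substr($2, index($2, "}") + 1)      # "dynlist,olcDatabase={2}mdb,cn=config"
      if (substr(rest, 1, index(rest, ",") - 1) == name &&
          substr(rest, index(rest, ",") + 1) == db) found = 1
    }
    END { exit !found }'
}

# Print the next free {N} for overlays on database $1 (reads stdin); 0 when none exist.
next_overlay_index() {
  awk -v db="$1" '
    /^dn: olcOverlay=[{][0-9]+[}]/ {
      rest = substr($2, index($2, "}") + 1)
      if (substr(rest, index(rest, ",") + 1) != db) next   # overlay of another database
      n = substr($2, index($2, "{") + 1) + 0               # "3}auditlog,..." + 0 -> 3
      if (n + 1 > nxt) nxt = n + 1
    }
    END { print nxt + 0 }'
}

# Emit the step-5 LDIF for database $1, index $2 and audit log file $3.
auditlog_overlay_ldif() {
  printf '%s\n' \
    "dn: olcOverlay={$2}auditlog,$1" \
    "changetype: add" \
    "objectClass: olcOverlayConfig" \
    "objectClass: olcAuditLogConfig" \
    "olcOverlay: {$2}auditlog" \
    "olcAuditlogFile: $3"
}

# Dry run on the constructed sample: prints the index step 5 would use (3 here).
demo_next_index() { printf '%s\n' "$SAMPLE_OVERLAY_DNS" | next_overlay_index "$DB_DN"; }

# On the real master, replace the sample with the article's step-4 command, e.g.
#   ldapsearch -x -LLL -H ldapi:/// -D cn=config -w "$(zmlocalconfig -s -m nokey ldap_root_password)" \
#     -b "cn=config" "objectClass=olcOverlayConfig" dn > /tmp/overlays.txt
# and pipe the resulting LDIF into the article's ldapadd command.
if printf '%s\n' "$SAMPLE_OVERLAY_DNS" | overlay_present auditlog "$DB_DN"; then
  echo "auditlog overlay already configured; nothing to add" >&2
else
  auditlog_overlay_ldif "$DB_DN" "$(demo_next_index)" /opt/zimbra/log/ldap-audit.log
fi
```

The presence check matters on a master that has been through this procedure before: cn=config rejects a second olcOverlay={N}auditlog entry with the same index, and a different index would load the overlay twice.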
6) Stop and start the LDAP service.
ldap stop; ldap start
7) Configure rotation of the audit log file [run as the 'root' user].
cat > /etc/logrotate.d/ldap-audit << 'EOL'
/opt/zimbra/log/ldap-audit.log {
    daily
    missingok
    notifempty
    create 0644 zimbra zimbra
    dateext
    dateformat .%Y-%m-%d
    postrotate
        /usr/sbin/service rsyslog restart >/dev/null 2>&1 || true
    endscript
    rotate 30
    compress
    su zimbra zimbra
}
EOL
8) The file "ldap-audit.log" now records changes as entries like the following.
root@mail:~# tail -f /opt/zimbra/log/ldap-audit.log
# modify 1666267066 global uid=zimbra,cn=admins,cn=zimbra IP=192.168.1.67:56746 conn=1009
dn: uid=testuser8,ou=people,dc=example,dc=com
changetype: modify
replace: zimbraDumpsterEnabled
zimbraDumpsterEnabled: TRUE
-
replace: entryCSN
entryCSN: 20221020115746.667324Z#000000#000#000000
-
replace: modifiersName
modifiersName: uid=zimbra,cn=admins,cn=zimbra
-
replace: modifyTimestamp
modifyTimestamp: 20221020115746Z
-
# end modify 1666267066
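Each entry runs from a "# <op> <epoch> <suffix> <bindDN> IP=<addr> conn=<n>" header to the matching "# end <op> <epoch>" line, with the change itself as LDIF in between. The parser below is an added example (not part of the original article): it turns every entry into one tab-separated record (operation, epoch, bind DN, client IP, target DN, attributes changed, with the operational attributes entryCSN, modifiersName and modifyTimestamp dropped because the overlay logs them on every write) and then flags records that touch a watched attribute or were made by a bind DN other than the one expected. The sample log is constructed from the entry above plus a second, made-up entry; the function names are this example's own.

```shell
# Added example, not from the original article: parse ldap-audit.log entries and
# flag the ones a defender would want to review.

# Constructed sample: the article's entry plus a second, made-up entry.
SAMPLE_AUDIT_LOG='# modify 1666267066 global uid=zimbra,cn=admins,cn=zimbra IP=192.168.1.67:56746 conn=1009
dn: uid=testuser8,ou=people,dc=example,dc=com
changetype: modify
replace: zimbraDumpsterEnabled
zimbraDumpsterEnabled: TRUE
-
replace: entryCSN
entryCSN: 20221020115746.667324Z#000000#000#000000
-
replace: modifiersName
modifiersName: uid=zimbra,cn=admins,cn=zimbra
-
replace: modifyTimestamp
modifyTimestamp: 20221020115746Z
-
# end modify 1666267066
# modify 1666270000 global uid=zimbra,cn=admins,cn=zimbra IP=192.168.1.99:40210 conn=1042
dn: uid=testuser9,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}constructed-placeholder-hash
-
replace: modifyTimestamp
modifyTimestamp: 20221020125320Z
-
# end modify 1666270000'

# Read audit log text on stdin; print one tab-separated record per entry:
#   op  epoch  bindDN  clientIP  targetDN  changedAttrs(comma-separated)
# For changetype add/delete entries changedAttrs stays empty.
audit_entries() {
  awk '
    BEGIN { OFS = "\t" }
    /^# (add|modify|delete|modrdn) [0-9]+ / {
      op = $2; epoch = $3; target = ""; attrs = ""; ip = ""
      binder = ($5 ~ /^IP=/) ? "-" : $5          # "-" when no bind DN was logged
      for (i = 5; i <= NF; i++) if ($i ~ /^IP=/) ip = substr($i, 4)
      in_entry = 1; next
    }
    /^# end / { if (in_entry) print op, epoch, binder, ip, target, attrs; in_entry = 0; next }
    !in_entry { next }                            # ignore text outside an entry
    /^dn: / { if (target == "") target = substr($0, 5); next }
    /^(replace|add|delete): / {
      a = $2
      if (a != "entryCSN" && a != "modifiersName" && a != "modifyTimestamp")
        attrs = attrs (attrs == "" ? "" : ",") a
    }'
}

# Print records that change attribute $1 or were made by a bind DN other than $2.
audit_alerts() {
  audit_entries | awk -v w="$1" -v ok="$2" '
    BEGIN { FS = "\t"; OFS = "\t" }
    {
      hit = ($3 != ok)
      n = split($6, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == w) hit = 1
      if (hit) print
    }'
}

# Helpers over the constructed sample so results can be checked without a server.
count_entries() { printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_entries | wc -l; }
count_alerts()  { printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_alerts "$1" "$2" | wc -l; }
first_attrs()   { printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_entries | head -n 1 | cut -f 6; }

# Demo: watch userPassword, expect only the Zimbra service DN from the article to write.
# On the master: audit_alerts userPassword 'uid=zimbra,cn=admins,cn=zimbra' < /opt/zimbra/log/ldap-audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_alerts userPassword 'uid=zimbra,cn=admins,cn=zimbra'
```

Zimbra's own tooling writes through the uid=zimbra service DN, so any record whose bind DN differs is a direct write that bypassed the product and deserves a look; the watched-attribute check catches sensitive changes made through the normal path.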
Submitted by: Heera Singh Koranga