Enable LDAP Audit Logging



KB 24483. Last updated on 2022-10-20.





Description

The auditlog overlay is loaded on the LDAP master server and records all backend changes to a specified log file. Every change is written in standard LDIF format.


Configuration

Perform the following steps on the LDAP master server.


1) Take a backup of the current LDAP data and LDAP configuration.

su - zimbra
mkdir /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat -c /opt/zimbra/data/tmp/ldap_backup
/opt/zimbra/libexec/zmslapcat -a /opt/zimbra/data/tmp/ldap_backup


2) Check currently loaded modules.

ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=module{0},cn=config" olcModuleLoad

Example:

zimbra@mail:~$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=module{0},cn=config" olcModuleLoad
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}syncprov.la
olcModuleLoad: {3}accesslog.la
olcModuleLoad: {4}dynlist.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}noopsrch.la
olcModuleLoad: {7}pw-sha2.la


3) Load the auditlog module.

ldapadd -x -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
EOF


4) Check currently configured overlays and their sequence number.

ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=config" "objectClass=olcOverlayConfig" dn

Example:

zimbra@mail:~$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` -b "cn=config" "objectClass=olcOverlayConfig" dn
dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config

dn: olcOverlay={1}unique,olcDatabase={2}mdb,cn=config

dn: olcOverlay={2}noopsrch,olcDatabase={2}mdb,cn=config


5) Add the auditlog overlay with the next free sequence number and define the log file path. In this example the next sequence number is "3".

ldapadd -x -H ldapi:/// -D cn=config -w `zmlocalconfig -s -m nokey ldap_root_password` <<EOF
dn: olcOverlay={3}auditlog,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /opt/zimbra/log/ldap-audit.log
EOF
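As an added example (not part of this article and not Zimbra's own tooling), the following Python script takes the text that the ldapsearch commands in steps 2 and 4 print and works out what steps 3 and 5 need: whether auditlog.la still has to be loaded, which olcDatabase the existing overlays belong to, and the next free overlay sequence number. It then emits the LDIF that ldapadd expects, or nothing if the module or overlay is already present, so re-running the procedure cannot load the module twice or reuse an index another overlay occupies. The sample outputs embedded in it are copied from the article's examples; the function and constant names are the example's own.

```python
"""Work out the cn=config changes of steps 2-5 from captured ldapsearch output.
Added example, not part of the Zimbra wiki article."""
import re

# Constructed sample: the outputs the article shows for steps 2 and 4.
MODULE_SEARCH_OUTPUT = """\
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}back_monitor.la
olcModuleLoad: {2}syncprov.la
olcModuleLoad: {3}accesslog.la
olcModuleLoad: {4}dynlist.la
olcModuleLoad: {5}unique.la
olcModuleLoad: {6}noopsrch.la
olcModuleLoad: {7}pw-sha2.la
"""
OVERLAY_SEARCH_OUTPUT = """\
dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config

dn: olcOverlay={1}unique,olcDatabase={2}mdb,cn=config

dn: olcOverlay={2}noopsrch,olcDatabase={2}mdb,cn=config
"""
AUDIT_LOG_PATH = "/opt/zimbra/log/ldap-audit.log"   # path the article uses

_MODULE_RE = re.compile(r"^olcModuleLoad:\s*(?:\{\d+\})?(\S+)", re.M)
_OVERLAY_RE = re.compile(
    r"^dn:\s*olcOverlay=\{(\d+)\}(\w+),(olcDatabase=\{\d+\}\w+),cn=config", re.M)


def loaded_modules(search_output):
    """Module file names from step 2's output, with the {n} ordering tags stripped."""
    return _MODULE_RE.findall(search_output)


def overlays_by_database(search_output):
    """Map each olcDatabase RDN to its [(index, overlay name), ...] from step 4's output."""
    result = {}
    for idx, name, db in _OVERLAY_RE.findall(search_output):
        result.setdefault(db, []).append((int(idx), name))
    return result


def plan_auditlog(module_output, overlay_output, database=None, logfile=AUDIT_LOG_PATH):
    """Return (module LDIF, overlay LDIF) for steps 3 and 5; None where already done.

    `database` defaults to the only database that currently carries overlays
    (olcDatabase={2}mdb in the article); name it explicitly if there are several.
    """
    overlays = overlays_by_database(overlay_output)
    if database is None:
        if len(overlays) != 1:
            raise ValueError("pick a database explicitly: %s" % sorted(overlays))
        database = next(iter(overlays))

    module_ldif = None
    if "auditlog.la" not in loaded_modules(module_output):
        module_ldif = ("dn: cn=module{0},cn=config\n"
                       "changetype: modify\n"
                       "add: olcModuleLoad\n"
                       "olcModuleLoad: auditlog.la\n")

    overlay_ldif = None
    existing = overlays.get(database, [])
    if not any(name == "auditlog" for _, name in existing):
        # Next free sequence number: one past the highest index in use (0 if none).
        nxt = max((idx for idx, _ in existing), default=-1) + 1
        overlay_ldif = ("dn: olcOverlay={%d}auditlog,%s,cn=config\n"
                        "changetype: add\n"
                        "objectClass: olcOverlayConfig\n"
                        "objectClass: olcAuditLogConfig\n"
                        "olcOverlay: {%d}auditlog\n"
                        "olcAuditlogFile: %s\n" % (nxt, database, nxt, logfile))
    return module_ldif, overlay_ldif


if __name__ == "__main__":
    for ldif in plan_auditlog(MODULE_SEARCH_OUTPUT, OVERLAY_SEARCH_OUTPUT):
        print(ldif or "# nothing to do\n")
```

To use it on a real server, capture the two ldapsearch outputs to files, pass their contents to plan_auditlog in place of the embedded samples, and feed the printed LDIF to the same ldapadd invocation the article uses; a result of None for either part means that part of the procedure has already been applied.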


6) Stop and start the LDAP service.

ldap stop; ldap start


7) Configure rotation of the audit log file (run as the 'root' user).

cat > /etc/logrotate.d/ldap-audit << 'EOL'
/opt/zimbra/log/ldap-audit.log {
    daily
    missingok
    notifempty
    create 0644 zimbra zimbra
    dateext
    dateformat .%Y-%m-%d
    postrotate
      /usr/sbin/service rsyslog restart >/dev/null 2>&1 || true
    endscript
    rotate 30
    compress
    su zimbra zimbra
}
EOL


8) From now on, "ldap-audit.log" records changes as entries like the following.

root@mail:~# tail -f /opt/zimbra/log/ldap-audit.log

# modify 1666267066 global uid=zimbra,cn=admins,cn=zimbra IP=192.168.1.67:56746 conn=1009
dn: uid=testuser8,ou=people,dc=example,dc=com
changetype: modify
replace: zimbraDumpsterEnabled
zimbraDumpsterEnabled: TRUE
-
replace: entryCSN
entryCSN: 20221020115746.667324Z#000000#000#000000
-
replace: modifiersName
modifiersName: uid=zimbra,cn=admins,cn=zimbra
-
replace: modifyTimestamp
modifyTimestamp: 20221020115746Z
-
# end modify 1666267066
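The entries the overlay writes follow a fixed shape: a comment line "# <operation> <epoch seconds> ... <bind DN> IP=<client address> conn=<connection id>", the change itself in LDIF, and a closing "# end <operation> <epoch>" line. As an added example (not code from this article or from Zimbra), the following Python script parses that shape into records and reports changes that touch attributes on a watch list, or that were made by a bind DN other than the one Zimbra's own tools use. The watch list, the service DN and the second log entry are assumptions constructed for the example; the first entry is the article's own, shortened. Because the overlay writes every attribute value verbatim, userPassword hashes included, the parser redacts that attribute before returning it; the same property is worth remembering when choosing the file mode in the logrotate stanza of step 7 (create 0644 leaves the log world-readable).

```python
"""Parse ldap-audit.log and flag changes that touch sensitive attributes.
Added example, not part of the Zimbra wiki article; watch list and service DN are assumed."""
import base64
import re

# Constructed sample: the article's entry (shortened) plus one invented entry.
SAMPLE_LOG = """\
# modify 1666267066 global uid=zimbra,cn=admins,cn=zimbra IP=192.168.1.67:56746 conn=1009
dn: uid=testuser8,ou=people,dc=example,dc=com
changetype: modify
replace: zimbraDumpsterEnabled
zimbraDumpsterEnabled: TRUE
-
# end modify 1666267066

# modify 1666267190 global uid=testuser8,ou=people,dc=example,dc=com IP=10.0.0.5:40112 conn=1023
dn: uid=testuser8,ou=people,dc=example,dc=com
changetype: modify
replace: zimbraIsAdminAccount
zimbraIsAdminAccount: TRUE
-
replace: userPassword
userPassword:: e1NTSEE1MTJ9ZXhhbXBsZQ==
-
# end modify 1666267190
"""

# Assumed policy values (not from the article): attributes whose change should
# always be reviewed, the bind DN Zimbra's own tools use, and values never copied
# into reports because the overlay writes them to the log verbatim.
WATCHED_ATTRS = {"userpassword", "zimbraisadminaccount", "zimbraisdelegatedadminaccount"}
SERVICE_DN = "uid=zimbra,cn=admins,cn=zimbra"
REDACTED_ATTRS = {"userpassword"}
_HEADER_RE = re.compile(r"^# (add|modify|delete|modrdn) (\d+) (.*)$")


def split_ldif_line(line):
    """Split an LDIF 'attr: value' or base64 'attr:: value' line into (attr, value)."""
    if ":: " in line:
        attr, _, b64 = line.partition(":: ")
        return attr, base64.b64decode(b64).decode("utf-8", "replace")
    attr, _, val = line.partition(": ")
    return attr, val


def parse_ldif_body(lines):
    """Return (dn, changetype, {attr: [(modop, value), ...]}) for one LDIF block."""
    dn = changetype = mod_op = None
    touched = {}
    for line in lines:
        if line == "-":                       # end of one modify sub-operation
            mod_op = None
            continue
        attr, val = split_ldif_line(line)
        key = attr.lower()
        if key == "dn":
            dn = val
        elif key == "changetype":
            changetype = val
        elif changetype == "modify" and key in ("add", "replace", "delete"):
            mod_op = key                      # attribute counts as touched even with no values
            touched.setdefault(val.lower(), [])
        elif changetype == "add" or mod_op:
            shown = "<redacted>" if key in REDACTED_ATTRS else val
            touched.setdefault(key, []).append((mod_op or "add", shown))
    return dn, changetype, touched


def parse_audit_log(text):
    """Return one record per '# <op> ... / # end <op>' block written by the overlay."""
    records, rec, body = [], None, []
    for raw in text.splitlines():
        m = _HEADER_RE.match(raw) if rec is None else None
        if m:
            toks = m.group(3).split()
            i = next((k for k, t in enumerate(toks) if t.startswith("IP=")), None)
            conn = next((int(t[5:]) for t in toks if t.startswith("conn=")), None)
            rec, body = {"op": m.group(1), "epoch": int(m.group(2)), "conn": conn,
                         "ip": toks[i][3:] if i is not None else None,
                         "modifier": toks[i - 1] if i else None}, []   # bind DN precedes IP=
        elif rec is not None and raw.startswith("# end "):
            rec["dn"], rec["changetype"], rec["touched"] = parse_ldif_body(body)
            records.append(rec)
            rec = None
        elif rec is not None and raw.startswith(" ") and body:
            body[-1] += raw[1:]                       # LDIF continuation line
        elif rec is not None and raw and not raw.startswith("#"):
            body.append(raw)
    return records


def review(records, watched=WATCHED_ATTRS, service_dn=SERVICE_DN):
    """Return (reason, record) pairs an operator should look at."""
    findings = []
    for rec in records:
        hits = sorted(a for a in rec["touched"] if a in watched)
        if hits:
            findings.append(("touches " + ",".join(hits), rec))
        if rec["modifier"] and rec["modifier"].lower() != service_dn.lower():
            findings.append(("bound as %s, not the service DN" % rec["modifier"], rec))
    return findings
```

To run it against the live log, pass the contents of /opt/zimbra/log/ldap-audit.log to parse_audit_log and print what review returns; each record is a plain dict (op, epoch, modifier, ip, conn, dn, changetype, touched), so it can be serialised to JSON and shipped to a SIEM as it is. On the embedded sample, the article's own entry produces no finding, while the constructed second entry is reported twice: once for touching userPassword and zimbraIsAdminAccount, and once because the change was made by a bind DN other than the service DN.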



Submitted by: Heera Singh Koranga
Article ID: https://wiki.zimbra.com/index.php?title=Enable_LDAP_Audit_Logging
Date Modified: 2022-10-20


