{"id":11830,"date":"2022-03-12T14:52:14","date_gmt":"2022-03-12T11:52:14","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11830"},"modified":"2022-03-12T14:52:19","modified_gmt":"2022-03-12T11:52:19","slug":"how-to-enable-openldap-audit-logging","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-enable-openldap-audit-logging\/","title":{"rendered":"How to Enable OpenLDAP Audit Logging"},"content":{"rendered":"\n

In this tutorial, you will learn how to enable OpenLDAP audit logging. OpenLDAP uses the Auditlog overlay<\/a> (slapo-auditlog) to record every change written to a database, as an LDIF change record, in a specified log file.<\/p>\n\n\n\n

How to Enable OpenLDAP Audit Logging<\/h2>\n\n\n\n

To enable OpenLDAP audit logging, you of course need a running OpenLDAP server that is configured through cn=config (slapd.d), because every change below is applied to the live configuration over ldapi:\/\/\/.<\/p>\n\n\n\n

You can check our previous articles on how to install and setup OpenLDAP server;<\/p>\n\n\n\n

Install and Setup OpenLDAP server on Ubuntu 22.04<\/a><\/p>\n\n\n\n

Install and Setup OpenLDAP Server on Debian 11<\/a><\/p>\n\n\n\n

Install and Setup OpenLDAP on Rocky Linux 8<\/a><\/p>\n\n\n\n

Once you have an OpenLDAP server running, proceed to enable OpenLDAP Audit logging.<\/p>\n\n\n\n

Enable OpenLDAP Audit Logging overlay Module<\/h3>\n\n\n\n

As already mentioned, the Auditlog overlay records every add, modify, modrdn and delete performed on the database it is attached to, in LDIF, to a specified log file. It does not record binds, searches or failed operations; use olcLogLevel (stats) and syslog for those.<\/p>\n\n\n\n

The overlay ships as a dynamically loaded module, so that module must be loaded before the overlay can be attached to a database.<\/p>\n\n\n\n

Check whether the Auditlog overlay module is already loaded by running this command on the OpenLDAP server;<\/p>\n\n\n\n

ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config | grep -i module<\/code><\/pre>\n\n\n\n

Sample output;<\/p>\n\n\n\n

\ndn: cn=module{0},cn=config\nobjectClass: olcModuleList\ncn: module{0}\nolcModulePath: \/usr\/libexec\/openldap\nolcModuleLoad: {0}back_mdb.la\nolcModuleLoad: {1}memberof.la\nolcModuleLoad: {2}refint.la\n...\n<\/code><\/pre>\n\n\n\n

From the output, the Auditlog overlay module is not enabled in my server.<\/p>\n\n\n\n

In my OpenLDAP server, the modules are stored under \/usr\/libexec\/openldap<\/code><\/strong> directory.<\/p>\n\n\n\n

The Auditlog overlay module is available at \/usr\/libexec\/openldap\/auditlog.la<\/code><\/strong> (on Debian and Ubuntu the module directory is \/usr\/lib\/ldap instead; olcModulePath in the output above tells you which).<\/p>\n\n\n\n

Thus, to load the Auditlog overlay module, modify the module list entry (dn: cn=module{0},cn=config<\/code><\/strong>) and append the module to olcModuleLoad by running the command below (ldapadd is simply ldapmodify -a, and the explicit changetype: modify in the LDIF is honoured);<\/p>\n\n\n\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/<\/code><\/pre>\n\n\n\n

When the command above runs, copy and paste the content below;<\/p>\n\n\n\n

dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: auditlog.la<\/code><\/pre>\n\n\n\n

Paste the content above and press<\/strong> ENTER<\/strong> twice<\/strong>; the blank line terminates the change record and the tool applies it immediately. Once you see the "modifying entry" message, close the input with Ctrl+d (Ctrl+c, as in the output below, works too, but Ctrl+d lets the tool exit cleanly).<\/p>\n\n\n\n

Sample command output;<\/p>\n\n\n\n

\nldapadd -Y EXTERNAL -H ldapi:\/\/\/\nSASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: auditlog.la\n\nmodifying entry \"cn=module{0},cn=config\"\n\n^C\n<\/code><\/pre>\n\n\n\n

Add Auditlog Overlay to SLAPD Database Backend<\/h3>\n\n\n\n

Once the module is loaded, attach the overlay to the SLAPD database backend <\/a>whose changes you want recorded, by adding an olcOverlay=auditlog child entry under that database's configuration entry.<\/p>\n\n\n\n

First identify that database entry. In my OpenLDAP server setup it is the MDB (LMDB) database, olcDatabase={1}mdb;<\/p>\n\n\n\n

ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b  cn=config olcDatabase -Q | grep olcDatabase:<\/code><\/pre>\n\n\n\n

Sample output;<\/p>\n\n\n\n

olcDatabase: {-1}frontend\nolcDatabase: {0}config\nolcDatabase: {1}mdb<\/strong><\/code><\/pre>\n\n\n\n

Thus, to attach the overlay to that database, run the command below;<\/p>\n\n\n\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/<\/code><\/pre>\n\n\n\n

Once the command runs, copy and paste the content below. Replace olcDatabase={1}mdb and the log file path if yours differ.<\/strong><\/p>\n\n\n\n

\ndn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcAuditLogConfig\nolcOverlay: auditlog\nolcAuditlogFile: \/var\/log\/slapd\/slapd-audit.log\n<\/code><\/pre>\n\n\n\n

Paste the content above and press<\/strong> ENTER<\/strong> twice<\/strong>.<\/p>\n\n\n\n

Next, press Ctrl+c<\/strong>.<\/p>\n\n\n\n

Sample command output;<\/p>\n\n\n\n

\nldapadd -Y EXTERNAL -H ldapi:\/\/\/\nSASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: olcOverlay=auditlog,olcDatabase={1}mdb,cn=config\nchangetype: add\nobjectClass: olcOverlayConfig\nobjectClass: olcAuditLogConfig\nolcOverlay: auditlog\nolcAuditlogFile: \/var\/log\/slapd\/slapd-audit.log\n\nadding new entry \"olcOverlay=auditlog,olcDatabase={1}mdb,cn=config\"\n<\/code><\/pre>\n\n\n\n

Ensure the log directory exists and is writable by the account slapd runs as (ldap on Rocky Linux\/RHEL, openldap on Debian\/Ubuntu). Keep it private: the audit log contains the full content of every write, including userPassword hashes whenever a password is changed, so nothing but root and the slapd user should be able to read it. Be aware that if slapd cannot open the file, the write operation still succeeds and simply goes unlogged, so verify the directory before relying on the trail (on SELinux-enforcing hosts, check \/var\/log\/audit\/audit.log for AVC denials from slapd if the file never appears);<\/p>\n\n\n\n

mkdir -p \/var\/log\/slapd && chown ldap: \/var\/log\/slapd && chmod 0750 \/var\/log\/slapd<\/code><\/pre>\n\n\n\n
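The steps above as one idempotent script, added here as an example and not code from the article or from the OpenLDAP project. It assumes root on the directory host, the ldap service account (set LDAP_USER=openldap on Debian\/Ubuntu), the olcDatabase={1}mdb database and the log path used above; unlike the interactive paste it creates the private log directory first and skips any step that is already in place:<\/p>\n\n\n\n

```shell
#!/bin/sh
# Added example for this article, not the project's own tooling: enable
# slapo-auditlog through cn=config over ldapi:/// in the right order (log
# directory first, module second, overlay last) and skip steps already done.
#
# Assumptions: run as root on the OpenLDAP host; the service account is
# "ldap" (Rocky Linux/RHEL) -- set LDAP_USER=openldap on Debian/Ubuntu; the
# database to audit is olcDatabase={1}mdb as in the article.
set -eu

LDAP_USER="${LDAP_USER:-ldap}"
AUDIT_DIR="${AUDIT_DIR:-/var/log/slapd}"
AUDIT_FILE="${AUDIT_FILE:-$AUDIT_DIR/slapd-audit.log}"
DB_DN="${DB_DN:-olcDatabase={1}mdb,cn=config}"

# cfg <base> [filter attrs...]: read cn=config as root over the UNIX socket.
cfg() { ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "$@"; }

# module_loaded <search output>: true if auditlog.la is in olcModuleLoad.
# Loaded values carry an ordering prefix such as {3}, so allow an optional {n}.
module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^olcModuleLoad: (\{[0-9]+\})?auditlog\.la$'
}

# overlay_present <search output>: true if an olcAuditLogConfig entry exists.
overlay_present() { printf '%s\n' "$1" | grep -q '^dn: olcOverlay='; }

# LDIF that appends the module to the existing module list entry.
module_ldif() {
cat <<'EOF'
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
EOF
}

# LDIF that attaches the overlay: $1 = database DN, $2 = log file path.
overlay_ldif() {
cat <<EOF
dn: olcOverlay=auditlog,$1
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: $2
EOF
}

apply() {
    # 1. Private log directory before the overlay exists: if slapd cannot open
    #    the file, writes still succeed and simply go unlogged. The records
    #    carry password hashes, so only root and $LDAP_USER may read them.
    install -d -m 0750 -o "$LDAP_USER" -g "$LDAP_USER" "$AUDIT_DIR"

    # 2. Load the module unless it is already listed.
    if module_loaded "$(cfg cn=config '(objectClass=olcModuleList)' olcModuleLoad)"; then
        echo "auditlog.la already loaded"
    else
        module_ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    fi

    # 3. Attach the overlay unless the database already has one.
    if overlay_present "$(cfg "$DB_DN" '(objectClass=olcAuditLogConfig)' olcAuditlogFile)"; then
        echo "auditlog overlay already present under $DB_DN"
    else
        overlay_ldif "$DB_DN" "$AUDIT_FILE" | ldapadd -Q -Y EXTERNAL -H ldapi:///
    fi

    # 4. Show the resulting overlay entry and the directory permissions.
    cfg "$DB_DN" '(objectClass=olcAuditLogConfig)' olcAuditlogFile
    ls -ld "$AUDIT_DIR"
}

# Run as: sh enable-auditlog.sh apply   (without the argument only the
# functions are defined, so the file can be sourced from other scripts)
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as sh enable-auditlog.sh apply; invoked without the argument it only defines the functions, so the LDIF generators and checks can be reused from other scripts.<\/p>\n\n\n\n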

Verify OpenLDAP Audit Logging<\/h3>\n\n\n\n

That completes the configuration. Test it by performing write operations against the directory and checking that each one is recorded;<\/p>\n\n\n\n

For example, we have a user janedoe with the attributes;<\/p>\n\n\n\n

ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -Q -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=janedoe<\/code><\/pre>\n\n\n\n
\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: shadowAccount\nuid: janedoe\ncn: jane\nsn: Doe\nloginShell: \/bin\/bash\nuidNumber: 10010\ngidNumber: 10010\nhomeDirectory: \/home\/janedoe\nshadowMax: 60\nshadowMin: 1\nshadowWarning: 7\nshadowInactive: 7\nshadowLastChange: 0\nuserPassword:: e1NTSEF9MTRhZ3FZQkZxbEw5SnY1dHF5ekozY1BIdUZJeng1Ujk=\n<\/code><\/pre>\n\n\n\n

Let's update the home directory;<\/p>\n\n\n\n

ldapmodify -Y EXTERNAL -H ldapi:\/\/\/<\/code><\/pre>\n\n\n\n
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nreplace: homeDirectory\nhomeDirectory: \/home\/janed<\/code><\/pre>\n\n\n\n

Once the modification has been applied, check the log file;<\/p>\n\n\n\n

less \/var\/log\/slapd\/slapd-audit.log<\/code><\/pre>\n\n\n\n

You should see an LDIF change record like the one below (the overlay also prefixes each record with a comment line giving the operation, a Unix timestamp and the identity that made the change, matching the # end trailer). Note that slapd's own operational-attribute updates (entryCSN, modifiersName, modifyTimestamp) are logged alongside the requested change, so modifiersName tells you who made it;<\/p>\n\n\n\n

\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nreplace: homeDirectory\nhomeDirectory: \/home\/janed\n-\nreplace: entryCSN\nentryCSN: 20220312110448.000680Z#000000#000#000000\n-\nreplace: modifiersName\nmodifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n-\nreplace: modifyTimestamp\nmodifyTimestamp: 20220312110448Z\n-\n# end modify 1647083088\n<\/code><\/pre>\n\n\n\n

Similarly, run other operations (add, modrdn, delete) and confirm that each one appears in the audit log;<\/p>\n\n\n\n
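A small triage helper for the records above, added here as an example (it is not part of slapo-auditlog or of the article): it prints one line per logged change with the identity that made it and the attributes touched, and flags changes to attributes such as userPassword or group membership. It keys on the # end trailer shown above; the leading # <op> <epoch> <identity> comment the overlay writes is an assumption used only as a fallback identity, and the second and third records in the embedded sample are constructed:<\/p>\n\n\n\n

```shell
#!/bin/sh
# Added example for this article (not part of slapo-auditlog itself): turn the
# audit log into one line per change and flag writes to sensitive attributes,
# using only POSIX sh and awk so it runs on the directory host.
#
# Record layout assumed: the LDIF change record shown in the article,
# terminated by "# end <op> <epoch>". The leading "# <op> <epoch> <identity>"
# comment the overlay writes is used for the identity only when the record
# carries no modifiersName/creatorsName attribute.

# Attribute names whose modification should always be reviewed.
# Assumption: extend this for your own schema (group membership, sudo rules...).
SENSITIVE_ATTRS="userPassword member uniqueMember memberUid olcRootPW olcAccess olcAuditlogFile"

# audit_summary [file...]: read audit records (stdin when no file is given) and
# print "<epoch> <op> <dn> by=<identity> attrs=<a,b,...>[ SENSITIVE]" per record.
audit_summary() {
    awk -v sens="$SENSITIVE_ATTRS" '
    BEGIN {
        n = split(sens, s, " ")
        for (i = 1; i <= n; i++) sensitive[s[i]] = 1
        # operational attributes slapd adds on its own; they are not user intent
        skip["entryCSN"] = skip["modifiersName"] = skip["modifyTimestamp"] = 1
        skip["creatorsName"] = skip["createTimestamp"] = skip["entryUUID"] = 1
        skip["structuralObjectClass"] = 1
    }
    function note(a) { if (!(a in skip) && !(a in seen)) { seen[a] = 1; order[++na] = a } }
    function reset() { dn = ""; ct = ""; by = ""; hdr_by = ""; na = 0; delete seen }
    /^# end / {                        # "# end modify 1647083088": always present
        list = ""; flag = ""
        for (i = 1; i <= na; i++) {
            list = (list == "" ? order[i] : list "," order[i])
            if (order[i] in sensitive) flag = " SENSITIVE"
        }
        if (list == "") list = "-"
        if (by == "") by = (hdr_by == "" ? "?" : hdr_by)
        printf "%s %s %s by=%s attrs=%s%s\n", $4, $3, dn, by, list, flag
        reset(); next
    }
    /^# / { hdr_by = $0; sub(/^# [^ ]+ [^ ]+ ?/, "", hdr_by); next }   # header
    /^dn: / { dn = substr($0, 5); next }
    /^changetype: / { ct = $2; next }
    /^modifiersName: / { by = substr($0, 16); next }
    /^creatorsName: / { by = substr($0, 15); next }
    ct == "modify" && /^(add|replace|delete): / { note($2); next }
    ct == "add" && /^[A-Za-z][A-Za-z0-9;-]*::? / { a = $1; sub(/::?$/, "", a); note(a); next }
    ' "$@"
}

# Constructed sample: the first record is the article's own output; the other
# two are made up to exercise the password-change and add paths.
SAMPLE_LOG='dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: homeDirectory
homeDirectory: /home/janed
-
replace: entryCSN
entryCSN: 20220312110448.000680Z#000000#000#000000
-
replace: modifiersName
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
-
replace: modifyTimestamp
modifyTimestamp: 20220312110448Z
-
# end modify 1647083088
# modify 1647083300 cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9bWFkZS11cC1oYXNoLWZvci10aGUtZXhhbXBsZQ==
-
replace: modifiersName
modifiersName: cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
-
# end modify 1647083300
# add 1647083400 cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: cn=backup,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: add
objectClass: groupOfNames
cn: backup
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
# end add 1647083400
'

# demo: run the summary over the constructed sample.
demo() { printf '%s' "$SAMPLE_LOG" | audit_summary; }

# Live usage:  audit_summary /var/log/slapd/slapd-audit.log | grep SENSITIVE
```

The second record shows why the file permissions matter: the new userPassword value is written to the log verbatim, so anyone who can read the audit log can harvest password hashes.<\/p>\n\n\n\n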

Configure Audit Logging File Rotation<\/h3>\n\n\n\n

Ensure the file is rotated so it does not grow without bound. The overlay opens the file in append mode for each logged operation and closes it again, so slapd needs no reload or postrotate signal. The create line keeps the freshly rotated-in file private (use openldap openldap on Debian\/Ubuntu), and rotate sets how many weeks of history stay on the host: pick it from your retention policy, and prefer forwarding the file to a central log collector over relying on local copies alone.<\/p>\n\n\n\n

\ncat > \/etc\/logrotate.d\/slapd-audit << 'EOL'\n\/var\/log\/slapd\/slapd-audit.log {\n    weekly\n    missingok\n    notifempty\n    rotate 12\n    compress\n    delaycompress\n    create 0640 ldap ldap\n}\nEOL\n<\/code><\/pre>\n\n\n\n

And there you go. That is it on how to enable OpenLDAP Audit logging.<\/p>\n\n\n\n

More Tutorials<\/h3>\n\n\n\n

Setup Apache Guacamole OpenLDAP Authentication<\/a><\/p>\n\n\n\n

Configure Squid Proxy OpenLDAP Authentication on pfSense<\/a><\/p>\n\n\n\n

Configure OpenLDAP Password Expiry Email Notification<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this tutorial, you will learn how to enable OpenLDAP audit logging. OpenLDAP uses Auditlog overlays to record any changes made to the database to<\/p>\n","protected":false},"author":1,"featured_media":11832,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[4683,4686,4685,4687,4684],"class_list":["post-11830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-how-to-enable-openldap-audit-logging","tag-ldap-audit-modules","tag-ldap-audit-overlay","tag-ldap-auditing","tag-openldap-audit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11830"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11830"}],"version-history":[{"count":2,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11830\/revisions"}],"predecessor-version":[{"id":11833,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11830\/revisions\/11833"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11832"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}