How to enable Audit logging in IPA/IDM Server and Replica Servers

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

  • How to enable audit logging in IPA for :
    • Addition/Deletion of users.
    • Changing of RBAC rules
    • Changing of sudo rules.

Resolution

The audit log feature can be enabled using different methods.
The resulting log file is /var/log/dirsrv/slapd-<instance-name>/audit (rotated copies are written next to it in the same directory).
Note that the LDAP service may become slower if there are many LDAP changes, because every change is written to the log on disk, especially if the values are large.

Method available for RHEL-8: use the 389-ds command line utility dsconf.
Check whether audit logging is already enabled and, if it is not, turn it on:

dsconf -D "cn=Directory Manager" -W ldap://<ipa_hostname> config get | grep -i nsslapd-auditlog-logging-enabled
dsconf <INSTANCE-NAME> config replace nsslapd-auditlog-logging-enabled=on

Otherwise, to bind remotely by LDAP URL instead of using the local instance name:

dsconf -D 'cn=Directory Manager' -W ldaps://192.168.122.122:636 config replace nsslapd-auditlog-logging-enabled=on

For RHEL-8, RHEL-7 and RHEL-6, using the ldapmodify command (simple bind as Directory Manager; the log path, file mode, maximum size in MB and daily rotation are set in the same operation):

ldapmodify -x -D "cn=Directory Manager" -W << EOF
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: nsslapd-auditlog
nsslapd-auditlog: /var/log/dirsrv/slapd-<instance-name>/audit
-
replace: nsslapd-auditlog-mode
nsslapd-auditlog-mode: 600
-
replace: nsslapd-auditlog-maxlogsize
nsslapd-auditlog-maxlogsize: 100
-
replace: nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtime: 1
-
replace: nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-logrotationtimeunit: day
EOF

Another method for RHEL-8, RHEL-7 and RHEL-6, the least preferred, is to edit the configuration file dse.ldif by hand. The instance must be stopped first, because a running server rewrites dse.ldif and would discard the manual edit:

1. Stop the dirsrv service for the specific instance.
RHEL-8, RHEL-7

systemctl stop dirsrv@IDM-EXAMPLE-TEST.service

RHEL-6

service dirsrv stop <instance-name>

2. Edit the file dse.ldif and add (or replace) the following attributes in the cn=config entry:

vi  /etc/dirsrv/slapd-<instance-name>/dse.ldif
...
nsslapd-auditlog: /var/log/dirsrv/slapd-<instance-name>/audit
nsslapd-auditlog-mode: 600
nsslapd-auditlog-maxlogsize: 100
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-logging-enabled: on

3. Start the dirsrv service for the specific instance.
RHEL-8, RHEL-7

systemctl start dirsrv@IDM-EXAMPLE-TEST.service

RHEL-6

service dirsrv start <instance-name>

Root Cause

Audit logging is disabled by default; it can be needed for troubleshooting or audit purposes.

Diagnostic Steps

  • If you enable nsslapd-auditlog-logging-enabled on both servers (master and replica), the changes are logged in both audit logs (master and replica), because replicated changes are applied, and therefore audited, on each server.

  • On the IPA master:

time: 20140205205346
dn: dnaHostname=client.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
changetype: delete
modifiersname: krbprincipalname=ldap/client.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com

time: 20140205205348
dn: dnaHostname=client.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: client.example.com
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0
creatorsName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
modifiersName: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
createTimestamp: 20140205152133Z
modifyTimestamp: 20140205152133Z
parentid: 28
entryid: 334

time: 20140205205349
dn: uid=audituser2,cn=users,cn=accounts,dc=example,dc=com
changetype: add
displayName: audituser2 user2
cn: audituser2 user2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
loginShell: /bin/sh
sn: user2
uidNumber: 999
gidNumber: 999
gecos: audituser2 user2
homeDirectory: /home/audituser2
krbPwdPolicyReference: cn=global_policy,cn=example.com,cn=kerberos,dc=example,dc=com
mail: audituser2@example.com
krbPrincipalName: audituser2@example.com
givenName: audituser2
uid: audituser2
initials: au
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
modifiersName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
createTimestamp: 20140205152349Z
modifyTimestamp: 20140205152349Z
ipaUniqueID: 82f46946-8e79-11e3-9300-00163e747b88

time: 20140205205349
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: uid=audituser2,cn=users,cn=accounts,dc=example,dc=com
-
replace: modifiersname
modifiersname: uid=admin,cn=users,cn=accounts,dc=example,dc=com
-
replace: modifytimestamp
modifytimestamp: 20140205152349Z
-
replace: entryusn
entryusn: 8842
  • The account that created the entry can be seen in the creatorsName attribute of the log record (creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com); for modify and delete records, look at modifiersName. Similar log records are written on the IPA replica server.
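To turn the raw audit log into the review the Issue section asks for (user additions and deletions, sudo rule changes, RBAC changes), here is an added example parser; it is not part of the original solution. It assumes the standard IdM container DNs (cn=users,cn=accounts; cn=sudorules,cn=sudo; cn=roles,cn=accounts; cn=permissions and cn=privileges under cn=pbac), and the sample log it runs on is constructed in the record format shown above.

```python
# Assumed IdM containers (leading comma so a DN is matched by structure, not by a name prefix).
CONTAINERS = {"user": ",cn=users,cn=accounts,", "sudo rule": ",cn=sudorules,cn=sudo,",
              "role": ",cn=roles,cn=accounts,", "permission": ",cn=permissions,cn=pbac,",
              "privilege": ",cn=privileges,cn=pbac,"}

def parse_audit_log(text):
    """One record per 'time:' line; keeps the first value of each attribute name."""
    records, cur = [], None
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "time":
            cur = {}
            records.append(cur)
        if cur is not None and sep:   # skips the version header, '-' and blank lines
            cur.setdefault(name, value)
    return records

def actor(rec):
    """creatorsName on add records, modifiersName on modify and delete records."""
    return rec.get("creatorsname") or rec.get("modifiersname", "unknown")

def audit_events(text):
    """(time, kind, changetype, dn, actor) for the changes worth reviewing."""
    events = []
    for rec in parse_audit_log(text):
        kind = next((k for k, c in CONTAINERS.items() if c in rec.get("dn", "").lower()), None)
        # Only creation/deletion of users counts; every sudo rule or RBAC change is reported.
        if kind is None or (kind == "user" and rec.get("changetype") not in ("add", "delete")):
            continue
        events.append((rec["time"], kind, rec.get("changetype", ""), rec["dn"], actor(rec)))
    return events

# Constructed sample in the audit log format shown above; the group change is noise here.
SAMPLE_LOG = """\
time: 20140205205349
dn: uid=audituser2,cn=users,cn=accounts,dc=example,dc=com
changetype: add
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com

time: 20140205205349
dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
modifiersname: uid=admin,cn=users,cn=accounts,dc=example,dc=com

time: 20140205205400
dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
modifiersname: uid=admin,cn=users,cn=accounts,dc=example,dc=com
"""
```

Run it against the live file with audit_events(open("/var/log/dirsrv/slapd-<instance-name>/audit").read()); the group membership record is parsed but not reported.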

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.