I'm testing some solution with OpenLDAP. I'm running a test box with an OpenLDAP server and checking functionalities, testing the solution, etc.
I'm wondering whether there is a way to track changes made to the LDAP database. Some kind of changelog, and if there is that kind of functionality, how to enable it on CentOS with OpenLDAP server 2.4.
Yes, there is a way. You need to add the auditlog overlay and then configure it. Below are examples of the overlay and the configuration (bottom). This will just show changes made by any user:
--SNIPPET OF cn=admin base--
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap
olcModuleLoad: {0}accesslog.la
olcModuleLoad: {1}syncprov.la
olcModuleLoad: {2}back_bdb.la
# THIS IS THE ONE YOU NEED (an LDIF comment has to be on its own line; a trailing "#" would become part of the value)
olcModuleLoad: {3}auditlog.la

# {1}auditlog, {2}bdb, config
dn: olcOverlay={1}auditlog,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {1}auditlog
olcAuditlogFile: /opt/ldap/logs/auditlog.log
---------------------------------------------------
To enable via ldapmodify/add:
How about using slapcat to dump the database, then use some version control system like git to track the changes? That way you can always restore any state that you dumped with slapcat.
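Both answers above give you a change history in some form: the auditlog overlay appends each write operation as an LDIF change record to the file named by olcAuditlogFile, and a git history of slapcat dumps lets you compare any two states. The script below is an added example (not from either answer, and not OpenLDAP's own code) covering the reading side of both: it reduces auditlog records to who changed which entry and how, flags changes to sensitive attributes, and diffs two slapcat dumps while ignoring the operational attributes (entryCSN, contextCSN, modifyTimestamp, modifiersName) that change on every write and would otherwise swamp the diff. The record header layout assumed here (`# <op> <unix time> <suffix> <bind dn> conn=N op=N`), the watched-attribute list and all the sample data are constructed assumptions; check the header against your own log file before relying on the parser. One caveat for the git approach: a slapcat dump contains password hashes and every other attribute, so the repository needs the same access controls as the database itself.

```python
import base64
import re

VOLATILE_ATTRS = {"entrycsn", "contextcsn", "modifytimestamp", "modifiersname"}  # rewritten on every write/dump
WATCHED_ATTRS = {"userpassword", "olcrootpw", "olcaccess"}  # constructed alert list
# Assumed auditlog record header: "# <op> <unix time> <suffix> <bind dn> conn=N op=N"; verify against your file.
AUDIT_HEADER = re.compile(r"^# (?P<op>add|modify|delete|modrdn) (?P<ts>\d+) (?P<suffix>\S+)(?: (?P<who>\S+))?(?: conn=\d+ op=\d+)?$")

def _unfold(text):  # join LDIF continuation lines (leading space) onto the previous line
    return re.sub(r"\n ", "", text).splitlines()

def _split_attr(line):  # "name: value" or "name:: base64" -> (lowercase name, decoded value)
    name, _, value = line.partition(":")
    if value.startswith(":"):
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), value.strip()

def parse_ldif_entries(text):  # slapcat dump -> {dn: {attr: set(values)}}, comment lines skipped
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in _unfold(block):
            if line and not line.startswith("#"):
                name, value = _split_attr(line)
                if name == "dn":
                    dn = value
                else:
                    attrs.setdefault(name, set()).add(value)
        if dn:
            entries[dn] = attrs
    return entries

def parse_auditlog(text):  # auditlog overlay records -> list of {op, ts, who, dn, attrs}
    changes, current = [], None
    for line in _unfold(text):
        m = AUDIT_HEADER.match(line)
        if m:
            current = {"op": m.group("op"), "ts": int(m.group("ts")),
                       "who": m.group("who") or "(anonymous)", "dn": None, "attrs": []}
        elif current and line.startswith("# end "):
            changes.append(current)
            current = None
        elif current and line and not line.startswith("#"):
            name, value = _split_attr(line)
            if name == "dn":
                current["dn"] = value
            elif current["op"] == "modify" and name in ("add", "replace", "delete"):
                current["attrs"].append(f"{name}:{value}")  # e.g. "replace:userPassword"
    return changes

def sensitive_changes(changes):  # modify records that touch a watched attribute
    return [(c["ts"], c["who"], c["dn"], mod.partition(":")[2])
            for c in changes for mod in c["attrs"]
            if mod.partition(":")[2].lower() in WATCHED_ATTRS]

def diff_dumps(old_text, new_text):  # -> (added dns, removed dns, {dn: {attr: (old values, new values)}})
    old, new = parse_ldif_entries(old_text), parse_ldif_entries(new_text)
    changed = {}
    for dn in old.keys() & new.keys():
        diffs = {a: (sorted(old[dn].get(a, ())), sorted(new[dn].get(a, ())))
                 for a in (old[dn].keys() | new[dn].keys()) - VOLATILE_ATTRS
                 if old[dn].get(a, set()) != new[dn].get(a, set())}
        if diffs:
            changed[dn] = diffs
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed

# Constructed auditlog excerpt: the admin resets a password, then uid=jdoe deletes another entry.
SAMPLE_AUDITLOG = """\
# modify 1700000060 dc=example,dc=com cn=admin,dc=example,dc=com conn=1002 op=3
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: e1NTSEF9eA==
-
# end modify 1700000060

# delete 1700000120 dc=example,dc=com uid=jdoe,ou=people,dc=example,dc=com conn=1003 op=2
dn: uid=tmp,ou=people,dc=example,dc=com
changetype: delete
# end delete 1700000120
"""
# Constructed slapcat dumps from before and after those changes (what two git commits would hold).
OLD_DUMP = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
mail: jdoe@example.com

dn: uid=tmp,ou=people,dc=example,dc=com
uid: tmp
"""
NEW_DUMP = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
mail: john.doe@example.com
userPassword:: e1NTSEF9eA==
entryCSN: 20230102000000.000000Z#000000#000#000000

dn: uid=asmith,ou=people,dc=example,dc=com
uid: asmith
"""
```

For a live server, feed `parse_auditlog` the contents of the file the answer's olcAuditlogFile points at (`/opt/ldap/logs/auditlog.log` above), and feed `diff_dumps` two slapcat dumps checked out from git. The delete record in the sample shows why the bind DN column matters: a deletion performed by an ordinary user account rather than the admin is exactly the kind of entry a reviewer wants to see at a glance.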