Re: LDAP Audit Logging

[Howard Chu <hyc@symas.com>]

Howard Chu wrote:

> objectclass AuditAdd - sup AuditObject
>   must: AddEntry
>  it would be nice if the entry itself could just be included inline, 
> to keep the entire audit entry human-readable, but I suspect it would 
> be more practical to store the LDIF or BER of the entry in a separate 
> attribute. My original implementation added this stuff inline.
>
> objectclass AuditModify - sup AuditObject
>  must: modification
>
> attribute modification -
> ( + | - | = ) attributeDescription $ value

Of course we could just collapse AuditAdd into AuditModify. In the 
interest of brevity/efficiency I would omit the attributeDescription on 
subsequent values when providing multiple values for an attribute. To 
avoid problems with value uniqueness I'd add an index to each value. So

attribute mod
 ( + | - | = ) index # attributeDescription $ value

e.g., adding an LDAP entry

dn: cn=tester,o=example.com
objectclass: person
cn: tester
cn: beta tester
sn: tester
sn: beta tester
telephoneNumber: +1-818-555-4321
telephoneNumber: +1-408-867-5309
telephoneNumber: +353-1-554-5554

could yield a log entry

dn: requestStart=200411011230326543,cn=auditlog
objectclass: auditModify
requestDN: cn=tester,o=example.com
requestStart: 200411011230326543
requestEnd: 200411011230326799
requestType: Add
sessionID: 42
requestResult: 0
mod: +0# objectclasss $ person
mod: +1# cn $ tester
mod: +2# $ beta tester
mod: +3# sn $ tester
mod: +4# $ beta tester
mod: +5# telephoneNumber $ +1-818-555-4321
mod: +6# $ +1-818-555-4321
mod: +7# $ +353-1-554-5554

(plus whatever operational attributes are attached/logged)

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support