1 /* accesslog.c - log operations for audit/history purposes */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2005 The OpenLDAP Foundation.
6 * Portions copyright 2004-2005 Symas Corporation.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted only as authorized by the OpenLDAP
13 * A copy of this license is available in the file LICENSE in the
14 * top-level directory of the distribution or, alternatively, at
15 * <http://www.OpenLDAP.org/license.html>.
18 * This work was initially developed by Howard Chu for inclusion in
24 #ifdef SLAPD_OVER_ACCESSLOG
28 #include <ac/string.h>
36 #define LOG_OP_ADD 0x001
37 #define LOG_OP_DELETE 0x002
38 #define LOG_OP_MODIFY 0x004
39 #define LOG_OP_MODRDN 0x008
40 #define LOG_OP_COMPARE 0x010
41 #define LOG_OP_SEARCH 0x020
42 #define LOG_OP_BIND 0x040
43 #define LOG_OP_UNBIND 0x080
44 #define LOG_OP_ABANDON 0x100
45 #define LOG_OP_EXTENDED 0x200
46 #define LOG_OP_UNKNOWN 0x400
48 #define LOG_OP_WRITES (LOG_OP_ADD|LOG_OP_DELETE|LOG_OP_MODIFY|LOG_OP_MODRDN)
49 #define LOG_OP_READS (LOG_OP_COMPARE|LOG_OP_SEARCH)
50 #define LOG_OP_SESSION (LOG_OP_BIND|LOG_OP_UNBIND|LOG_OP_ABANDON)
51 #define LOG_OP_ALL (LOG_OP_READS|LOG_OP_WRITES|LOG_OP_SESSION| \
52 LOG_OP_EXTENDED|LOG_OP_UNKNOWN)
54 typedef struct log_info {
61 ldap_pvt_thread_mutex_t li_op_mutex;
62 ldap_pvt_thread_mutex_t li_log_mutex;
65 static ConfigDriver log_cf_gen;
74 static ConfigTable log_cfats[] = {
75 { "logdb", "suffix", 2, 2, 0, ARG_DN|ARG_MAGIC|LOG_DB,
76 log_cf_gen, "( OLcfgOvAt:4.1 NAME 'olcAccessLogDB' "
77 "DESC 'Suffix of database for log content' "
78 "SUP distinguishedName SINGLE-VALUE )", NULL, NULL },
79 { "logops", "op|writes|reads|session|all", 2, 0, 0,
81 log_cf_gen, "( OLcfgOvAt:4.2 NAME 'olcAccessLogOps' "
82 "DESC 'Operation types to log' "
83 "EQUALITY caseIgnoreMatch "
84 "SYNTAX OMsDirectoryString )", NULL, NULL },
85 { "logpurge", "age> <interval", 3, 3, 0, ARG_MAGIC|LOG_PURGE,
86 log_cf_gen, "( OLcfgOvAt:4.3 NAME 'olcAccessLogPurge' "
87 "DESC 'Log cleanup parameters' "
88 "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
89 { "logsuccess", NULL, 2, 2, 0, ARG_MAGIC|ARG_ON_OFF|LOG_SUCCESS,
90 log_cf_gen, "( OLcfgOvAt:4.4 NAME 'olcAccessLogSuccess' "
91 "DESC 'Log successful ops only' "
92 "SYNTAX OMsBoolean SINGLE-VALUE )", NULL, NULL },
96 static ConfigOCs log_cfocs[] = {
98 "NAME 'olcAccessLogConfig' "
99 "DESC 'Access log configuration' "
100 "SUP olcOverlayConfig "
101 "MUST olcAccessLogDB "
102 "MAY ( olcAccessLogOps $ olcAccessLogPurge $ olcAccessLogSuccess ) )",
103 Cft_Overlay, log_cfats },
107 static slap_verbmasks logops[] = {
108 { BER_BVC("all"), LOG_OP_ALL },
109 { BER_BVC("writes"), LOG_OP_WRITES },
110 { BER_BVC("session"), LOG_OP_SESSION },
111 { BER_BVC("reads"), LOG_OP_READS },
112 { BER_BVC("add"), LOG_OP_ADD },
113 { BER_BVC("delete"), LOG_OP_DELETE },
114 { BER_BVC("modify"), LOG_OP_MODIFY },
115 { BER_BVC("modrdn"), LOG_OP_MODRDN },
116 { BER_BVC("compare"), LOG_OP_COMPARE },
117 { BER_BVC("search"), LOG_OP_SEARCH },
118 { BER_BVC("bind"), LOG_OP_BIND },
119 { BER_BVC("unbind"), LOG_OP_UNBIND },
120 { BER_BVC("abandon"), LOG_OP_ABANDON },
121 { BER_BVC("extended"), LOG_OP_EXTENDED },
122 { BER_BVC("unknown"), LOG_OP_UNKNOWN },
126 /* Start with "add" in logops */
144 static ObjectClass *log_ocs[LOG_EN__COUNT];
146 #define LOG_SCHEMA_ROOT "1.3.6.1.4.1.4203.666.11.5"
148 #define LOG_SCHEMA_AT LOG_SCHEMA_ROOT ".1"
149 #define LOG_SCHEMA_OC LOG_SCHEMA_ROOT ".2"
151 static AttributeDescription *ad_reqDN, *ad_reqStart, *ad_reqEnd, *ad_reqType,
152 *ad_reqSession, *ad_reqResult, *ad_reqAuthzID, *ad_reqControls,
153 *ad_reqRespControls, *ad_reqMethod, *ad_reqAssertion, *ad_reqNewRDN,
154 *ad_reqNewSuperior, *ad_reqDeleteOldRDN, *ad_reqMod,
155 *ad_reqScope, *ad_reqFilter, *ad_reqAttr, *ad_reqEntries,
156 *ad_reqSizeLimit, *ad_reqTimeLimit, *ad_reqAttrsOnly, *ad_reqData,
157 *ad_reqId, *ad_reqMessage;
159 static AttributeDescription *ad_oldest;
164 AttributeDescription **ad;
166 { "( " LOG_SCHEMA_AT ".1 NAME 'reqDN' "
167 "DESC 'Target DN of request' "
168 "EQUALITY distinguishedNameMatch "
170 "SINGLE-VALUE )", &ad_reqDN },
171 { "( " LOG_SCHEMA_AT ".2 NAME 'reqStart' "
172 "DESC 'Start time of request' "
173 "EQUALITY generalizedTimeMatch "
174 "ORDERING generalizedTimeOrderingMatch "
175 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
176 "SINGLE-VALUE )", &ad_reqStart },
177 { "( " LOG_SCHEMA_AT ".3 NAME 'reqEnd' "
178 "DESC 'End time of request' "
179 "EQUALITY generalizedTimeMatch "
180 "ORDERING generalizedTimeOrderingMatch "
181 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
182 "SINGLE-VALUE )", &ad_reqEnd },
183 { "( " LOG_SCHEMA_AT ".4 NAME 'reqType' "
184 "DESC 'Type of request' "
185 "EQUALITY caseIgnoreMatch "
186 "SYNTAX OMsDirectoryString "
187 "SINGLE-VALUE )", &ad_reqType },
188 { "( " LOG_SCHEMA_AT ".5 NAME 'reqSession' "
189 "DESC 'Session ID of request' "
190 "EQUALITY caseIgnoreMatch "
191 "SYNTAX OMsDirectoryString "
192 "SINGLE-VALUE )", &ad_reqSession },
193 { "( " LOG_SCHEMA_AT ".6 NAME 'reqResult' "
194 "DESC 'Result code of request' "
195 "EQUALITY integerMatch "
197 "SINGLE-VALUE )", &ad_reqResult },
198 { "( " LOG_SCHEMA_AT ".7 NAME 'reqAuthzID' "
199 "DESC 'Authorization ID of requestor' "
200 "EQUALITY distinguishedNameMatch "
202 "SINGLE-VALUE )", &ad_reqAuthzID },
203 { "( " LOG_SCHEMA_AT ".8 NAME 'reqControls' "
204 "DESC 'Request controls' "
205 "SYNTAX OMsOctetString )", &ad_reqControls },
206 { "( " LOG_SCHEMA_AT ".9 NAME 'reqRespControls' "
207 "DESC 'Response controls of request' "
208 "SYNTAX OMsOctetString )", &ad_reqRespControls },
209 { "( " LOG_SCHEMA_AT ".10 NAME 'reqMethod' "
210 "DESC 'Bind method of request' "
211 "EQUALITY caseIgnoreMatch "
212 "SYNTAX OMsDirectoryString "
213 "SINGLE-VALUE )", &ad_reqMethod },
214 { "( " LOG_SCHEMA_AT ".11 NAME 'reqAssertion' "
215 "DESC 'Compare Assertion of request' "
216 "SYNTAX OMsDirectoryString "
217 "SINGLE-VALUE )", &ad_reqAssertion },
218 { "( " LOG_SCHEMA_AT ".12 NAME 'reqNewRDN' "
219 "DESC 'New RDN of request' "
220 "EQUALITY distinguishedNameMatch "
222 "SINGLE-VALUE )", &ad_reqNewRDN },
223 { "( " LOG_SCHEMA_AT ".13 NAME 'reqNewSuperior' "
224 "DESC 'New superior DN of request' "
225 "EQUALITY distinguishedNameMatch "
227 "SINGLE-VALUE )", &ad_reqNewSuperior },
228 { "( " LOG_SCHEMA_AT ".14 NAME 'reqDeleteOldRDN' "
229 "DESC 'Delete old RDN' "
231 "SINGLE-VALUE )", &ad_reqDeleteOldRDN },
232 { "( " LOG_SCHEMA_AT ".15 NAME 'reqMod' "
233 "DESC 'Modifications of request' "
234 "SYNTAX OMsDirectoryString "
235 "EQUALITY caseIgnoreMatch "
236 "SUBSTR caseIgnoreSubstringsMatch )", &ad_reqMod },
237 { "( " LOG_SCHEMA_AT ".16 NAME 'reqScope' "
238 "DESC 'Scope of request' "
239 "SYNTAX OMsDirectoryString "
240 "SINGLE-VALUE )", &ad_reqScope },
241 { "( " LOG_SCHEMA_AT ".17 NAME 'reqFilter' "
242 "DESC 'Filter of request' "
243 "SYNTAX OMsDirectoryString "
244 "SINGLE-VALUE )", &ad_reqFilter },
245 { "( " LOG_SCHEMA_AT ".18 NAME 'reqAttr' "
246 "DESC 'Attributes of request' "
247 "SYNTAX OMsDirectoryString )", &ad_reqAttr },
248 { "( " LOG_SCHEMA_AT ".19 NAME 'reqEntries' "
249 "DESC 'Number of entries returned' "
251 "SINGLE-VALUE )", &ad_reqEntries },
252 { "( " LOG_SCHEMA_AT ".20 NAME 'reqSizeLimit' "
253 "DESC 'Size limit of request' "
255 "SINGLE-VALUE )", &ad_reqSizeLimit },
256 { "( " LOG_SCHEMA_AT ".21 NAME 'reqTimeLimit' "
257 "DESC 'Time limit of request' "
259 "SINGLE-VALUE )", &ad_reqTimeLimit },
260 { "( " LOG_SCHEMA_AT ".22 NAME 'reqAttrsOnly' "
261 "DESC 'Attributes and values of request' "
263 "SINGLE-VALUE )", &ad_reqAttrsOnly },
264 { "( " LOG_SCHEMA_AT ".23 NAME 'reqData' "
265 "DESC 'Data of extended request' "
266 "SYNTAX OMsOctetString "
267 "SINGLE-VALUE )", &ad_reqData },
268 { "( " LOG_SCHEMA_AT ".24 NAME 'reqId' "
269 "DESC 'ID of Request to Abandon' "
271 "SINGLE-VALUE )", &ad_reqId },
272 { "( " LOG_SCHEMA_AT ".25 NAME 'reqMessage' "
273 "DESC 'Error text of request' "
274 "SYNTAX OMsDirectoryString "
275 "SINGLE-VALUE )", &ad_reqMessage },
277 { "( " LOG_SCHEMA_AT ".26 NAME 'auditOldest' "
278 "DESC 'Oldest record in this branch' "
279 "EQUALITY generalizedTimeMatch "
280 "ORDERING generalizedTimeOrderingMatch "
281 "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
282 "SINGLE-VALUE )", &ad_oldest },
292 { "( " LOG_SCHEMA_OC ".0 NAME 'auditContainer' "
293 "SUP top STRUCTURAL "
295 "MAY cn )", &oc_container },
297 { "( " LOG_SCHEMA_OC ".1 NAME 'auditObject' "
298 "DESC 'OpenLDAP request auditing' "
299 "SUP top STRUCTURAL "
300 "MUST ( reqStart $ reqType $ reqSession ) "
301 "MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ reqEnd $ "
302 "reqResult $ reqMessage ) )", &log_ocs[LOG_EN_UNBIND] },
303 { "( " LOG_SCHEMA_OC ".2 NAME 'auditReadObject' "
304 "DESC 'OpenLDAP read request record' "
305 "SUP auditObject STRUCTURAL )", NULL },
306 { "( " LOG_SCHEMA_OC ".3 NAME 'auditWriteObject' "
307 "DESC 'OpenLDAP write request record' "
308 "SUP auditObject STRUCTURAL )", &log_ocs[LOG_EN_DELETE] },
309 { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' "
310 "DESC 'Abandon operation' "
311 "SUP auditObject STRUCTURAL "
312 "MUST reqId )", &log_ocs[LOG_EN_ABANDON] },
313 { "( " LOG_SCHEMA_OC ".5 NAME 'auditAdd' "
314 "DESC 'Add operation' "
315 "SUP auditWriteObject STRUCTURAL "
316 "MUST reqMod )", &log_ocs[LOG_EN_ADD] },
317 { "( " LOG_SCHEMA_OC ".6 NAME 'auditBind' "
318 "DESC 'Bind operation' "
319 "SUP auditObject STRUCTURAL "
320 "MUST reqMethod )", &log_ocs[LOG_EN_BIND] },
321 { "( " LOG_SCHEMA_OC ".7 NAME 'auditCompare' "
322 "DESC 'Compare operation' "
323 "SUP auditReadObject STRUCTURAL "
324 "MUST reqAssertion )", &log_ocs[LOG_EN_COMPARE] },
325 { "( " LOG_SCHEMA_OC ".8 NAME 'auditModify' "
326 "DESC 'Modify operation' "
327 "SUP auditWriteObject STRUCTURAL "
328 "MUST reqMod )", &log_ocs[LOG_EN_MODIFY] },
329 { "( " LOG_SCHEMA_OC ".9 NAME 'auditModRDN' "
330 "DESC 'ModRDN operation' "
331 "SUP auditWriteObject STRUCTURAL "
332 "MUST ( reqNewRDN $ reqDeleteOldRDN ) "
333 "MAY reqNewSuperior )", &log_ocs[LOG_EN_MODRDN] },
334 { "( " LOG_SCHEMA_OC ".10 NAME 'auditSearch' "
335 "DESC 'Search operation' "
336 "SUP auditReadObject STRUCTURAL "
337 "MUST ( reqScope $ reqAttrsonly ) "
338 "MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ "
339 "reqTimeLimit ) )", &log_ocs[LOG_EN_SEARCH] },
340 { "( " LOG_SCHEMA_OC ".11 NAME 'auditExtended' "
341 "DESC 'Extended operation' "
342 "SUP auditObject STRUCTURAL "
343 "MAY reqData )", &log_ocs[LOG_EN_EXTENDED] },
347 #define RDNEQ "reqStart="
349 /* Our time intervals are of the form [ddd+]hh:mm[:ss]
350 * If a field is present, it must be two digits. (Except for
351 * days, which can be arbitrary width.)
354 log_age_parse(char *agestr)
360 t1 = strtol( agestr, &endptr, 10 );
361 /* Is there a days delimiter? */
362 if ( *endptr == '+' ) {
363 /* 32 bit time only covers about 68 years */
364 if ( t1 < 0 || t1 > 25000 )
368 } else if ( *endptr != ':' ) {
369 /* No valid delimiter found, fail */
376 /* if there's a delimiter, it can only be a colon */
377 if ( agestr[2] && agestr[2] != ':' )
380 /* If we're at the end of the string, and we started with days,
381 * fail because we expected to find minutes too.
383 if ( gotdays && !agestr[2] )
395 /* last field can only be seconds */
396 if ( agestr[2] && ( agestr[2] != ':' || !gotdays ))
406 t1 += atoi( agestr );
412 log_age_unparse( int age, struct berval *agebv )
428 ptr += sprintf( ptr, "%d+", dd );
429 ptr += sprintf( ptr, "%02d:%02d", hh, mm );
431 ptr += sprintf( ptr, ":%02d", ss );
433 agebv->bv_len = ptr - agebv->bv_val;
436 static slap_callback nullsc = { NULL, NULL, NULL, NULL };
438 #define PURGE_INCREMENT 100
440 typedef struct purge_data {
448 log_old_lookup( Operation *op, SlapReply *rs )
450 purge_data *pd = op->o_callback->sc_private;
452 if ( rs->sr_type != REP_SEARCH) return 0;
454 if ( pd->used >= pd->slots ) {
455 pd->slots += PURGE_INCREMENT;
456 pd->dn = ch_realloc( pd->dn, pd->slots * sizeof( struct berval ));
457 pd->ndn = ch_realloc( pd->ndn, pd->slots * sizeof( struct berval ));
459 ber_dupbv( &pd->dn[pd->used], &rs->sr_entry->e_name );
460 ber_dupbv( &pd->ndn[pd->used], &rs->sr_entry->e_nname );
465 /* Periodically search for old entries in the log database and delete them */
467 accesslog_purge( void *ctx, void *arg )
469 struct re_s *rtask = arg;
470 struct log_info *li = rtask->arg;
472 Connection conn = {0};
473 OperationBuffer opbuf;
474 Operation *op = (Operation *) &opbuf;
475 SlapReply rs = {REP_RESULT};
476 slap_callback cb = { NULL, log_old_lookup, NULL, NULL };
478 AttributeAssertion ava = {0};
480 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE];
481 time_t old = slap_get_time();
483 connection_fake_init( &conn, op, ctx );
485 f.f_choice = LDAP_FILTER_LE;
489 ava.aa_desc = ad_reqStart;
490 ava.aa_value.bv_val = timebuf;
491 ava.aa_value.bv_len = sizeof(timebuf);
494 slap_timestamp( &old, &ava.aa_value );
496 op->o_tag = LDAP_REQ_SEARCH;
497 op->o_bd = li->li_db;
498 op->o_dn = li->li_db->be_rootdn;
499 op->o_ndn = li->li_db->be_rootndn;
500 op->o_req_dn = li->li_db->be_suffix[0];
501 op->o_req_ndn = li->li_db->be_nsuffix[0];
502 op->o_callback = &cb;
503 op->ors_scope = LDAP_SCOPE_ONELEVEL;
504 op->ors_deref = LDAP_DEREF_NEVER;
505 op->ors_tlimit = SLAP_NO_LIMIT;
506 op->ors_slimit = SLAP_NO_LIMIT;
508 filter2bv_x( op, &f, &op->ors_filterstr );
509 op->ors_attrs = slap_anlist_no_attrs;
510 op->ors_attrsonly = 1;
514 op->o_bd->be_search( op, &rs );
515 op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
520 op->o_tag = LDAP_REQ_DELETE;
521 op->o_callback = &nullsc;
523 for (i=0; i<pd.used; i++) {
524 op->o_req_dn = pd.dn[i];
525 op->o_req_ndn = pd.ndn[i];
526 op->o_bd->be_delete( op, &rs );
527 ch_free( pd.ndn[i].bv_val );
528 ch_free( pd.dn[i].bv_val );
534 ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
535 ldap_pvt_runqueue_stoptask( &slapd_rq, rtask );
536 ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
542 log_cf_gen(ConfigArgs *c)
544 slap_overinst *on = (slap_overinst *)c->bi;
545 struct log_info *li = on->on_bi.bi_private;
547 slap_mask_t tmask = 0;
548 char agebuf[2*STRLENOF("ddddd+hh:mm:ss ")];
549 struct berval agebv, cyclebv;
552 case SLAP_CONFIG_EMIT:
555 value_add( &c->rvalue_vals, li->li_db->be_suffix );
556 value_add( &c->rvalue_nvals, li->li_db->be_nsuffix );
559 rc = mask_to_verbs( logops, li->li_ops, &c->rvalue_vals );
562 agebv.bv_val = agebuf;
563 log_age_unparse( li->li_age, &agebv );
564 agebv.bv_val[agebv.bv_len] = ' ';
566 cyclebv.bv_val = agebv.bv_val + agebv.bv_len;
567 log_age_unparse( li->li_cycle, &cyclebv );
568 agebv.bv_len += cyclebv.bv_len;
569 value_add_one( &c->rvalue_vals, &agebv );
572 if ( li->li_success )
573 c->value_int = li->li_success;
579 case LDAP_MOD_DELETE:
582 /* noop. this should always be a valid backend. */
588 rc = verbs_to_mask( 1, &c->line, logops, &tmask );
590 li->li_ops &= ~tmask;
595 struct re_s *re = li->li_task;
597 if ( ldap_pvt_runqueue_isrunning( &slapd_rq, re ))
598 ldap_pvt_runqueue_stoptask( &slapd_rq, re );
599 ldap_pvt_runqueue_remove( &slapd_rq, re );
612 li->li_db = select_backend( &c->value_ndn, 0, 0 );
614 sprintf( c->msg, "<%s> no matching backend found for suffix",
616 Debug( LDAP_DEBUG_ANY, "%s: %s \"%s\"\n",
617 c->log, c->msg, c->value_dn.bv_val );
620 ch_free( c->value_dn.bv_val );
621 ch_free( c->value_ndn.bv_val );
624 rc = verbs_to_mask( c->argc, c->argv, logops, &tmask );
629 li->li_age = log_age_parse( c->argv[1] );
630 if ( li->li_age == -1 ) {
633 li->li_cycle = log_age_parse( c->argv[2] );
634 if ( li->li_cycle == -1 ) {
636 } else if ( slapMode & SLAP_SERVER_MODE ) {
637 struct re_s *re = li->li_task;
639 re->interval.tv_sec = li->li_cycle;
641 li->li_task = ldap_pvt_runqueue_insert( &slapd_rq,
642 li->li_cycle, accesslog_purge, li,
643 "accesslog_purge", li->li_db ?
644 li->li_db->be_suffix[0].bv_val :
645 c->be->be_suffix[0].bv_val );
650 li->li_success = c->value_int;
658 static Entry *accesslog_entry( Operation *op, int logop ) {
659 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
660 log_info *li = on->on_bi.bi_private;
662 char rdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
663 char nrdnbuf[STRLENOF(RDNEQ)+LDAP_LUTIL_GENTIME_BUFSIZE+8];
665 struct berval rdn, nrdn, timestamp, ntimestamp, bv;
666 slap_verbmasks *lo = logops+logop+EN_OFFSET;
668 Entry *e = ch_calloc( 1, sizeof(Entry) );
670 strcpy( rdnbuf, RDNEQ );
672 strcpy( nrdnbuf, RDNEQ );
673 nrdn.bv_val = nrdnbuf;
675 timestamp.bv_val = rdnbuf+STRLENOF(RDNEQ);
676 timestamp.bv_len = sizeof(rdnbuf) - STRLENOF(RDNEQ);
677 slap_timestamp( &op->o_time, ×tamp );
678 sprintf( timestamp.bv_val + timestamp.bv_len-1, ".%06dZ", op->o_tincr );
679 timestamp.bv_len += 7;
681 rdn.bv_len = STRLENOF(RDNEQ)+timestamp.bv_len;
682 ad_reqStart->ad_type->sat_equality->smr_normalize(
683 SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, ad_reqStart->ad_type->sat_syntax,
684 ad_reqStart->ad_type->sat_equality, ×tamp, &ntimestamp,
687 strcpy( nrdn.bv_val + STRLENOF(RDNEQ), ntimestamp.bv_val );
688 nrdn.bv_len = STRLENOF(RDNEQ)+ntimestamp.bv_len;
689 build_new_dn( &e->e_name, li->li_db->be_suffix, &rdn, NULL );
690 build_new_dn( &e->e_nname, li->li_db->be_nsuffix, &nrdn, NULL );
692 attr_merge_one( e, slap_schema.si_ad_objectClass,
693 &log_ocs[logop]->soc_cname, NULL );
694 attr_merge_one( e, slap_schema.si_ad_structuralObjectClass,
695 &log_ocs[logop]->soc_cname, NULL );
696 attr_merge_one( e, ad_reqStart, ×tamp, &ntimestamp );
697 op->o_tmpfree( ntimestamp.bv_val, op->o_tmpmemctx );
699 /* Exops have OID appended */
700 if ( logop == LOG_EN_EXTENDED ) {
701 bv.bv_len = lo->word.bv_len + op->ore_reqoid.bv_len + 2;
702 bv.bv_val = ch_malloc( bv.bv_len + 1 );
703 AC_MEMCPY( bv.bv_val, lo->word.bv_val, lo->word.bv_len );
704 bv.bv_val[lo->word.bv_len] = '{';
705 AC_MEMCPY( bv.bv_val+lo->word.bv_len+1, op->ore_reqoid.bv_val,
706 op->ore_reqoid.bv_len );
707 bv.bv_val[bv.bv_len-1] = '}';
708 bv.bv_val[bv.bv_len] = '\0';
709 attr_merge_one( e, ad_reqType, &bv, NULL );
711 attr_merge_one( e, ad_reqType, &lo->word, NULL );
714 rdn.bv_len = sprintf( rdn.bv_val, "%lu", op->o_connid );
715 attr_merge_one( e, ad_reqSession, &rdn, NULL );
717 if ( BER_BVISNULL( &op->o_dn ))
718 attr_merge_one( e, ad_reqAuthzID, (struct berval *)&slap_empty_bv,
719 (struct berval *)&slap_empty_bv );
721 attr_merge_one( e, ad_reqAuthzID, &op->o_dn, &op->o_ndn );
723 /* FIXME: need to add reqControls and reqRespControls */
728 static struct berval scopes[] = {
732 BER_BVC("subordinate")
735 static struct berval simple = BER_BVC("SIMPLE");
737 static int accesslog_response(Operation *op, SlapReply *rs) {
738 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
739 log_info *li = on->on_bi.bi_private;
740 Attribute *a, *last_attr;
748 char timebuf[LDAP_LUTIL_GENTIME_BUFSIZE+8];
753 SlapReply rs2 = {REP_RESULT};
755 if ( rs->sr_type != REP_RESULT && rs->sr_type != REP_EXTENDED )
756 return SLAP_CB_CONTINUE;
758 switch ( op->o_tag ) {
759 case LDAP_REQ_ADD: logop = LOG_EN_ADD; break;
760 case LDAP_REQ_DELETE: logop = LOG_EN_DELETE; break;
761 case LDAP_REQ_MODIFY: logop = LOG_EN_MODIFY; break;
762 case LDAP_REQ_MODRDN: logop = LOG_EN_MODRDN; break;
763 case LDAP_REQ_COMPARE: logop = LOG_EN_COMPARE; break;
764 case LDAP_REQ_SEARCH: logop = LOG_EN_SEARCH; break;
765 case LDAP_REQ_BIND: logop = LOG_EN_BIND; break;
766 case LDAP_REQ_EXTENDED: logop = LOG_EN_EXTENDED; break;
767 default: /* unknown operation type */
768 logop = LOG_EN_UNKNOWN; break;
769 } /* Unbind and Abandon never reach here */
771 lo = logops+logop+EN_OFFSET;
772 if ( !( li->li_ops & lo->mask ))
773 return SLAP_CB_CONTINUE;
775 if ( lo->mask & LOG_OP_WRITES ) {
776 ldap_pvt_thread_mutex_lock( &li->li_log_mutex );
777 ldap_pvt_thread_mutex_unlock( &li->li_op_mutex );
780 if ( li->li_success && rs->sr_err != LDAP_SUCCESS )
783 slap_op_time( &endtime, &nop );
785 e = accesslog_entry( op, logop );
788 bv.bv_len = sizeof(timebuf);
789 slap_timestamp( &endtime, &bv );
790 sprintf( bv.bv_val + bv.bv_len-1, ".%06dZ", nop );
793 attr_merge_normalize_one( e, ad_reqEnd, &bv, op->o_tmpmemctx );
795 attr_merge_one( e, ad_reqDN, &op->o_req_dn, &op->o_req_ndn );
798 ber_str2bv( rs->sr_text, 0, 0, &bv );
799 attr_merge_one( e, ad_reqMessage, &bv, NULL );
801 bv.bv_len = sprintf( timebuf, "%d", rs->sr_err );
804 attr_merge_one( e, ad_reqResult, &bv, NULL );
806 last_attr = attr_find( e->e_attrs, ad_reqResult );
810 /* count all the vals */
812 for ( a=op->ora_e->e_attrs; a; a=a->a_next ) {
814 for (b=a->a_vals; !BER_BVISNULL( b ); b++) {
819 vals = ch_malloc( (i+1) * sizeof( struct berval ));
821 for ( a=op->ora_e->e_attrs; a; a=a->a_next ) {
823 for (b=a->a_vals; !BER_BVISNULL( b ); b++,i++) {
824 vals[i].bv_len = a->a_desc->ad_cname.bv_len + b->bv_len +3;
825 vals[i].bv_val = ch_malloc( vals[i].bv_len+1 );
826 ptr = lutil_strcopy( vals[i].bv_val,
827 a->a_desc->ad_cname.bv_val );
831 AC_MEMCPY( ptr, b->bv_val, b->bv_len );
832 vals[i].bv_val[vals[i].bv_len] = '\0';
836 vals[i].bv_val = NULL;
838 a = attr_alloc( ad_reqMod );
841 last_attr->a_next = a;
845 /* needs nothing else */
849 /* count all the mods */
851 for ( m=op->orm_modlist; m; m=m->sml_next ) {
852 if ( m->sml_values ) {
853 for (b=m->sml_values; !BER_BVISNULL( b ); b++) {
856 } else if ( m->sml_op == LDAP_MOD_DELETE ) {
860 vals = ch_malloc( (i+1) * sizeof( struct berval ));
862 for ( m=op->orm_modlist; m; m=m->sml_next ) {
863 if ( m->sml_values ) {
864 for (b=m->sml_values; !BER_BVISNULL( b ); b++,i++) {
866 vals[i].bv_len = m->sml_desc->ad_cname.bv_len + b->bv_len +3;
867 vals[i].bv_val = ch_malloc( vals[i].bv_len+1 );
868 ptr = lutil_strcopy( vals[i].bv_val,
869 m->sml_desc->ad_cname.bv_val );
871 switch( m->sml_op ) {
872 case LDAP_MOD_ADD: c_op = '+'; break;
873 case LDAP_MOD_DELETE: c_op = '-'; break;
874 case LDAP_MOD_REPLACE: c_op = '='; break;
875 case LDAP_MOD_INCREMENT: c_op = '#'; break;
877 /* unknown op. there shouldn't be any of these. we
878 * don't know what to do with it, but we shouldn't just
881 default: c_op = '?'; break;
885 AC_MEMCPY( ptr, b->bv_val, b->bv_len );
886 vals[i].bv_val[vals[i].bv_len] = '\0';
888 } else if ( m->sml_op == LDAP_MOD_DELETE ) {
889 vals[i].bv_len = m->sml_desc->ad_cname.bv_len + 2;
890 vals[i].bv_val = ch_malloc( vals[i].bv_len+1 );
891 ptr = lutil_strcopy( vals[i].bv_val,
892 m->sml_desc->ad_cname.bv_val );
899 vals[i].bv_val = NULL;
901 a = attr_alloc( ad_reqMod );
904 last_attr->a_next = a;
908 attr_merge_one( e, ad_reqNewRDN, &op->orr_newrdn, &op->orr_nnewrdn );
909 attr_merge_one( e, ad_reqDeleteOldRDN, op->orr_deleteoldrdn ?
910 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
912 if ( op->orr_newSup ) {
913 attr_merge_one( e, ad_reqNewSuperior, op->orr_newSup, op->orr_nnewSup );
918 bv.bv_len = op->orc_ava->aa_desc->ad_cname.bv_len + 1 +
919 op->orc_ava->aa_value.bv_len;
920 bv.bv_val = op->o_tmpalloc( bv.bv_len+1, op->o_tmpmemctx );
921 ptr = lutil_strcopy( bv.bv_val, op->orc_ava->aa_desc->ad_cname.bv_val );
923 AC_MEMCPY( ptr, op->orc_ava->aa_value.bv_val, op->orc_ava->aa_value.bv_len );
924 bv.bv_val[bv.bv_len] = '\0';
925 attr_merge_one( e, ad_reqAssertion, &bv, NULL );
926 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
930 attr_merge_one( e, ad_reqScope, &scopes[op->ors_scope], NULL );
931 attr_merge_one( e, ad_reqAttrsOnly, op->ors_attrsonly ?
932 (struct berval *)&slap_true_bv : (struct berval *)&slap_false_bv,
934 if ( !BER_BVISEMPTY( &op->ors_filterstr ))
935 attr_merge_one( e, ad_reqFilter, &op->ors_filterstr, NULL );
936 if ( op->ors_attrs ) {
938 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
940 vals = op->o_tmpalloc( (i+1) * sizeof(struct berval),
942 for (i=0; !BER_BVISNULL(&op->ors_attrs[i].an_name );i++)
943 vals[i] = op->ors_attrs[i].an_name;
944 vals[i].bv_val = NULL;
946 attr_merge( e, ad_reqAttr, vals, NULL );
947 op->o_tmpfree( vals, op->o_tmpmemctx );
950 bv.bv_len = sprintf( bv.bv_val, "%d", rs->sr_nentries );
951 attr_merge_one( e, ad_reqEntries, &bv, NULL );
953 bv.bv_len = sprintf( bv.bv_val, "%d", op->ors_tlimit );
954 attr_merge_one( e, ad_reqTimeLimit, &bv, NULL );
955 /* FIXME: slimit was zeroed by the backends */
959 if ( op->orb_method == LDAP_AUTH_SIMPLE ) {
960 attr_merge_one( e, ad_reqMethod, &simple, NULL );
962 bv.bv_len = STRLENOF("SASL()") + op->orb_tmp_mech.bv_len;
963 bv.bv_val = op->o_tmpalloc( bv.bv_len + 1, op->o_tmpmemctx );
964 ptr = lutil_strcopy( bv.bv_val, "SASL(" );
965 ptr = lutil_strcopy( ptr, op->orb_tmp_mech.bv_val );
968 attr_merge_one( e, ad_reqMethod, &bv, NULL );
969 op->o_tmpfree( bv.bv_val, op->o_tmpmemctx );
973 case LOG_EN_EXTENDED:
974 if ( op->ore_reqdata ) {
975 attr_merge_one( e, ad_reqData, op->ore_reqdata, NULL );
980 /* we don't know its parameters, don't add any */
984 op2.o_hdr = op->o_hdr;
985 op2.o_tag = LDAP_REQ_ADD;
986 op2.o_time = endtime;
988 op2.o_bd = li->li_db;
989 op2.o_dn = li->li_db->be_rootdn;
990 op2.o_ndn = li->li_db->be_rootndn;
991 op2.o_req_dn = e->e_name;
992 op2.o_req_ndn = e->e_nname;
994 op2.o_callback = &nullsc;
996 if (( lo->mask & LOG_OP_WRITES ) && !BER_BVISEMPTY( &op->o_csn )) {
997 slap_queue_csn( &op2, &op->o_csn );
1000 op2.o_bd->be_add( &op2, &rs2 );
1004 ldap_pvt_thread_mutex_unlock( &li->li_log_mutex );
1005 return SLAP_CB_CONTINUE;
1009 accesslog_op_mod( Operation *op, SlapReply *rs )
1011 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1012 log_info *li = on->on_bi.bi_private;
1014 if ( li->li_ops & LOG_OP_WRITES ) {
1015 /* FIXME: this needs to be a recursive mutex to allow
1016 * overlays like refint to keep working.
1018 ldap_pvt_thread_mutex_lock( &li->li_op_mutex );
1020 return SLAP_CB_CONTINUE;
1023 /* unbinds are broadcast to all backends; we only log it if this
1024 * backend was used for the original bind.
1027 accesslog_unbind( Operation *op, SlapReply *rs )
1029 if ( op->o_conn->c_authz_backend == op->o_bd ) {
1030 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1031 log_info *li = on->on_bi.bi_private;
1033 SlapReply rs2 = {REP_RESULT};
1036 if ( !( li->li_ops & LOG_OP_UNBIND ))
1037 return SLAP_CB_CONTINUE;
1039 e = accesslog_entry( op, LOG_EN_UNBIND );
1040 op2.o_hdr = op->o_hdr;
1041 op2.o_tag = LDAP_REQ_ADD;
1042 op2.o_time = op->o_time;
1044 op2.o_bd = li->li_db;
1045 op2.o_dn = li->li_db->be_rootdn;
1046 op2.o_ndn = li->li_db->be_rootndn;
1047 op2.o_req_dn = e->e_name;
1048 op2.o_req_ndn = e->e_nname;
1050 op2.o_callback = &nullsc;
1052 op2.o_bd->be_add( &op2, &rs2 );
1055 return SLAP_CB_CONTINUE;
1059 accesslog_abandon( Operation *op, SlapReply *rs )
1061 slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
1062 log_info *li = on->on_bi.bi_private;
1064 SlapReply rs2 = {REP_RESULT};
1069 if ( !op->o_time || !( li->li_ops & LOG_OP_ABANDON ))
1070 return SLAP_CB_CONTINUE;
1072 e = accesslog_entry( op, LOG_EN_ABANDON );
1074 bv.bv_len = sprintf( buf, "%d", op->orn_msgid );
1075 attr_merge_one( e, ad_reqId, &bv, NULL );
1077 op2.o_hdr = op->o_hdr;
1078 op2.o_tag = LDAP_REQ_ADD;
1079 op2.o_time = op->o_time;
1081 op2.o_bd = li->li_db;
1082 op2.o_dn = li->li_db->be_rootdn;
1083 op2.o_ndn = li->li_db->be_rootndn;
1084 op2.o_req_dn = e->e_name;
1085 op2.o_req_ndn = e->e_nname;
1087 op2.o_callback = &nullsc;
1089 op2.o_bd->be_add( &op2, &rs2 );
1092 return SLAP_CB_CONTINUE;
1095 static slap_overinst accesslog;
1102 slap_overinst *on = (slap_overinst *)be->bd_info;
1103 log_info *li = ch_calloc(1, sizeof(log_info));
1105 on->on_bi.bi_private = li;
1106 ldap_pvt_thread_mutex_init( &li->li_op_mutex );
1107 ldap_pvt_thread_mutex_init( &li->li_log_mutex );
1112 accesslog_db_destroy(
1116 slap_overinst *on = (slap_overinst *)be->bd_info;
1117 log_info *li = on->on_bi.bi_private;
1119 ldap_pvt_thread_mutex_destroy( &li->li_log_mutex );
1120 ldap_pvt_thread_mutex_destroy( &li->li_op_mutex );
1122 return LDAP_SUCCESS;
1125 int accesslog_init()
1129 accesslog.on_bi.bi_type = "accesslog";
1130 accesslog.on_bi.bi_db_init = accesslog_db_init;
1131 accesslog.on_bi.bi_db_destroy = accesslog_db_destroy;
1133 accesslog.on_bi.bi_op_add = accesslog_op_mod;
1134 accesslog.on_bi.bi_op_delete = accesslog_op_mod;
1135 accesslog.on_bi.bi_op_modify = accesslog_op_mod;
1136 accesslog.on_bi.bi_op_modrdn = accesslog_op_mod;
1137 accesslog.on_bi.bi_op_unbind = accesslog_unbind;
1138 accesslog.on_bi.bi_op_abandon = accesslog_abandon;
1139 accesslog.on_response = accesslog_response;
1141 accesslog.on_bi.bi_cf_ocs = log_cfocs;
1143 nullsc.sc_response = slap_null_cb;
1145 rc = config_register_schema( log_cfats, log_cfocs );
1146 if ( rc ) return rc;
1148 /* log schema integration */
1149 for ( i=0; lattrs[i].at; i++ ) {
1150 LDAPAttributeType *lat;
1155 lat = ldap_str2attributetype( lattrs[i].at, &code, &err,
1156 LDAP_SCHEMA_ALLOW_ALL );
1158 Debug( LDAP_DEBUG_ANY, "accesslog_init: "
1159 "ldap_str2attributetype failed on %d: %s, %s\n",
1160 i, ldap_scherr2str(code), err );
1163 code = at_add( lat, 0, &at, &err );
1164 ldap_memfree( lat );
1166 Debug( LDAP_DEBUG_ANY, "log_back_initialize: "
1167 "at_add failed on %d: %s\n",
1168 i, scherr2str(code), 0 );
1171 if ( slap_bv2ad( &at->sat_cname, lattrs[i].ad, &err )) {
1172 Debug( LDAP_DEBUG_ANY, "accesslog_init: "
1173 "slap_bv2ad failed on %d: %s\n",
1178 for ( i=0; locs[i].ot; i++ ) {
1179 LDAPObjectClass *loc;
1184 loc = ldap_str2objectclass( locs[i].ot, &code, &err,
1185 LDAP_SCHEMA_ALLOW_ALL );
1187 Debug( LDAP_DEBUG_ANY, "accesslog_init: "
1188 "ldap_str2objectclass failed on %d: %s, %s\n",
1189 i, ldap_scherr2str(code), err );
1193 code = oc_add( loc, 0, &oc, &err );
1194 ldap_memfree( loc );
1196 Debug( LDAP_DEBUG_ANY, "accesslog_init: "
1197 "oc_add failed on %d: %s\n",
1198 i, scherr2str(code), 0 );
1205 return overlay_register(&accesslog);
1208 #if SLAPD_OVER_ACCESSLOG == SLAPD_MOD_DYNAMIC
1209 int init_module( int argc, char *argv[]) {
1210 return accesslog_init();
1214 #endif /* SLAPD_OVER_ACCESSLOG */