From: Howard Chu Date: Fri, 10 Jun 2005 11:41:57 +0000 (+0000) Subject: More accesslog updates X-Git-Tag: OPENLDAP_AC_BP~554 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=cd15432de662ab70d6a9b54448b854c25141248e;p=openldap More accesslog updates --- diff --git a/doc/man/man5/slapo-accesslog.5 b/doc/man/man5/slapo-accesslog.5 new file mode 100644 index 0000000000..4d195152a8 --- /dev/null +++ b/doc/man/man5/slapo-accesslog.5 
@@ -0,0 +1,385 @@ +.TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2005 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapo-accesslog \- Access Logging overlay +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The Access Logging overlay can be used to record all accesses to a given +backend database on another database. This allows all of the activity on +a given database to be reviewed using arbitrary LDAP queries, instead of +just logging to local flat text files. Configuration options are available +for selecting a subset of operation types to log, and to automatically +prune older log records from the logging database. Log records are stored +with a custom schema to assure their readability whether viewed as LDIF +or in raw form. +.SH CONFIGURATION +These +.B slapd.conf +options apply to the Access Logging overlay. +They should appear after the +.B overlay +directive and before any subsequent +.B database +directive. +.TP +.B logdb +Specify the suffix of a database to be used for storing the log records. +The specified database must have already been configured in a prior section +of the config file. The suffix entry of the database must also already +exist. The log entries will be generated as the immediate children of the +suffix entry. +.TP +.B logops +Specify which types of operations to log. The valid operation types are +abandon, add, bind, compare, delete, extended, modify, modrdn, search, +and unbind. Aliases for common sets of operations are also available: +.RS +.TP +.B writes +add, delete, modify, modrdn +.TP +.B reads +compare, search +.TP +.B session +abandon, bind, unbind +.TP +.B all +all operations +.RE +.TP +.B logpurge +Specify the maximum age for log entries to be retained in the database, +and how often to scan the database for old entries. 
Both the +.B age +and +.B interval +are specified as a time span in days, hours, minutes, and seconds. The +time format is [dd+]hh:mm[:ss] i.e., the days and seconds components are +optional but hours and minutes are required. Each numeric field must be +exactly two digits. For example +.RS +.RS +.PD 0 +.TP +logpurge 02+00:00 01+00:00 +.RE +.PD +would specify that the log database should be scanned every day for old +entries, and entries older than two days should be deleted. When using a +log database that supports ordered indexing on generalizedTime attributes, +specifying an eq index on the +.B reqStart +attribute will greatly benefit the performance of the purge operation. + +.SH EXAMPLES +.LP +.nf + database bdb + suffix cn=log + \... + index reqStart eq + + database bdb + suffix dc=example,dc=com + \... + overlay accesslog + logdb cn=log + logops writes reads +.fi + +.SH OBJECT CLASSES +The +.B accesslog +overlay defines a number of object classes for use in the logs. There is +a basic +.B auditObject +class from which two additional classes, +.B auditReadObject +and +.B auditWriteObject +are derived. Object classes for each type of LDAP operation are further +derived from these classes. This object class hierarchy is designed to +allow flexible yet efficient searches of the log based on either a specific +operation type's class, or on more general classifications. The definition +of the +.B auditObject +class is as follows: +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.1 + NAME 'auditObject' + DESC 'OpenLDAP request auditing' + SUP top STRUCTURAL + MUST ( reqStart $ reqType $ reqSession ) + MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ + reqEnd $ reqResult $ reqMessage ) ) +.RE +.P +Note that all of the OIDs used in the logging schema currently reside +under the OpenLDAP Experimental branch. It is anticipated that thay +will migrate to a Standard branch in the future. 
+ +An overview of the attributes follows: +.B reqStart +and +.B reqEnd +provide the start and end time of the operation, respectively. They use +generalizedTime syntax. The +.B reqStart +attribute is also used as the RDN for each log entry. + +The +.B reqType +attribute is a simple string containing the type of operation +being logged, e.g. +.BR add , +.BR delete , +.BR search , +etc. For extended operations, the type also includes the OID of the +extended operation, e.g. +.B extended(1.2.3.4.1) + +The +.B reqSession +attribute is an implementation-specific identifier that is common to +all the operations associated with the same LDAP session. Currently this +is slapd's internal connection ID, stored in decimal. + +The +.B reqDN +attribute is the distinguishedName of the target of the operation. E.g., for +a Bind request, this is the Bind DN. For an Add request, this is the DN +of the entry being added. For a Search request, this is the base DN of +the search. + +The +.B reqAuthzID +attribute is the distinguishedName of the user that performed the operation. +This will usually be the same name as was established at the start of a +session by a Bind request (if any) but may be altered in various +circumstances. + +The +.BR reqControls and +.B reqRespControls +attributes carry any controls sent by the client on the request and returned +by the server in the response, respectively. The attribute values are just +uninterpreted octet strings. + +The +.B reqResult +attribute is the numeric LDAP result code of the operation, indicating +either success or a particular LDAP error code. An error code may be +accompanied by a text error message which will be recorded in the +.B reqMessage +attribute. 
+ +Operation-specific classes are defined with additional attributes to carry +all of the relevant parameters associated with the operation: + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.4 + NAME 'auditAbandon' + DESC 'Abandon operation' + SUP auditObject STRUCTURAL + MUST reqId ) +.RE +.P +For the +.B Abandon +operation the +.B reqId +attribute contains the message ID of the request that was abandoned. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.5 + NAME 'auditAdd' + DESC 'Add operation' + SUP auditWriteObject STRUCTURAL + MUST reqMod ) +.RE +.P +The +.B Add +class inherits from the +.B auditWriteObject +class. The Add and Modify classes are essentially the same. The +.B reqMod +attribute carries all of the attributes of the original entry being added. +(Or in the case of a Modify operation, all of the modifications being +performed.) The values are formatted as +.RS +.RS +.PD 0 +.TP +attribute:<+|-|=|#> [ value] +.RE +.PD +Where '+' indicates an Add of a value, '-' for Delete, '=' for Replace, +and '#' for Increment. In an Add operation, all of the reqMod values will +have the '+' designator. +.RE +.P + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.6 + NAME 'auditBind' + DESC 'Bind operation' + SUP auditObject STRUCTURAL + MUST reqMethod ) +.RE +.P +The +.B Bind +class just adds the +.B reqMethod +attribute which contains the Bind Method used in the Bind. This will be +the string +.B SIMPLE +for LDAP Simple Binds or +.B SASL() +for SASL Binds. +Note that unless configured as a global overlay, only Simple Binds using +DNs that reside in the current database will be logged. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.7 + NAME 'auditCompare' + DESC 'Compare operation' + SUP auditObject STRUCTURAL + MUST reqAssertion ) +.RE +.P +For the +.B Compare +operation the +.B reqAssertion +attribute carries the Attribute Value Assertion used in the compare request. 
+ +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.8 + NAME 'auditModify' + DESC 'Modify operation' + SUP auditWriteObject STRUCTURAL + MUST reqMod ) +.RE +.P +The +.B Modify +operation has already been described. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.9 + NAME 'auditModRDN' + DESC 'ModRDN operation' + SUP auditWriteObject STRUCTURAL + MUST ( reqNewRDN $ reqDeleteOldRDN ) + MAY reqNewSuperior ) +.RE +.P +The +.B ModRDN +class uses the +.B reqNewRDN +attribute to carry the new RDN of the request. +The +.B reqDeleteOldRDN +attribute is a Boolean value showing +.B TRUE +if the old RDN was deleted from the entry, or +.B FALSE +if the old RDN was preserved. +The +.B reqNewSuperior +attribute carries the DN of the new parent entry if the request specified +the new parent. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.10 + NAME 'auditSearch' + DESC 'Search operation' + SUP auditReadObject STRUCTURAL + MUST ( reqScope $ reqAttrsOnly ) + MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ + reqTimeLimit ) ) +.RE +.P +For the +.B Search +class the +.B reqScope +attribute contains the scope of the original search request, i.e. +.BR base , +.BR onelevel , +.BR subtree , +or +.BR subordinate . +The +.B reqAttrsOnly +attribute is a Boolean value showing +.B TRUE +if only attribute names were requested, or +.B FALSE +if attributes and their values were requested. +The +.B reqFilter +attribute carries the filter used in the search request. +The +.B reqAttr +attribute lists the requested attributes if specific attributes were +requested. +The +.B reqEntries +attribute is the integer count of how many entries were returned by +this search request. +The +.B reqSizeLimit +and +.B reqTimeLimit +attributes indicate what limits were requested on the search operation. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.11 + NAME 'auditExtended' + DESC 'Extended operation' + SUP auditObject STRUCTURAL + MAY reqData ) +.RE +.P +The +.B Extended +class represents an LDAP Extended Operation. 
As noted above, the actual OID of +the operation is included in the +.B reqType +attribute of the parent class. If any optional data was provided with the +request, it will be contained in the +.B reqData +attribute as an uninterpreted octet string. + +.SH NOTES +The Access Log implemented by this overlay may be used for a variety of +other tasks, e.g. as a ChangeLog for a replication mechanism, as well +as for security/audit logging purposes. + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5). + +.SH ACKNOWLEDGEMENTS +.P +This module was written in 2005 by Howard Chu of Symas Corporation. diff --git a/servers/slapd/attr.c b/servers/slapd/attr.c index 63973e03cf..7042d18c2b 100644 --- a/servers/slapd/attr.c +++ b/servers/slapd/attr.c @@ -40,6 +40,23 @@ #include "slap.h" +Attribute * +attr_alloc( AttributeDescription *ad ) +{ + Attribute *a = ch_malloc( sizeof(Attribute) ); + + a->a_desc = ad; + a->a_next = NULL; + a->a_flags = 0; + a->a_vals = NULL; + a->a_nvals = NULL; +#ifdef LDAP_COMP_MATCH + a->a_comp_data = NULL; +#endif + + return a; +} + void attr_free( Attribute *a ) { @@ -91,7 +108,7 @@ attr_dup( Attribute *a ) if ( a == NULL) return NULL; - tmp = ch_malloc( sizeof(Attribute) ); + tmp = attr_alloc( a->a_desc ); if ( a->a_vals != NULL ) { int i; @@ -128,14 +145,6 @@ attr_dup( Attribute *a ) tmp->a_vals = NULL; tmp->a_nvals = NULL; } - - tmp->a_desc = a->a_desc; - tmp->a_next = NULL; - tmp->a_flags = 0; -#ifdef LDAP_COMP_MATCH - tmp->a_comp_data = NULL; -#endif - return tmp; } @@ -159,7 +168,6 @@ attrs_dup( Attribute *a ) } - /* * attr_merge - merge the given type and value with the list of * attributes in attrs. 
@@ -189,15 +197,7 @@ attr_merge( } if ( *a == NULL ) { - *a = (Attribute *) ch_malloc( sizeof(Attribute) ); - (*a)->a_desc = desc; - (*a)->a_vals = NULL; - (*a)->a_nvals = NULL; - (*a)->a_next = NULL; - (*a)->a_flags = 0; -#ifdef LDAP_COMP_MATCH - (*a)->a_comp_data = NULL; -#endif + *a = attr_alloc( desc ); } else { /* * FIXME: if the attribute already exists, the presence @@ -280,15 +280,7 @@ attr_merge_one( } if ( *a == NULL ) { - *a = (Attribute *) ch_malloc( sizeof(Attribute) ); - (*a)->a_desc = desc; - (*a)->a_vals = NULL; - (*a)->a_nvals = NULL; - (*a)->a_next = NULL; - (*a)->a_flags = 0; -#ifdef LDAP_COMP_MATCH - (*a)->a_comp_data = NULL; -#endif + *a = attr_alloc( desc ); } rc = value_add_one( &(*a)->a_vals, val ); diff --git a/servers/slapd/overlays/accesslog.c b/servers/slapd/overlays/accesslog.c index a674c72c3f..b3da2a206d 100644 --- a/servers/slapd/overlays/accesslog.c +++ b/servers/slapd/overlays/accesslog.c @@ -293,7 +293,7 @@ static struct { "SUP auditObject STRUCTURAL )", &log_ocs[LOG_EN_DELETE] }, { "( " LOG_SCHEMA_OC ".4 NAME 'auditAbandon' " "DESC 'Abandon operation' " - "SUP auditReadObject STRUCTURAL " + "SUP auditObject STRUCTURAL " "MUST reqId )", &log_ocs[LOG_EN_ABANDON] }, { "( " LOG_SCHEMA_OC ".5 NAME 'auditAdd' " "DESC 'Add operation' " @@ -301,14 +301,14 @@ static struct { "MUST reqMod )", &log_ocs[LOG_EN_ADD] }, { "( " LOG_SCHEMA_OC ".6 NAME 'auditBind' " "DESC 'Bind operation' " - "SUP auditReadObject STRUCTURAL " + "SUP auditObject STRUCTURAL " "MUST reqMethod )", &log_ocs[LOG_EN_BIND] }, { "( " LOG_SCHEMA_OC ".7 NAME 'auditCompare' " "DESC 'Compare operation' " "SUP auditReadObject STRUCTURAL " "MUST reqAssertion )", &log_ocs[LOG_EN_COMPARE] }, { "( " LOG_SCHEMA_OC ".8 NAME 'auditModify' " - "DESC 'Add or Modify operation' " + "DESC 'Modify operation' " "SUP auditWriteObject STRUCTURAL " "MUST reqMod )", &log_ocs[LOG_EN_MODIFY] }, { "( " LOG_SCHEMA_OC ".9 NAME 'auditModRDN' " 
@@ -324,7 +324,7 @@ static struct { "reqTimeLimit ) )", &log_ocs[LOG_EN_SEARCH] }, { "( " LOG_SCHEMA_OC ".11 NAME 'auditExtended' " "DESC 'Extended operation' " - "SUP auditReadObject STRUCTURAL " + "SUP auditObject STRUCTURAL " "MAY reqData )", &log_ocs[LOG_EN_EXTENDED] }, { NULL, NULL } }; diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index cb453fe715..cedd69cef6 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -207,6 +207,7 @@ LDAP_SLAPD_F (Attribute *) attr_dup LDAP_P(( Attribute *a )); #define attr_mergeit( e, d, v ) attr_merge( e, d, v, NULL /* FIXME */ ) #define attr_mergeit_one( e, d, v ) attr_merge_one( e, d, v, NULL /* FIXME */ ) +LDAP_SLAPD_F (Attribute *) attr_alloc LDAP_P(( AttributeDescription *ad )); LDAP_SLAPD_F (int) attr_merge LDAP_P(( Entry *e, AttributeDescription *desc, BerVarray vals,
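Review bot: In the new slapo-accesslog.5 (hunk @@ -0,0 +1,385 @@) the OBJECT CLASSES section documents auditAbandon, auditAdd, auditBind, auditCompare, auditModify, auditModRDN, auditSearch and auditExtended but never shows auditDelete (the accesslog.c context line `&log_ocs[LOG_EN_DELETE]` shows it exists) nor the auditReadObject and auditWriteObject classes that the text says the others derive from; please add their definitions so a reader can write filters on the general classifications the DESCRIPTION promises. Two documentation points beyond that: (1) the page explains that reqMod "carries all of the attributes of the original entry being added" or "all of the modifications being performed", that reqAssertion carries the compare value and that reqControls/reqRespControls are raw octet strings, so the log database reproduces request content and the CONFIGURATION or NOTES section should state that the `logdb` suffix needs access controls at least as restrictive as the database it records (in the EXAMPLES, anyone who can read cn=log can read what was written to dc=example,dc=com); (2) the sentence "unless configured as a global overlay, only Simple Binds using DNs that reside in the current database will be logged" is an audit gap worth moving into NOTES or the `logops` description, since a reader enabling `session` logging per-database will otherwise expect SASL binds to appear. Minor: "It is anticipated that thay will migrate" should read "they".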
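Review bot: In the attr.c hunk adding `attr_alloc` (@@ -40,6 +40,23 @@), the Attribute is initialised field by field, so any member added to the struct later starts uninitialised unless this function is also updated; the `#ifdef LDAP_COMP_MATCH` member already shows how the struct grows. Allocating with `ch_calloc( 1, sizeof(Attribute) )` and then setting only `a->a_desc = ad;` gives every present and future field a zero/NULL default and removes the `#ifdef`. A short comment stating that the caller owns the result and releases it with `attr_free` would also help, since the function is now exported through proto-slap.h.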
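Review bot: In the attr_dup hunk @@ -128,14 +145,6 @@, now that `tmp` comes from `attr_alloc( a->a_desc )`, which already sets `a_vals` and `a_nvals` to NULL, the context lines that still assign `tmp->a_vals = NULL; tmp->a_nvals = NULL;` for the no-values case are redundant and can go the same way as the removed `a_desc`/`a_next`/`a_flags` assignments, leaving just the `if ( a->a_vals != NULL )` copy.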
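Review bot: In the accesslog.c hunk @@ -301,14 +301,14 @@, auditBind is moved to `"SUP auditObject STRUCTURAL "` and auditAbandon and auditExtended get the same treatment in the neighbouring hunks, but the unchanged context for `&log_ocs[LOG_EN_COMPARE]` keeps `"SUP auditReadObject STRUCTURAL "` while the new man page defines auditCompare as `SUP auditObject STRUCTURAL`. The two must agree; since the man page's `reads` alias groups compare with search, the code is the more sensible of the two and the man page line should become `SUP auditReadObject STRUCTURAL`. The DESC change from 'Add or Modify operation' to 'Modify operation' matches the man page.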
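Review bot: In the proto-slap.h hunk @@ -207,6 +207,7 @@, the `attr_alloc` prototype is inserted between the `attr_mergeit_one` macro and `attr_merge`; placing it next to `attr_dup` (the declaration visible in the hunk header, `LDAP_SLAPD_F (Attribute *) attr_dup LDAP_P(( Attribute *a ));`) keeps the allocate/duplicate/free prototypes together and out of the middle of the merge macros.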