SCHEMA
The accesslog
overlay utilizes the "audit" schema described herein. This
schema is specifically designed for accesslog auditing and is not
intended to be used otherwise. It is also noted that the
schema describe here is a work
in progress, and hence subject
to change without notice. The schema is loaded automatically
by the overlay.
The schema includes a number of object classes and
associated attribute types as described below.
There is a basic auditObject class from which
two additional classes, auditReadObject and
auditWriteObject
are derived. Object classes for each type of LDAP operation
are further derived from these classes. This object class
hierarchy is designed to allow flexible yet efficient
searches of the log based on either a specific operation
type's class, or on more general classifications. The
definition of the auditObject class is as
follows:
( 1.3.6.1.4.1.4203.666.11.5.2.1 NAME 'auditObject'
DESC 'OpenLDAP request auditing' SUP top STRUCTURAL MUST
( reqStart $ reqType $ reqSession ) MAY ( reqDN $
reqAuthzID $ reqControls $ reqRespControls $ reqEnd $
reqResult $ reqMessage $ reqReferral ) )
Note that all of the OIDs used in the logging schema
currently reside under the OpenLDAP Experimental branch. It
is anticipated that they will migrate to a Standard branch in
the future.
An overview of the attributes follows: reqStart and reqEnd provide the start and
end time of the operation, respectively. They use
generalizedTime syntax. The reqStart attribute is also
used as the RDN for each log entry.
The reqType
attribute is a simple string containing the type of operation
being logged, e.g. add, delete, search, etc. For extended
operations, the type also includes the OID of the extended
operation, e.g. extended(1.1.1.1)
The reqSession
attribute is an implementation-specific identifier that is
common to all the operations associated with the same LDAP
session. Currently this is slapd's internal connection ID,
stored in decimal.
The reqDN
attribute is the distinguishedName of the target of the
operation. E.g., for a Bind request, this is the Bind DN. For
an Add request, this is the DN of the entry being added. For
a Search request, this is the base DN of the search.
The reqAuthzID
attribute is the distinguishedName of the user that performed
the operation. This will usually be the same name as was
established at the start of a session by a Bind request (if
any) but may be altered in various circumstances.
The reqControls
and reqRespControls
attributes carry any controls sent by the client on the
request and returned by the server in the response,
respectively. The attribute values are just uninterpreted
octet strings.
The reqResult
attribute is the numeric LDAP result code of the operation,
indicating either success or a particular LDAP error code. An
error code may be accompanied by a text error message which
will be recorded in the reqMessage attribute.
The reqReferral
attribute carries any referrals that were returned with the
result of the request.
Operation-specific classes are defined with additional
attributes to carry all of the relevant parameters associated
with the operation:
( 1.3.6.1.4.1.4203.666.11.5.2.4 NAME 'auditAbandon'
DESC 'Abandon operation' SUP auditObject STRUCTURAL MUST
reqId )
For the Abandon
operation the reqId
attribute contains the message ID of the request that was
abandoned.
( 1.3.6.1.4.1.4203.666.11.5.2.5 NAME 'auditAdd' DESC
'Add operation' SUP auditWriteObject STRUCTURAL MUST
reqMod )
The Add class
inherits from the auditWriteObject class. The
Add and Modify classes are very similar. The reqMod attribute carries all
of the attributes of the original entry being added. (Or in
the case of a Modify operation, all of the modifications
being performed.) The values are formatted as
- attribute:<+|-|=|#> [
value]
Where '+' indicates an Add of a value, '-' for Delete, '='
for Replace, and '#' for Increment. In an Add operation, all
of the reqMod values will have the '+' designator.
( 1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind' DESC
'Bind operation' SUP auditObject STRUCTURAL MUST (
reqVersion $ reqMethod ) )
The Bind class
includes the reqVersion attribute which
contains the LDAP protocol version specified in the Bind as
well as the reqMethod attribute which
contains the Bind Method used in the Bind. This will be the
string SIMPLE for LDAP Simple
Binds or SASL(<mech>) for SASL
Binds. Note that unless configured as a global overlay, only
Simple Binds using DNs that reside in the current database
will be logged.
( 1.3.6.1.4.1.4203.666.11.5.2.7 NAME 'auditCompare'
DESC 'Compare operation' SUP auditObject STRUCTURAL MUST
reqAssertion )
For the Compare
operation the reqAssertion attribute
carries the Attribute Value Assertion used in the compare
request.
( 1.3.6.1.4.1.4203.666.11.5.2.8 NAME 'auditDelete'
DESC 'Delete operation' SUP auditWriteObject STRUCTURAL
MAY reqOld )
The Delete
operation needs no further parameters. However, the
reqOld attribute
may optionally be used to record the contents of the entry
prior to its deletion. The values are formatted as
The reqOld
attribute is only populated if the entry being deleted
matches the configured logold filter.
( 1.3.6.1.4.1.4203.666.11.5.2.9 NAME 'auditModify'
DESC 'Modify operation' SUP auditWriteObject STRUCTURAL
MAY reqOld MUST reqMod )
The Modify
operation contains a description of modifications in the
reqMod attribute,
which was already described above in the Add operation. It
may optionally contain the previous contents of any modified
attributes in the reqOld attribute, using the
same format as described above for the Delete operation. The
reqOld attribute is
only populated if the entry being modified matches the
configured logold
filter.
( 1.3.6.1.4.1.4203.666.11.5.2.10 NAME 'auditModRDN'
DESC 'ModRDN operation' SUP auditWriteObject STRUCTURAL
MUST ( reqNewRDN $ reqDeleteOldRDN ) MAY reqNewSuperior
)
The ModRDN class
uses the reqNewRDN
attribute to carry the new RDN of the request. The reqDeleteOldRDN attribute is
a Boolean value showing TRUE if
the old RDN was deleted from the entry, or FALSE if the old RDN was preserved. The
reqNewSuperior
attribute carries the DN of the new parent entry if the
request specified the new parent.
( 1.3.6.1.4.1.4203.666.11.5.2.11 NAME 'auditSearch'
DESC 'Search operation' SUP auditReadObject STRUCTURAL
MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly ) MAY (
reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
reqTimeLimit ) )
For the Search
class the reqScope
attribute contains the scope of the original search request,
using the values specified for the LDAP URL format. I.e.
base, one, sub, or subord. The reqDerefAliases attribute is
one of never,
finding, searching, or always, denoting how aliases
will be processed during the search. The reqAttrsOnly attribute is a
Boolean value showing TRUE if
only attribute names were requested, or FALSE if attributes and their values were
requested. The reqFilter attribute carries
the filter used in the search request. The reqAttr attribute lists the
requested attributes if specific attributes were requested.
The reqEntries
attribute is the integer count of how many entries were
returned by this search request. The reqSizeLimit and reqTimeLimit attributes
indicate what limits were requested on the search
operation.
( 1.3.6.1.4.1.4203.666.11.5.2.12 NAME 'auditExtended'
DESC 'Extended operation' SUP auditObject STRUCTURAL MAY
reqData )
The Extended
class represents an LDAP Extended Operation. As noted above,
the actual OID of the operation is included in the reqType attribute of the
parent class. If any optional data was provided with the
request, it will be contained in the reqData attribute as an
uninterpreted octet string.
