0

I use OpenLDAP on Debian Stretch. I wanted to use the auditlog overlay module, however it does not seem to load.

  1. I added the module auditlog to my config

    # module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof
olcModuleLoad: {2}ppolicy
olcModuleLoad: {3}pw-sha2
olcModuleLoad: {4}refint
olcModuleLoad: {5}auditlog

  2. When I try to setup the overlay it throws a syntax error:

    adding new entry "olcOverlay=auditlog,olcDatabase={1}mdb,cn=config"
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #3 invalid per syntax

That means that OpenLDAP does not recognize the objectClass olcAuditLogConfig which should have been added by the auditlog module. I tried using auditlog.la instead but that does not make any difference.

Any suggestions?

TylerDurden
  • 191
  • 1
  • 3
  • 14
  • I always thought it is case sensitive. Can you show all your config and the modification ldif? – rda Jun 18 '18 at 16:11
  • I updated my answer with a working solution on a fresh slapd install on Debian 9.4. If that does not work, it could have something to do with the module load order. In think the order matters sometimes, but I am not sure. The `auditlog.la` is the first module after `{0}back_mdb` in my production systems. Also try searching the subschema entry. – rda Jun 18 '18 at 19:00

1 Answers1

0

I think it should be olcAuditlogConfig. At least this is what is defined in the schema, after adding the auditlog overlay:

# cat << EOF | ldapmodify -Y EXTERNAL -H ldapi://
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: auditlog.la
EOF

and searching using the following command

# ldapsearch -QY EXTERNAL -H ldapi:// -b cn=subschema -s base + | grep -i olcauditlogconfig

which shows the schema entry for olcAuditlogConfig:

objectClasses: ( 1.3.6.1.4.1.4203.1.12.2.4.3.15.1
NAME 'olcAuditlogConfig'
DESC 'Auditlog configuration'
SUP olcOverlayConfig STRUCTURAL
MAY olcAuditlogFile )

Then create the logfile using correct permissions:

touch /var/log/auditlog.ldif
chown openldap:openldap /var/log/auditlog.ldif

And add the auditlog config:

# cat << EOF | ldapmodify -Y EXTERNAL -H ldapi://
dn: olcOverlay={0}auditlog,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {0}auditlog
olcAuditlogFile: /var/log/auditlog.ldif
EOF

This results in the following cn=config on a fresh install of slapd (Debian 9.4 Stretch, slapd 2.4.44+dfsg-5+deb9u1):

# slapcat -n 0 -o ldif-wrap=no
...

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}auditlog.la
structuralObjectClass: olcModuleList
...

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
...

dn: olcOverlay={0}auditlog,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {0}auditlog
olcAuditlogFile: /var/log/auditlog.ldif
structuralObjectClass: olcAuditlogConfig
rda
  • 1,947
  • 1
  • 13
  • 22