LDAP Proxy allows you to audit the activities on the proxy and on the back-end directory servers. For example, you can track session details, LDAP policy decisions, and back-end activities. The proxy supports the traditional method of auditing as well as XDAS standards-based auditing.
The <proxy-paths> node is an optional node that defines the location of certain mandatory directories that are installed during proxy installation.
By default, the <proxy-paths> node is defined in the nlpconf.xml file as follows:
```xml
<proxy-paths>
  <dir-config>/etc/opt/novell/ldapproxy/conf</dir-config>
  <dir-log>/var/opt/novell/ldapproxy/log</dir-log>
</proxy-paths>
```
The following elements and parameters are used to configure proxy paths:
<dir-config>: The location of the conf directory. In the sample configuration, the location specified is /etc/opt/novell/ldapproxy/conf.
<dir-log>: The location of the log file. In the sample configuration, the location specified is /var/opt/novell/ldapproxy/log.
Though LDAP Proxy supports both traditional and XDAS standards-based auditing, NetIQ recommends that you use XDAS auditing.
XDAS auditing supports a Syslog appender and a file appender. The Syslog appender supports event logging over the UDP, TCP and SSL protocols. The file appender supports event logging through rolling files.
The following is a sample configuration of XDAS events:
```xml
<!-- XDAS configuration -->
<proxy-xdas-config>
  <xdas-event>AUTHENTICATE_SESSION</xdas-event>
  <xdas-event>UNAUTHENTICATE_SESSION</xdas-event>
  <xdas-event>MODIFY_ACCOUNT</xdas-event>
</proxy-xdas-config>
```
The following table lists how traditional LDAP Proxy events are mapped to XDAS events.
Table 2-1 Mapping LDAP Proxy Events to XDAS Events

| Category | Proxy Event ID | Proxy Events | XDAS Events | XDAS Event ID |
|---|---|---|---|---|
| LDAP Events | 1442817 | The LDAP Bind requests that are received. | AUTHENTICATE_SESSION | 0.0.11.0 |
| | 1442818 | The LDAP Bind responses that are sent. | AUTHENTICATE_SESSION | 0.0.11.0 |
| | 1442819 | The LDAP Unbind requests that are received. | UNAUTHENTICATE_SESSION | 0.0.11.1 |
| | 1442820 | The LDAP Search requests that are received. | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.0.4, 0.0.2.2, 0.0.8.4 |
| | 1442821 | The LDAP Search Result Entry responses that are sent. | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE | 0.0.0.4, 0.0.2.2 |
| | 1442822 | The LDAP Search Done responses that are sent. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442823 | The LDAP Search Referral responses that are sent. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442824 | The LDAP Modify requests that are received. | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE, MODIFY_ROLE | 0.0.0.5, 0.0.2.3, 0.0.8.5 |
| | 1442825 | The LDAP Modify responses that are sent. | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE, MODIFY_ROLE | 0.0.0.5, 0.0.2.3, 0.0.8.5 |
| | 1442826 | The LDAP Add requests that are received. | CREATE_ACCOUNT, CREATE_DATA_ITEM, CREATE_ROLE | 0.0.0.0, 0.0.2.0, 0.0.8.0 |
| | 1442827 | The LDAP Add responses that are sent. | CREATE_ACCOUNT, CREATE_DATA_ITEM, CREATE_ROLE | 0.0.0.0, 0.0.2.0, 0.0.8.0 |
| | 1442828 | The LDAP Delete requests that are received. | DELETE_ACCOUNT, DELETE_DATA_ITEM, DELETE_ROLE | 0.0.0.1, 0.0.2.1, 0.0.8.1 |
| | 1442829 | The LDAP Delete responses that are sent. | DELETE_ACCOUNT, DELETE_DATA_ITEM, DELETE_ROLE | 0.0.0.1, 0.0.2.1, 0.0.8.1 |
| | 1442830 | The LDAP Modify DN requests that are received. | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE | 0.0.0.5, 0.0.2.3 |
| | 1442831 | The LDAP Modify DN responses that are sent. | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE | 0.0.0.5, 0.0.2.3 |
| | 1442832 | The LDAP Compare requests that are received. | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.0.4, 0.0.2.2, 0.0.8.4 |
| | 1442833 | The LDAP Compare responses that are sent. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442834 | The LDAP Abandon requests that are received. | TERMINATE_DATA_ITEM_ASSOCIATION | 0.0.6.1 |
| | 1442835 | The LDAP Extended requests that are received. | QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.2.2, 0.0.8.4 |
| | 1442836 | The LDAP Extended responses that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442837 | The LDAP Extended intermediate responses that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442838 | The LDAP Start TLS requests that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442839 | The LDAP Start TLS responses that are sent. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442840 | The LDAP Stop TLS requests that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442841 | The LDAP Unknown requests that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| | 1442842 | The LDAP Unknown responses that are received. | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2 |
| Policy Events | 1443073 | The connections that are rejected. | TERMINATE_SESSION | 0.0.1.1 |
| | 1443074 | The requests that are denied. | DESTROY_ACCESS_TOKEN | 0.0.11.5 |
| | 1443075 | The routes that are not found for incoming requests. | RESOURCE_UNAVAILABLE | 0.0.9.4 |
| | 1443076 | The connection routes that are changed. | MODIFY_SESSION | 0.0.1.3 |
| Back-end Events | 1443329 | The back-end servers whose status is changed to up. | ENABLE_SERVICE | 0.0.3.5 |
| | 1443330 | The back-end servers whose status is changed to down. | DISABLE_SERVICE | 0.0.3.4 |
| | 1443331 | The back-end servers whose status is changed to slow. | MODIFY_SERVICE_CONFIGURATION | 0.0.3.3 |
| | 1443332 | The servers in a back-end group that are down. | DISABLE_SERVICE | 0.0.3.4 |
| | 1443333 | The back-end servers whose maximum connection limit has been exceeded. | REMOVE_SERVICE | 0.0.3.1 |
| | 1443334 | The LDAP Proxy system request sent to the back-end server. | INVOKE_SERVICE | 0.0.4.0 |
| Session Events | 1442561 | The new sessions that are created. | CREATE_SESSION | 0.0.1.0 |
| | 1442562 | The sessions that are terminated. | TERMINATE_SESSION | 0.0.1.1 |
| | 1442563 | The sessions whose identity has been changed. | MODIFY_SESSION | 0.0.1.3 |
| System Events | 1442305 | The LDAP Proxy systems that have been initialized. | START_SYSTEM | 0.0.9.0 |
| | 1442306 | The LDAP Proxy systems that have been shut down. | SHUTDOWN_SYSTEM | 0.0.9.1 |
| Event System Events | 1442049 | The event producers and consumers that are registered or deregistered. | CONFIGURE_AUDIT_SERVICE | 0.0.10.0 |
| | 1442050 | The event producers and consumers that are registered or deregistered. | CONFIGURE_AUDIT_SERVICE | 0.0.10.0 |
To configure XDAS audit events:
Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.
Create an instance similar to the sample configuration. This <proxy-xdas-config> node must be defined after the <proxy-paths> node in the configuration file.
Use the <xdas-event> element to define the XDAS audit events.
For more information about the various events that can be monitored and their IDs, refer to Table 2-5.
Save the nlpconf.xml file.
When you install LDAP Proxy, the installer lays down the xdasconfig.properties file in the /etc/opt/novell/ldapproxy/conf directory.
The following is the content of the XDASv2 property file:
```properties
# Set the level of the root logger to DEBUG and attach appenders.
#log4j.rootLogger=debug, S, R

# Defines appender S to be a SyslogAppender.
#log4j.appender.S=org.apache.log4j.net.SyslogAppender

# Defines location of Syslog server.
#log4j.appender.S.Host=localhost
#log4j.appender.S.Port=port

# Specify protocol to be used (UDP/TCP/SSL)
#log4j.appender.S.Protocol=UDP

# Specify SSL certificate file for SSL connection.
# File path should be given with double backslash.
#log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem

# Minimum log-level allowed in syslog.
#log4j.appender.S.Threshold=INFO

# Defines the type of facility.
#log4j.appender.S.Facility=USER

# Defines caching for SyslogAppender.
# Inputs should be yes/no
#log4j.appender.S.CacheEnabled=no

# Cache location directory
# Directory should be available for creating cache files
#log4j.appender.S.CacheDir=/var/opt/novell/ldapproxy

# Cache File Size
# Cache File Size should be in the range of 50MB to 4000MB
#log4j.appender.S.CacheMaxFileSize=500MB

# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

# Defines appender R to be a Rolling File Appender.
#log4j.appender.R=org.apache.log4j.RollingFileAppender

# Log file for appender R.
#log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log

# Max size of log file for appender R.
#log4j.appender.R.MaxFileSize=100MB

# Set the maximum number of backup files to keep for appender R.
# Max can be 13. If set to zero, then there will be no backup files.
#log4j.appender.R.MaxBackupIndex=10

# Layout definition for appender Rolling log file R.
#log4j.appender.R.layout=org.apache.log4j.PatternLayout
#log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n
```
Table 2-2 XDASv2 Property File

| Options | ID |
|---|---|
| Syslog Appender | S |
| Rolling File Appender | R |
The entries in the xdasconfig.properties file are not case sensitive, entries can appear in any order, empty lines are valid, and any line that starts with a hash (#) is commented out.
NOTE: If you add or delete any event in the nlpconf.xml file, restart LDAP Proxy for the changes to take effect.
The following table provides an explanation of each setting in the xdasconfig.properties file.
Table 2-3 XDAS Settings

| Setting | Description |
|---|---|
| log4j.rootLogger=debug, S, R | Sets the level of the root logger to debug and attaches an appender named R or S, where S specifies a Syslog appender and R specifies a Rolling File appender. |
| log4j.appender.S=org.apache.log4j.net.SyslogAppender | Specifies the appender S to be a Syslog appender. |
| log4j.appender.S.Host=localhost | Specifies the location of the Syslog server where XDAS events are logged. For example, log4j.appender.S.Host=192.168.0.1 |
| log4j.appender.S.Port=port | The port at which XDAS connects to the Syslog server. The port supports values from 1 to 65535. If you specify an invalid value, the port defaults to 514. If the connection between XDAS and the Syslog server fails, Identity Manager cannot log events until the connection is restored. |
| log4j.appender.S.Protocol=UDP | Specifies the protocol to use: UDP, TCP, or SSL. |
| log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem | Specifies the SSL certificate file for the SSL connection. Use double backslashes to specify the path of the file. This is an optional setting. |
| log4j.appender.S.Threshold=INFO | Specifies the minimum log level allowed in the Syslog appender. Currently, the INFO log level is supported. |
| log4j.appender.S.Facility=USER | Specifies the type of facility. The facility is used to classify the message. Currently, the USER facility is supported. These values may be specified in upper or lower case. |
| log4j.appender.S.layout=org.apache.log4j.PatternLayout | Layout setting for the Syslog appender. |
| log4j.appender.S.layout.ConversionPattern=%c : %p%m%n | Layout setting for the Syslog appender. For information about the conversion patterns and their descriptions, see logging.apache.org. |
| log4j.appender.R=org.apache.log4j.RollingFileAppender | Specifies appender R to be a Rolling File appender. |
| log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log | The location of the log file for a Rolling File appender. |
| log4j.appender.R.MaxFileSize=100MB | The maximum size, in MB, of the log file for a Rolling File appender. Set this value to the maximum size that the client allows. |
| log4j.appender.R.MaxBackupIndex=10 | Specifies the maximum number of backup files for a Rolling File appender. The maximum number of backup files can be 10. A zero value means no backup files. |
| log4j.appender.R.layout=org.apache.log4j.PatternLayout | Layout setting for the Rolling File appender. |
| log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n | Layout setting for the Rolling File appender. See Table 2-4 for simple date format patterns. For information about the conversion patterns and their descriptions, see logging.apache.org. |
The following examples illustrate the date and time patterns as interpreted in the U.S. The given date and time are 2012-07-04 12:08:56 local time in the U.S. Pacific Time zone.

Table 2-4 Date and Time Pattern Example

| Date and Time Pattern | Result |
|---|---|
| "yyyy.MM.dd G 'at' HH:mm:ss z" | 2012.07.04 AD at 12:08:56 PDT |
| "EEE, MMM d, ''yy" | Wed, Jul 4, '01 |
| "h:mm a" | 12:08 PM |
| "hh 'o''clock' a, zzzz" | 12 o'clock PM, Pacific Daylight Time |
| "K:mm a, z" | 0:08 PM, PDT |
| "yyyyy.MMMMM.dd GGG hh:mm aaa" | 02012.July.24 AD 12:08 PM |
| "EEE, d MMM yyyy HH:mm:ss Z" | Wed, 24 Jul 2012 12:08:56 -0700 |
| "yyMMddHHmmssZ" | 120724120856-0700 |
| "yyyy-MM-dd'T'HH:mm:ss.SSSZ" | 2012-07-04T12:08:56.235-0700 |
You can use the Syslog appender if you want to centralize the auditing messages in one place. Additionally, a Syslog server offers better backup support in the event of a disaster.
To enable the Syslog appender, make the following changes in the xdasconfig.properties file:
Change the following entry to S to attach a Syslog appender:
```properties
log4j.rootLogger=debug, S
```
Uncomment the following entries:
```properties
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=localhost
log4j.appender.S.Port=port
log4j.appender.S.Protocol=UDP
log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
#log4j.appender.S.Threshold=INFO
#log4j.appender.S.Facility=USER
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
```
Restart nlpd.
The File appender is preferred if the auditing solution is limited to an individual server. It is also easy to bring up because few components need to be set up, which makes it well suited for demonstrations.
To enable the Rolling File appender, make the following changes in the xdasconfig.properties file:
Change the following entry to R to attach a Rolling File appender:
```properties
log4j.rootLogger=debug, R
```
Uncomment the following entries:
```properties
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log
log4j.appender.R.MaxFileSize=100MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n
```
Restart nlpd.
LDAP Proxy allows you to optionally store XDAS events locally on the agent in a Syslog Appender cache. With events cached, if the agent cannot communicate with the auditing server, the audit events generated are retained, ensuring that audit data is not lost. The agent then attempts to re-send the cached events when the agent computer can once again communicate with the auditing server.
XDAS event caching is disabled by default. To enable event caching, complete the steps below.
On the agent computer, navigate to the location of the XDASv2 property file. The xdasconfig.properties file is located at /etc/opt/novell/ldapproxy/conf/xdasconfig.properties by default.
Use a text editor to open the xdasconfig.properties file.
Within the property file, navigate to the log4j.appender.S.CacheEnabled property and change the property value to yes.
If you want to cache events in a specific directory, modify the value of the log4j.appender.S.CacheDir property to specify the directory path. The default path is /var/opt/novell/ldapproxy. If you specify a directory, ensure that the directory path is a valid location on the server. If the specified path does not exist, the Syslog Appender logs events to the default location.
If you want to specify a custom file size for the cache, modify the value of the log4j.appender.S.CacheMaxFileSize property. The default value is 100 MB. The minimum value should be 50 MB, with a maximum value of 4 GB.
Save and close the xdasconfig.properties file.
Restart nlpd.
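The checks in Table 2-3 and in the Syslog, file-appender and caching procedures above are easy to get wrong by hand (a placeholder port left in, SSL chosen without a certificate, a cache size outside 50MB to 4000MB). This added example, not part of the NetIQ documentation or product, parses an xdasconfig.properties file and reports those mistakes before nlpd is restarted; it treats 1 GB as 1000 MB so that the 4 GB ceiling matches the 4000MB comment in the shipped file.

```python
"""Sanity-check an LDAP Proxy xdasconfig.properties (added example, not NetIQ code)."""
import re

def parse_properties(text):
    """key=value lines; '#' lines are comments; keys are case-insensitive (lower-cased)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props

def size_mb(value):
    """Convert '500MB' or '4GB' to megabytes (1 GB = 1000 MB here); None if unparsable."""
    m = re.fullmatch(r"(\d+)\s*(MB|GB)", value, re.IGNORECASE)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * 1000 if unit == "GB" else n

def check_xdas_properties(text):
    """Return a list of problems found (empty list means the file passes these checks)."""
    props = parse_properties(text)
    problems = []
    root = props.get("log4j.rootlogger")
    if root is None:
        return ["log4j.rootLogger is commented out: no appender is attached"]
    appenders = [a.strip().upper() for a in root.split(",")[1:]]   # drop the level
    for a in appenders:
        if f"log4j.appender.{a.lower()}" not in props:
            problems.append(f"rootLogger names appender {a} but log4j.appender.{a} is commented out")
    if "S" in appenders:
        port = props.get("log4j.appender.s.port", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"Syslog port {port!r} is invalid; the proxy would fall back to 514")
        proto = props.get("log4j.appender.s.protocol", "").upper()
        if proto not in ("UDP", "TCP", "SSL"):
            problems.append(f"Syslog protocol {proto!r} is not one of UDP/TCP/SSL")
        if proto == "SSL" and "log4j.appender.s.sslcertfile" not in props:
            problems.append("Protocol is SSL but SSLCertFile is not set")
        if props.get("log4j.appender.s.cacheenabled", "no").lower() == "yes":
            mb = size_mb(props.get("log4j.appender.s.cachemaxfilesize", ""))
            if mb is None or not 50 <= mb <= 4000:
                problems.append("CacheMaxFileSize must be in the range 50MB to 4000MB")
    if "R" in appenders:
        idx = props.get("log4j.appender.r.maxbackupindex", "")
        if not idx.isdigit() or int(idx) > 13:
            problems.append(f"MaxBackupIndex {idx!r} is outside 0..13")
    return problems

# Constructed sample: S enabled, but the port placeholder was never replaced,
# SSL was chosen without a certificate, and the cache size is below the minimum.
SAMPLE = """log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=localhost
log4j.appender.S.Port=port
log4j.appender.S.Protocol=SSL
log4j.appender.S.CacheEnabled=yes
log4j.appender.S.CacheMaxFileSize=20MB
#log4j.appender.S.Threshold=INFO
"""

if __name__ == "__main__":
    for problem in check_xdas_properties(SAMPLE):
        print("PROBLEM:", problem)
```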
You can configure a specific set of events in traditional auditing or in XDAS auditing individually, or configure both auditing systems together.
Traditional auditing enables you to monitor all the user activities that occur in the proxy. This helps you to track user activities, including local activities such as LDAP requests, back-end server status, policy actions, configuration changes, and session details. This helps you to detect and resolve potential problems early, so that users are not denied access to critical services.
The proxy configuration allows you to specify the kind of events that must be audited. The following types of events can be monitored:
LDAP Events
Policy Events
Back-end Events
Session Events
System Events
Event System Events
You can configure all the events to be monitored by using the <proxy-audit-config> node in the configuration file. However, this is an optional configuration.
The following is a sample configuration for defining audit events. The events to be monitored are specified by using the <event-id> element. The sample configuration monitors events with event-ids 1442305 and 1442306, which means to monitor the LDAP Proxy systems that are initialized and shut down:
```xml
<proxy-audit-config audit-file-size-mb="512">
  <event-id>1442305</event-id>
  <event-id>1442306</event-id>
</proxy-audit-config>
```
To configure audit events:
Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.
Create an instance similar to the sample configuration. This <proxy-audit-config> node must be defined after the <proxy-paths> node in the configuration file.
Use the <event-id> element to define the audit events.
For more information about the various events that can be monitored and their IDs, refer to Table 2-5.
(Optional) Specify the file size of the audit log file in the audit-file-size-mb attribute. The default file size is 1 GB. If you do not want to specify the file size, you can remove this attribute from the configuration.
Save the nlpconf.xml file.
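Both procedures above (the `<proxy-xdas-config>` steps and the `<proxy-audit-config>` steps) require the node to sit after `<proxy-paths>` and the event names or IDs to match Table 2-1 and Table 2-5; a typo in either silently leaves an event unaudited until the next restart. This added example, not part of the NetIQ documentation or product, validates those points before nlpd is restarted. The `<nlp-config>` root element name is an assumption; substitute the root element of your nlpconf.xml.

```python
"""Validate the audit nodes of an LDAP Proxy nlpconf.xml (added example, not NetIQ code)."""
import xml.etree.ElementTree as ET

# Event IDs from Table 2-5 and XDAS event names from Table 2-1.
VALID_EVENT_IDS = (
    set(range(1442817, 1442843))          # LDAP Events 1442817-1442842
    | set(range(1443073, 1443077))        # Policy Events 1443073-1443076
    | set(range(1443329, 1443335))        # Back-end Events 1443329-1443334
    | {1442561, 1442562, 1442563}         # Session Events
    | {1442305, 1442306}                  # System Events
    | {1442049, 1442050}                  # Event System Events
)
VALID_XDAS_EVENTS = {
    "AUTHENTICATE_SESSION", "UNAUTHENTICATE_SESSION", "QUERY_ACCOUNT",
    "QUERY_DATA_ITEM_ATTRIBUTE", "QUERY_ROLE", "MODIFY_ACCOUNT",
    "MODIFY_DATA_ITEM_ATTRIBUTE", "MODIFY_ROLE", "CREATE_ACCOUNT",
    "CREATE_DATA_ITEM", "CREATE_ROLE", "DELETE_ACCOUNT", "DELETE_DATA_ITEM",
    "DELETE_ROLE", "TERMINATE_DATA_ITEM_ASSOCIATION", "TERMINATE_SESSION",
    "DESTROY_ACCESS_TOKEN", "RESOURCE_UNAVAILABLE", "MODIFY_SESSION",
    "ENABLE_SERVICE", "DISABLE_SERVICE", "MODIFY_SERVICE_CONFIGURATION",
    "REMOVE_SERVICE", "INVOKE_SERVICE", "CREATE_SESSION", "START_SYSTEM",
    "SHUTDOWN_SYSTEM", "CONFIGURE_AUDIT_SERVICE",
}

def validate_audit_config(xml_text):
    """Return a list of problems in the audit-related nodes (empty list if clean)."""
    children = list(ET.fromstring(xml_text))
    tags = [c.tag for c in children]
    paths_idx = tags.index("proxy-paths") if "proxy-paths" in tags else None
    problems = []
    for node_tag in ("proxy-audit-config", "proxy-xdas-config"):
        if node_tag not in tags:
            continue                       # both nodes are optional
        idx = tags.index(node_tag)
        if paths_idx is None or idx < paths_idx:
            problems.append(f"<{node_tag}> must be defined after <proxy-paths>")
        node = children[idx]
        if node_tag == "proxy-audit-config":
            size = node.get("audit-file-size-mb")
            if size is not None and (not size.isdigit() or int(size) == 0):
                problems.append(f"audit-file-size-mb is not a positive integer: {size!r}")
            for ev in node.findall("event-id"):
                text = (ev.text or "").strip()
                if not text.isdigit() or int(text) not in VALID_EVENT_IDS:
                    problems.append(f"unknown event-id {text!r}")
        else:
            for ev in node.findall("xdas-event"):
                name = (ev.text or "").strip()
                if name not in VALID_XDAS_EVENTS:
                    problems.append(f"unknown xdas-event {name!r}")
    return problems

# Constructed sample (root element name assumed): the XDAS node is placed before
# <proxy-paths>, one XDAS event name is misspelt, and one event-id does not exist.
SAMPLE_BAD = """<nlp-config>
  <proxy-xdas-config><xdas-event>AUTHENTICATE_SESION</xdas-event></proxy-xdas-config>
  <proxy-paths><dir-config>/etc/opt/novell/ldapproxy/conf</dir-config>
    <dir-log>/var/opt/novell/ldapproxy/log</dir-log></proxy-paths>
  <proxy-audit-config audit-file-size-mb="512">
    <event-id>1442305</event-id><event-id>9999999</event-id>
  </proxy-audit-config>
</nlp-config>"""

if __name__ == "__main__":
    for problem in validate_audit_config(SAMPLE_BAD):
        print("PROBLEM:", problem)
```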
Table 2-5 Audit Events

| Category | Event-id | Description |
|---|---|---|
| LDAP Events | 1442817 | The LDAP Bind requests that are received. |
| | 1442818 | The LDAP Bind responses that are sent. |
| | 1442819 | The LDAP Unbind requests that are received. |
| | 1442820 | The LDAP Search requests that are received. |
| | 1442821 | The LDAP Search Result Entry responses that are sent. |
| | 1442822 | The LDAP Search Done responses that are sent. |
| | 1442823 | The LDAP Search Referral responses that are sent. |
| | 1442824 | The LDAP Modify requests that are received. |
| | 1442825 | The LDAP Modify responses that are sent. |
| | 1442826 | The LDAP Add requests that are received. |
| | 1442827 | The LDAP Add responses that are sent. |
| | 1442828 | The LDAP Delete requests that are received. |
| | 1442829 | The LDAP Delete responses that are sent. |
| | 1442830 | The LDAP Modify DN requests that are received. |
| | 1442831 | The LDAP Modify DN responses that are sent. |
| | 1442832 | The LDAP Compare requests that are received. |
| | 1442833 | The LDAP Compare responses that are sent. |
| | 1442834 | The LDAP Abandon requests that are received. |
| | 1442835 | The LDAP Extended requests that are received. |
| | 1442836 | The LDAP Extended responses that are received. |
| | 1442837 | The LDAP Extended intermediate responses that are received. |
| | 1442838 | The LDAP Start TLS requests that are received. |
| | 1442839 | The LDAP Start TLS responses that are sent. |
| | 1442840 | The LDAP Stop TLS requests that are received. |
| | 1442841 | The LDAP Unknown requests that are received. |
| | 1442842 | The LDAP Unknown responses that are received. |
| Policy Events | 1443073 | The connections that are rejected. |
| | 1443074 | The requests that are denied. |
| | 1443075 | The routes that are not found for incoming requests. |
| | 1443076 | The connection routes that are changed. |
| Back-end Events | 1443329 | The back-end servers whose status is changed to up. |
| | 1443330 | The back-end servers whose status is changed to down. |
| | 1443331 | The back-end servers whose status is changed to slow. |
| | 1443332 | The servers in a back-end group that are down. |
| | 1443333 | The back-end servers whose maximum connection limit has been exceeded. |
| | 1443334 | The LDAP Proxy system request sent to the back-end server. |
| Session Events | 1442561 | The new sessions that are created. |
| | 1442562 | The sessions that are terminated. |
| | 1442563 | The sessions whose identity has been changed. |
| System Events | 1442305 | The LDAP Proxy systems that have been initialized. |
| | 1442306 | The LDAP Proxy systems that have been shut down. |
| Event System Events | 1442049 | The event producers and consumers that are registered or deregistered. |
| | 1442050 | The event producers and consumers that register or deregister events. |