[Freeipa-users] SOLVED: Re: Logging of Who does What on IPA Server

Rajnesh Kumar Siwal rajnesh.siwal at gmail.com
Thu Feb 14 14:56:05 UTC 2013


Thanks, Simo.
It solves my concern.

On Thu, Feb 14, 2013 at 7:21 PM, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
>> IPA is going to be a very critical server for any environment.
>> Do we have proper logging of who has locked whom, who has created a
>> sudo policy, who has allowed access to whom, etc.?
>
> You can see this information by querying LDAP directly.
>
> The 'creatorsName' attribute holds the identity of the user that created
> the object.
>
> The 'createTimestamp' attribute holds the time at which the object was
> created.
>
> The 'modifiersName' attribute holds the identity of the user that last
> modified the object.
>
> The 'modifyTimestamp' attribute holds the time at which the object was
> modified.
>
> All these attributes are operational, so you normally do not see them
> unless you explicitly ask for them during an ldap search. Some LDAP
> browsers allow you to add a list of attributes to ask for explicitly.
>
> To see these attributes for a user named foo for example you can run
> this query: "ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp
> modifiersName modifyTimestamp"
>
> Add a '*' at the end if you also want to fetch regular attributes.
> This command assumes you have Kerberos credentials (-Y GSSAPI tells
> ldapsearch to use them to auth to the server).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>



-- 
Regards,
Rajnesh Kumar Siwal
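
Added example (not part of the original thread and not FreeIPA project code): a shell filter that turns the LDIF returned by the ldapsearch query quoted above into one line per entry showing who created it, who last modified it, and when. The function names `audit_summary` and `sample_ldif`, the `-LLL` option in the usage comment, and the sample LDIF (including its DNs) are assumptions constructed for illustration; the filter also rejoins the long DN values that ldapsearch folds onto continuation lines.

```shell
# Added example: ldapsearch LDIF on stdin -> one tab-separated line per entry:
#   dn, creatorsName, createTimestamp, modifiersName, modifyTimestamp
# Live use (Kerberos ticket assumed, as in the thread; -LLL omits LDIF comments):
#   ldapsearch -Y GSSAPI -LLL uid=foo creatorsName createTimestamp modifiersName modifyTimestamp | audit_summary
audit_summary() {
    awk '
    function val(x) { return (x == "" ? "-" : x) }
    # GeneralizedTime 20130214145605Z -> 2013-02-14T14:56:05Z; other forms unchanged
    function ts(t) {
        if (length(t) != 15 || t !~ /^[0-9]+Z$/) return val(t)
        return substr(t,1,4) "-" substr(t,5,2) "-" substr(t,7,2) "T" \
               substr(t,9,2) ":" substr(t,11,2) ":" substr(t,13,2) "Z"
    }
    function emit() {
        if (dn != "")
            printf "%s\t%s\t%s\t%s\t%s\n", dn, val(a["creatorsname"]), ts(a["createtimestamp"]),
                val(a["modifiersname"]), ts(a["modifytimestamp"])
        dn = ""; split("", a)
    }
    function handle(l,   i, name, v) {
        if (l == "") { emit(); return }           # blank line ends an entry
        i = index(l, ":")
        if (l ~ /^#/ || i == 0) return            # comment, or not "attr: value"
        name = tolower(substr(l, 1, i - 1)); v = substr(l, i + 1)
        sub(/^:? */, "", v)                       # "attr:: x" is base64; left encoded
        if (name == "dn") dn = v; else a[name] = v
    }
    /^ / { line = line substr($0, 2); next }      # folded line: join to previous
    { handle(line); line = $0 }
    END { handle(line); emit() }
    '
}
# Constructed sample LDIF (not from a real server); note the folded modifiersName.
sample_ldif() {
    cat <<'EOF'
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=com
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
createTimestamp: 20130110091500Z
modifiersName: uid=helpdesk1,cn=users,cn=accounts,dc=e
 xample,dc=com
modifyTimestamp: 20130214145605Z

dn: uid=bar,cn=users,cn=accounts,dc=example,dc=com
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=com
createTimestamp: 20130201120000Z
EOF
}
sample_ldif | audit_summary
```

Because modifiersName and modifyTimestamp hold only the last modification, the output is the current state of each entry, not a history of changes.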