[Freeipa-users] Logging of Who does What on IPA Server

Dmitri Pal dpal at redhat.com
Fri Feb 15 21:08:37 UTC 2013


On 02/14/2013 08:51 AM, Simo Sorce wrote:
> On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
>> IPA is going to be a very critical server for any environment.
>> Do we have proper logging of who has locked whom, who has created a
>> sudo policy, who has allowed access to whom, etc.?
> You can see this information by querying LDAP directly.
>
> The 'creatorsName' attribute holds the identity of the user that created
> the object.
>
> The 'createTimestamp' attribute holds the time at which the object was
> created.
>
> The 'modifiersName' attribute holds the identity of the user that last
> modified the object.
>
> The 'modifyTimestamp' attribute holds the time at which the object was
> modified.
>
> All these attributes are operational, so you normally do not see them
> unless you explicitly ask for them during an ldap search. Some LDAP
> browsers allow you to add a list of attributes to ask for explicitly.
>
> To see these attributes for a user named foo for example you can run
> this query: "ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp
> modifiersName modifyTimestamp"
>
> Add a '*' at the end if you also want to fetch regular attributes.
> This command assumes you have Kerberos credentials (-Y GSSAPI tells
> ldapsearch to use them to auth to the server).
>
> Simo.
>
I also recommend looking at Logstash as a solution for collecting and
correlating logs.
http://logstash.net/docs/1.1.9/

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
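
An added example, not part of the original messages: a parser for the output of the ldapsearch query quoted above that turns the four operational attributes into audit rows. It handles LDIF line folding and base64 ("::") values; the DNs, timestamps and function names are constructed for illustration.

```python
import base64
from datetime import datetime, timezone

ATTRS = ("creatorsName", "createTimestamp", "modifiersName", "modifyTimestamp")
ADMIN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"  # constructed DN
# Constructed ldapsearch output: one folded value, one base64 ("::") value.
SAMPLE_LDIF = f"""\
# extended LDIF
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=test
creatorsName: {ADMIN}
createTimestamp: 20130210101500Z
modifiersName: uid=helpdesk1,cn=users,cn=accounts,dc=exam
 ple,dc=test
modifyTimestamp: 20130214072000Z

dn: uid=bar,cn=users,cn=accounts,dc=example,dc=test
creatorsName:: {base64.b64encode(ADMIN.encode()).decode()}
createTimestamp: 20130212090000Z
modifiersName: {ADMIN}
modifyTimestamp: 20130212090000Z
"""

def parse_entries(text):
    """Unfold LDIF continuation lines, then split into attribute dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # leading space continues previous line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line and cur:           # blank line ends an entry
            entries.append(cur)
            cur = {}
        elif line and not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur[name] = value.strip()
    return entries

def audit_rows(text):
    """Rows for entries carrying all four operational attributes."""
    when = lambda v: datetime.strptime(v, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return [{"dn": e["dn"], "created_by": e["creatorsName"],
             "created": when(e["createTimestamp"]),
             "modified_by": e["modifiersName"],
             "modified": when(e["modifyTimestamp"])}
            for e in parse_entries(text) if "dn" in e and all(a in e for a in ATTRS)]
```

Because modifiersName and modifyTimestamp describe only the last modification, these rows show the most recent change to each entry, not its history.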

