From 192deb3b1bf9e5f359e0468809cdd81df51af4a0 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 22 Aug 2016 22:24:51 -0700
Subject: [PATCH 40/45] Ticket #48969 - nsslapd-auditfaillog always has an
explicit path
Bug Description:
In the current implementation, nsslapd-auditfaillog is not set,
by default. Internally, the value is NULL, which lets the audit fail
log share the same audit log file with nsslapd-auditlog.
Once, some path is set to nsslapd-auditfaillog, it is not allowed
to delete or set NULL or empty to it. That is, there is no way to
go back to the default behaviour.
There is another issue for the default value. Since search for
nsslapd-auditfaillog under cn=config does not return anything,
it is hard to find out where the failed logs are written.
Fix Description:
To solve the 2 issues, this patch changes the default value to an
explicit path /path/to/logdir/audit.
https://fedorahosted.org/389/ticket/48969
Reviewed by wibrown@redhat.com (Thank you, William!)
(cherry picked from commit ef2c3c4cc6f966935dbe367dd0d882ae81de3cc4)
---
ldap/ldif/template-dse.ldif.in | 1 +
ldap/servers/slapd/auditlog.c | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 46b416b..8258b70 100644
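--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -53,6 +53,7 @@ nsslapd-auditlog-maxlogsize: 100
 nsslapd-auditlog-logrotationtime: 1
 nsslapd-auditlog-logrotationtimeunit: day
 nsslapd-auditlog-logging-enabled: off
+nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-auditfaillog-logging-enabled: off
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%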
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index ec7111b..85d136c 100644
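--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -112,6 +112,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
 Operation *op;
 int pbrc = 0;
 char *auditfail_config = NULL;
+ char *audit_config = NULL;
 
 /* if the audit log is not enabled, just skip all of
 this stuff */
@@ -167,8 +168,9 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
 /* log the raw, unnormalized DN */
 dn = slapi_sdn_get_udn(sdn);
 auditfail_config = config_get_auditfaillog();
- if (auditfail_config == NULL || strlen(auditfail_config) == 0) {
- /* If no auditfail log write to audit log */
+ audit_config = config_get_auditlog();
+ if (auditfail_config == NULL || strlen(auditfail_config) == 0 || PL_strcasecmp(auditfail_config, audit_config) == 0) {
+ /* If no auditfail log or "auditfaillog" == "auditlog", write to audit log */
 write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
 } else {
 /* If we have our own auditfail log path */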
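Review bot: `audit_config` is assigned from `config_get_auditlog()` in the second hunk, but none of the added lines releases it. If that getter returns an allocated copy (not visible here, but the non-const `char *` result suggests it), each failed operation that reaches this path leaks a string, so memory grows with every rejected request. The body of `write_auditfail_log_entry` continues past the hunk, so check that the cleanup after the `else` branch includes `slapi_ch_free_string(&audit_config);` next to whatever frees `auditfail_config`. Separately, `PL_strcasecmp` decides "same file" case-insensitively, so two paths that differ only in case, which are distinct files on a case-sensitive filesystem, are treated as one and failure records land in the audit log instead of the configured file. `PL_strcmp(auditfail_config, audit_config) == 0` would keep the NULL tolerance while matching what the filesystem does.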
--
2.4.11