Auditing

Auditing allows you to track the details of certain Directory Server transactions.

Directory Server supports IBM® i security auditing. Auditable items include the following:

  • Binds to and unbinds from the directory server.
  • Changes to permissions of LDAP directory objects.
  • Changes in ownership of LDAP directory objects.
  • Creation of, deletion of, searches of, and changes to LDAP directory objects.
  • Changes to the password of administrator and update distinguished names (DNs).
  • Changes to the passwords of users.
  • File imports and exports.

You might need to change the auditing settings before auditing of directory entries takes effect. If the QAUDCTL system value includes *OBJAUD, you can enable object auditing through System i® Navigator.
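As an added example that is not part of the original page, the following CL commands check the QAUDCTL prerequisite described above, set it, and then display the Directory Server entries that the security audit journal receives once object auditing is enabled. The values to keep in QAUDCTL (here *AUDLVL) are an assumption; use whatever the display command shows on your system.

```cl
/* Added example: verify the QAUDCTL prerequisite for Directory Server
   object auditing and confirm that audit entries are being written. */

/* 1. Display the current audit control system value. */
DSPSYSVAL SYSVAL(QAUDCTL)

/* 2. Make sure *OBJAUD is in the list. CHGSYSVAL replaces the whole
      value, so repeat any values already present. *AUDLVL is assumed
      to be present here; adjust to what step 1 showed. */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

/* 3. After enabling object auditing for the directory through
      System i Navigator, confirm that entries arrive in the security
      audit journal. DI is the Directory Server journal entry type. */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(DI)
```

Changing QAUDCTL requires *AUDIT special authority, so run the CHGSYSVAL step from a suitably authorized profile; the DSPSYSVAL and DSPJRN steps are useful on their own to confirm the setting and that directory events are actually reaching QAUDJRN.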

Group names can be specified for auditing. Authorized clients can request that an operation be performed using the authority of groups specified by the client rather than the groups the server has associated with the client identity. This setting controls whether auditing of these requests indicates only that the client specified the groups to be used, or also includes the list of groups specified. Auditing the list of groups creates additional audit entries holding the list of groups for each request.

To specify if group names should be audited, do the following:
  1. In IBM Navigator for i, expand Network > Servers > TCP/IP Servers.
  2. Right-click IBM Tivoli Directory Server for IBM i and select Properties.
  3. On the Auditing tab, check the Include group names when auditing use of caller-specified groups checkbox.