How to set up and use the LDAP server for logging changes
- Update the LDAP server configuration file:
- Add the GDBM backend section, including a change log size and age limit, if you want. GDBM can be configured to be Db2®-based or file-based. The following example starts change logging using a Db2-based change log with a maximum size of 1000 entries. Entries are automatically deleted when they become a day old.
database gdbm GLDBGD31/GLDBGD64
dbuserid dbu1
changeLogging on
changeLogMaxEntries 1000
changeLogMaxAge 86400
- If you plan to log changes to RACF® users, groups, user-group connections, and general resource profiles, you must also:
- Add the SDBM backend section, including the suffix and, optionally, the enableResources configuration option. The enableResources configuration option is only needed when logging changes to resource profiles. Following is an example:
database sdbm GLDBSD31/GLDBSD64
suffix cn=myRacf
enableResources on
- Enable the PC Callable support (used by RACF to add change log entries to the LDAP server) by specifying the following option in the global section of the configuration file:
listen ldap://:pc
- If you do not want to log changes to entries in a TDBM, LDBM,
or CDBM backend or to the LDAP server schema entry, add the following
option to the TDBM, LDBM, CDBM, or GDBM backend section (the GDBM
backend controls change logging for the schema entry):
changeLoggingParticipant off
- If GDBM is Db2-based, create the Db2 database to be used by the change log. This involves updating and executing a SPUFI script. The database owner in the script must match the dbuserid value in the GDBM section of the configuration file. See Creating the Db2 database and table spaces for TDBM or GDBM for more information.
- If you plan to log changes to RACF users, groups, connections, and resource profiles, perform the RACF configuration required to support creation of an LDAP change log entry for RACF changes to those profiles. If you plan to retrieve RACF password or password phrase envelopes, you need to perform the RACF configuration required to support creation and retrieval of the password or password phrase envelopes. See Activating LDAP change notification for more information.
- Restart the LDAP directory server. For a Db2-based GDBM backend in 64-bit mode, this will look similar to the following. Note: The GDBM-0002 is a backend name assigned by the LDAP server or is the name specified on the database configuration option for the GDBM backend:
database GDBM GLDBGD64 GDBM-0002
aclSourceCacheSize: 100
attrOverflowSize: 255
changeLogging: on
changeLogMaxAge: 86400
changeLogMaxEntries: 1000
changeLoggingParticipant: on
dbUserid: DBU1
dnToEidCacheSize: 1000
entryCacheSize: 5000
entryOwnerCacheSize: 100
filterCacheBypassLimit: 100
filterCacheSize: 5000
multiserver: off
persistentSearch: off
readOnly: off
sizeLimit: 1000
suffix 1: CN=CHANGELOG
timeLimit: 3600
For a file-based GDBM backend in 31-bit mode, this will look similar to:
database GDBM GLDBGD31 GDBM-0002
changeLogging: on
changeLogMaxAge: 86400
changeLogMaxEntries: 1000
changeLoggingParticipant: on
commitCheckpointEntries: 10000
commitCheckpointTOD: 00:00
databaseDirectory: /var/ldap/gdbm
fileTerminate: recover
multiserver: off
persistentSearch: off
readOnly: off
sizeLimit: 1000
suffix 1: CN=CHANGELOG
timeLimit: 3600
If GDBM fails to start, the following message is issued:
GLD1106E GDBM-0002 backend initialization failed.
- At this point, change logging is started. Depending on your configuration, a change to a RACF user, group, connection, or resource profile, or to a TDBM, LDBM, or CDBM entry, or to the LDAP server schema entry will result in the creation of a change log entry in the LDAP server.
- If you want, modify the ACL on the change log root entry, cn=changelog, for your usage of the change log. The initial ACL restricts update access to the change log to an LDAP root or directory data administrator. All other administrators have read access to the change log. For example, to give read access to the change log to RACF user CLREADER, create an ldif file, cl.ldif, similar to the following:
dn: cn=changelog
changetype: modify
add: aclentry
aclentry: access-id:racfid=clreader,profiletype=user,cn=myRacf:normal:rsc:sensitive:rsc:critical:rsc:system:rsc
-
You should then modify the change log ACL by issuing a modify command similar to the following:
ldapmodify -h ldaphost -p ldapport -D adminDn -w adminPw -f cl.ldif
- You can search, delete, and compare change log entries using the LDAP client interfaces and command line utilities. In particular, all change log entries can be viewed using a search similar to the following:
ldapsearch -h ldaphost -p ldapport -D adminDn -w adminPw -b "cn=changelog" "objectclass=*"
Part of the output from this search would look like:
cn=changelog
objectclass=top
objectclass=container
cn=changelog

CHANGENUMBER=1,CN=CHANGELOG
objectclass=CHANGELOGENTRY
objectclass=IBM-CHANGELOG
objectclass=TOP
changenumber=1
targetdn=RACFID=U2,PROFILETYPE=USER,cn=myRacf
changetime=20030611204814.257756Z
changetype=MODIFY
changes=replace: racfPassword
racfPassword: *ComeAndGetIt*
-
ibm-changeinitiatorsname=RACFID=SUSET3,PROFILETYPE=USER,cn=myRacf
- If the changes attribute of a change log entry contains any of the following lines:
racfPassword: *NoEnvelope*
racfPassword: *ComeAndGetIt*
racfPassPhrase: *NoEnvelope*
racfPassPhrase: *ComeAndGetIt*
userpassword: *ComeAndGetIt*
replicacredentials: *ComeAndGetIt*
secretkey: *ComeAndGetIt*
ibm-slapdadminpw: *ComeAndGetIt*
ibm-slapdmasterpw: *ComeAndGetIt*
ibm-replicakeypwd: *ComeAndGetIt*
then a password in the RACF user profile, TDBM, LDBM, or CDBM entry was changed. If the value is *ComeAndGetIt*, then you can try to retrieve the actual password value. See Passwords in change log entries for information about retrieving passwords.
- The LDAP root DSE entry contains useful information about the LDAP change log, including its suffix, and the lowest and highest change numbers currently in use. A command similar to the following one obtains this information:
ldapsearch -h ldaphost -p ldapport -D adminDn -w adminPw -s base -b "" "objectclass=*"
Part of the output from this search would look like:
changelog=cn=changelog
firstchangenumber=1
lastchangenumber=202
Note: The LDAP server occasionally skips one or more change numbers, so it cannot be assumed that there is a change log entry for every number between 1 and 202. In addition, skips are created if you delete a change log entry that does not have the lowest number. Change numbers that are generated by the LDAP server are not guaranteed to be consecutive, but will always increase.
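The following is an added example, not IBM's code and not part of this page, showing how a monitoring job might consume the change log search output shown above: it parses the attribute=value output into entries, flags entries whose changes attribute carries one of the password marker lines listed above (distinguishing *ComeAndGetIt* values, which may be retrievable, from *NoEnvelope*), and advances a polling cursor by the highest change number seen rather than by counting entries, because change numbers increase but are not consecutive. The sample output is constructed to match the page's format; the attribute names, marker values and output layout are taken from the page, and the treatment of lines without a leading attr= as continuations of the previous attribute is an assumption about how the multi-line changes value appears.

```python
"""Parse z/OS LDAP change log search output and flag password changes.

Added example, not IBM's code. Input follows the ldapsearch output format
shown on the page (attr=value lines, blank line between entries).
"""
import re

# Marker lines (from the page) whose presence in the 'changes' attribute
# means a password or secret was changed. Compared case-insensitively.
PASSWORD_MARKERS = {
    ("racfpassword", "*noenvelope*"),
    ("racfpassword", "*comeandgetit*"),
    ("racfpassphrase", "*noenvelope*"),
    ("racfpassphrase", "*comeandgetit*"),
    ("userpassword", "*comeandgetit*"),
    ("replicacredentials", "*comeandgetit*"),
    ("secretkey", "*comeandgetit*"),
    ("ibm-slapdadminpw", "*comeandgetit*"),
    ("ibm-slapdmasterpw", "*comeandgetit*"),
    ("ibm-replicakeypwd", "*comeandgetit*"),
}

# Constructed sample, in the format of: ldapsearch -b "cn=changelog" "objectclass=*"
# Change number 2 is deliberately absent to mimic a skipped number.
SAMPLE_OUTPUT = """\
cn=changelog
objectclass=top
objectclass=container
cn=changelog

CHANGENUMBER=1,CN=CHANGELOG
objectclass=CHANGELOGENTRY
objectclass=IBM-CHANGELOG
objectclass=TOP
changenumber=1
targetdn=RACFID=U2,PROFILETYPE=USER,cn=myRacf
changetime=20030611204814.257756Z
changetype=MODIFY
changes=replace: racfPassword
racfPassword: *ComeAndGetIt*
-
ibm-changeinitiatorsname=RACFID=SUSET3,PROFILETYPE=USER,cn=myRacf

CHANGENUMBER=3,CN=CHANGELOG
objectclass=CHANGELOGENTRY
objectclass=IBM-CHANGELOG
objectclass=TOP
changenumber=3
targetdn=cn=app1,o=example
changetime=20030611210000.000000Z
changetype=MODIFY
changes=replace: description
description: rotated
-
ibm-changeinitiatorsname=cn=admin,o=example
"""

# An attribute line is 'name=value'; anything else continues the previous
# attribute (assumption: this is how the multi-line 'changes' value appears).
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.*)$")


def parse_changelog(text):
    """Return a list of {'dn': str, 'attrs': {lowercase_name: [values]}}."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if current is None:                # first line of an entry is its DN
            current = {"dn": line, "attrs": {}}
            continue
        m = ATTR_LINE.match(line)
        if m:
            last_attr = m.group(1).lower()
            current["attrs"].setdefault(last_attr, []).append(m.group(2))
        elif last_attr:                    # continuation of a multi-line value
            current["attrs"][last_attr][-1] += "\n" + line
    if current:
        entries.append(current)
    return entries


def password_changes(entries):
    """Flag change log entries whose 'changes' value contains a marker line."""
    hits = []
    for e in entries:
        a = e["attrs"]
        if "changenumber" not in a:        # skip the cn=changelog container itself
            continue
        for changes in a.get("changes", []):
            for line in changes.splitlines():
                name, sep, value = line.partition(":")
                if not sep:
                    continue
                if (name.strip().lower(), value.strip().lower()) in PASSWORD_MARKERS:
                    hits.append({
                        "changenumber": int(a["changenumber"][0]),
                        "targetdn": a.get("targetdn", [""])[0],
                        "attribute": name.strip(),
                        # *ComeAndGetIt* means a value may be retrievable; *NoEnvelope* means not
                        "retrievable": value.strip().lower() == "*comeandgetit*",
                        "initiator": a.get("ibm-changeinitiatorsname", [""])[0],
                    })
    return hits


def advance_cursor(entries, last_seen):
    """Return (entries newer than last_seen, new cursor).

    Change numbers always increase but are not consecutive, so the cursor is
    the highest number seen, never last_seen plus a count of entries."""
    new = [e for e in entries
           if "changenumber" in e["attrs"] and int(e["attrs"]["changenumber"][0]) > last_seen]
    cursor = max((int(e["attrs"]["changenumber"][0]) for e in new), default=last_seen)
    return new, cursor


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_OUTPUT)
    for hit in password_changes(parsed):
        print(hit)
    print(advance_cursor(parsed, 0))
```

A polling job would keep the cursor returned by advance_cursor and search next time with a filter such as "(changenumber>=N+1)", reading firstchangenumber from the root DSE to notice when entries older than its cursor have already been aged out of the log.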