LDAP security information server auditing

SecureWay Directory version 3.2 (and later) provides a default server audit logging function. Once enabled, this default audit plug-in logs LDAP server activities to a log file. See the LDAP documentation in Packaging Guide for LPP Installation for more information on this default audit plug-in.

The LDAP security information server auditing function that is provided with the AIX® operating system is called the LDAP security audit plug-in. It is independent of the SecureWay Directory default auditing service, so either one or both of these auditing subsystems can be enabled. The AIX audit plug-in records only those events that update or query the AIX security information on an LDAP server. It works within the framework of AIX system auditing.

To accommodate LDAP, the following audit events are contained in the /etc/security/audit/event file:

  • LDAP_Bind
  • LDAP_Unbind
  • LDAP_Add
  • LDAP_Delete
  • LDAP_Modify
  • LDAP_Modifydn
  • LDAP_Search

An ldapserver audit class definition is also created in the /etc/security/audit/config file that contains all of the above events.

To audit the LDAP security information server, add the following line to each user's stanza in the /etc/security/audit/config file:

ldap = ldapserver

Because the LDAP security information server audit plug-in is implemented within the framework of AIX system auditing, it is part of the AIX system auditing subsystem. Enable or disable LDAP security information server auditing by using the system audit commands, such as audit start or audit shutdown. All audit records are added to the system audit trails, which can be reviewed with the auditpr command. For more information, see Auditing overview.
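The following script is an added example and is not part of the AIX documentation or the AIX product. It performs the two checks an administrator would want before restarting auditing: that the ldapserver class in the classes stanza really lists all seven LDAP audit events, and that the users stanza carries the ldap = ldapserver assignment (inserting it if it is missing). The stanza layout it parses (a "name:" header followed by indented "key = value" lines) and the use of a copy of the file rather than /etc/security/audit/config itself are assumptions; the sample configuration at the bottom is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: check and enable LDAP security
# auditing in an AIX-style /etc/security/audit/config file. The file path is a
# parameter so the script can be run against a copy first; the stanza layout
# ("name:" header, indented "key = value" lines) is an assumption about the file.

LDAP_EVENTS="LDAP_Bind LDAP_Unbind LDAP_Add LDAP_Delete LDAP_Modify LDAP_Modifydn LDAP_Search"

# stanza_value STANZA KEY CFG: print KEY's value inside stanza STANZA of CFG
# with all whitespace removed; prints nothing if the key is absent.
stanza_value() {
    awk -v stanza="$1" -v key="$2" '
        /^[A-Za-z_]+:[ \t]*$/ { cur = substr($0, 1, index($0, ":") - 1); next }
        cur == stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, ""); print; exit
        }
    ' "$3"
}

# check_ldapserver_class CFG: return 0 only if the ldapserver class lists
# every LDAP audit event defined in /etc/security/audit/event.
check_ldapserver_class() {
    classes=$(stanza_value classes ldapserver "$1")
    [ -n "$classes" ] || { echo "no ldapserver class in $1" >&2; return 1; }
    for ev in $LDAP_EVENTS; do
        case ",$classes," in
            *,"$ev",*) ;;
            *) echo "ldapserver class is missing $ev" >&2; return 1 ;;
        esac
    done
    return 0
}

# enable_ldap_user_audit CFG: make sure the users stanza carries
# "ldap = ldapserver", replacing a stale ldap line or creating the stanza.
# The rewrite goes to a temp file and is renamed, so CFG is never half-written.
enable_ldap_user_audit() {
    cfg=$1
    [ "$(stanza_value users ldap "$cfg")" = "ldapserver" ] && return 0
    awk '
        /^users:[ \t]*$/ { print; print "\tldap = ldapserver"; inusers = 1; seen = 1; next }
        /^[A-Za-z_]+:[ \t]*$/ { inusers = 0 }
        inusers && /^[ \t]*ldap[ \t]*=/ { next }   # drop a stale ldap line
        { print }
        END { if (!seen) { print ""; print "users:"; print "\tldap = ldapserver" } }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Constructed sample config (not a real system file) for a dry run.
SAMPLE=${TMPDIR:-/tmp}/audit_config.sample.$$
cat > "$SAMPLE" <<'EOF'
start:
        binmode = on
        streammode = off

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search

users:
        root = general
EOF

if check_ldapserver_class "$SAMPLE" && enable_ldap_user_audit "$SAMPLE"; then
    echo "users stanza now assigns: ldap = $(stanza_value users ldap "$SAMPLE")"
fi
# On a real AIX host, after editing /etc/security/audit/config as root:
#   audit shutdown && audit start    # restart auditing so the new assignment applies
#   auditpr -v < /audit/trail        # review the trail, including the LDAP_* records
```

Running the script against a copy first lets the administrator confirm the parse before touching the live file; on the live system, pass /etc/security/audit/config as the argument instead of the constructed sample and then restart auditing with the commands shown in the closing comment.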