LDAP security information server auditing
SecureWay Directory version 3.2 (and later) provides a default server audit logging function. Once enabled, this default audit plug-in logs LDAP server activities to a log file. See the LDAP documentation in Packaging Guide for LPP Installation for more information on this default audit plug-in.
The LDAP security information server auditing function that is provided with the AIX® operating system is called the LDAP security audit plug-in. It is independent of the SecureWay Directory default auditing service, so that either one or both of these auditing subsystems can be enabled. The AIX audit plug-in records only those events that update or query the AIX security information about an LDAP server. It works within the framework of AIX system auditing.
To accommodate LDAP, the following audit events are contained in the /etc/security/audit/event file:
LDAP_Bind
LDAP_Unbind
LDAP_Add
LDAP_Delete
LDAP_Modify
LDAP_Modifydn
LDAP_Search
An ldapserver audit class definition is also created in the /etc/security/audit/config file that contains all of the above events.
To audit the LDAP security information server, add the following line to each user's stanza in the /etc/security/audit/config file:
ldap = ldapserver
Because the LDAP security information server audit plug-in is implemented within the framework of AIX system auditing, it is part of the AIX system auditing subsystem. Enable or disable the LDAP security information server audit by using the system audit commands, such as audit start or audit shutdown. All audit records are added to the system audit trails, which can be reviewed with the auditpr command. For more information, see Auditing overview.
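The following POSIX shell script is an added example, not part of the AIX documentation: it applies the configuration described above to a constructed excerpt of /etc/security/audit/config, adding the ldap = ldapserver assignment to the users: stanza without duplicating it, and checks that the ldapserver class still lists all seven LDAP events. The sample stanza contents and the function names are assumptions; on an AIX host the functions would be pointed at the real config file.

```shell
#!/bin/sh
# Added example: constructed excerpt of /etc/security/audit/config (not a real system file).
SAMPLE_CONFIG='classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search

users:
        root = general
'

# Print the comma-separated event list of one class from the classes: stanza.
audit_class_events() {   # $1 = config file, $2 = class name
    awk -v cls="$2" '
        /^[A-Za-z_]+:/ { in_classes = ($0 ~ /^classes:/); next }
        in_classes && $1 == cls && $2 == "=" { print $3 }
    ' "$1"
}

# Ensure "user = class" is in the users: stanza: extend an existing line for that
# user, or add one before the next stanza / at EOF; never duplicate the class.
audit_assign_class() {   # $1 = config file, $2 = user, $3 = class
    awk -v usr="$2" -v cls="$3" '
        function has(list, c,  n, i, a) { n = split(list, a, ","); for (i = 1; i <= n; i++) if (a[i] == c) return 1; return 0 }
        /^[A-Za-z_]+:/ { if (in_users && !done) { print "\t" usr " = " cls; done = 1 }
                         in_users = ($0 ~ /^users:/) }
        in_users && $1 == usr && $2 == "=" { if (!has($3, cls)) $0 = "\t" usr " = " $3 "," cls; done = 1 }
        { print }
        END { if (in_users && !done) print "\t" usr " = " cls }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only when class ldapserver lists all seven LDAP events and user ldap carries it.
audit_check_ldap() {   # $1 = config file
    events=$(audit_class_events "$1" ldapserver)
    for ev in LDAP_Bind LDAP_Unbind LDAP_Add LDAP_Delete LDAP_Modify LDAP_Modifydn LDAP_Search; do
        case ",$events," in *",$ev,"*) ;; *) return 1 ;; esac
    done
    awk '/^[A-Za-z_]+:/ { in_users = ($0 ~ /^users:/); next }
         in_users && $1 == "ldap" && $2 == "=" && ("," $3 ",") ~ /,ldapserver,/ { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

demo() {   # run against a temporary copy of the constructed sample
    f=$(mktemp); printf '%s' "$SAMPLE_CONFIG" > "$f"
    audit_assign_class "$f" ldap ldapserver
    audit_check_ldap "$f" && echo "user ldap is now audited with class ldapserver"
    cat "$f"; rm -f "$f"
}
demo
```

On a live system the edited file only takes effect after the auditing subsystem is restarted with audit shutdown and audit start, as described above.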