sous-chefs · djentangle · Jul 29, 2024 · Jul 29, 2024 · Jul 29, 2024 · Jul 30, 2024
@@ -37,6 +37,7 @@ jobs:
           - "tls-enabled"
           - "type-provider"
           - "type-consumer"
+          - "accesslog"
       fail-fast: false
 
     steps:

@@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+Accesslog Database and Overlay configuration.
+
+- added accesslog database and overlay stanza into slapd.conf.erb template.
+
+Added additional attributes.
+
+- `default['openldap']['accesslog']['enabled']` to enable additional accesslog configuration.
+- `default['openldap']['accesslog']['logdb']` specifies the suffix of the database.
+- `default['openldap']['accesslog']['directory']` specifes the directory to store the accesslog database.
+- `default['openldap']['accesslog']['index']` specifies the database index.
+- `default['openldap']['accesslog']['logops']` specifies which type of operations to log.
+- `default['openldap']['accesslog']['logbase']` specifies a set of operations that will only be logged if they occur under a specific subtree of the database.
+- `default['openldap']['accesslog']['logold']` specifies a filter for matching against Deleted and Modified entries.
+- `default['openldap']['accesslog']['logoldattr']` specify a list of attributes whose old contents are always logged in Modify and ModRDN requests that match any of the filters configured in logold.
+- `default['openldap']['accesslog']['logpurge']` specify the maximum age for log entries to be retained in the database
+- `default['openldap']['accesslog']['logsuccess']` if set to TRUE then log records will only be generated for successful requests.
+
 ## 6.1.4 - *2024-07-15*
 
 Standardise files with files in sous-chefs/repo-management

@@ -100,6 +100,25 @@ pair in the `openldap['syncrepl_*_config]` (See the OpenLDAP Adminstrator Guide)
 - `openldap['syncrepl_consumer_config']['starttls']` - `yes | no (default)`
 - `openldap['syncrepl_consumer_config']['credentials']` - defaults to `openldap['slapd_replpw']`
 
+### Accesslog
+
+Enabling Accesslog will require to include the accesslog.la module.
+
+- add `node.default['openldap']['modules'] << 'accesslog'
+
+Attributes related to Accesslog database and overlay configuration.
+
+`openldap['accesslog']['enabled']` - add accesslog configuration true | false (default)
+`openldap['accesslog']['logdb']` -  defaults to `"cn=accesslog"`
+`openldap['accesslog']['directory']` - defaults to `'/var/log/'`
+`openldap['accesslog']['index']` - defaults to `'reqStart,reqEnd,reqResult eq'`
+`openldap['accesslog']['logops']` - defaults to `'writes'`
+`openldap['accesslog']['logbase']` - not set by default
+`openldap['accesslog']['logold']` - defaults to '(objectclass=*)'
+`openldap['accesslog']['logoldattr']` - defaults to nil
+`openldap['accesslog']['logpurge']` - defaults to '8+00:00 1+00:00' purges after 8 and checks daily.
+`openldap['accesslog']['logsuccess']` - defaults to false
+
 ## Recipes
 
 ### default

@@ -101,3 +101,15 @@
 
 # The maximum number of entries that is returned for a search operation
 default['openldap']['server_config_hash']['sizelimit'] = 500
+
+# accesslog db and overlay parameters
+default['openldap']['accesslog']['enabled'] = false
+default['openldap']['accesslog']['logdb'] = '"cn=accesslog"'
+default['openldap']['accesslog']['directory'] = '/var/lib/ldap/accesslog'
+default['openldap']['accesslog']['index'] = 'reqStart,reqEnd,reqResult eq'
+default['openldap']['accesslog']['logops'] = 'writes'
+default['openldap']['accesslog']['logbase'] = nil
+default['openldap']['accesslog']['logold'] = '(objectclass=*)'
+default['openldap']['accesslog']['logoldattr'] = nil
+default['openldap']['accesslog']['logpurge'] = '8+00:00 1+00:00'
+default['openldap']['accesslog']['logsuccess'] = false
@@ -58,3 +58,10 @@ suites:
       inspec_tests:
         - name: openldap-default
           path: test/integration/default
+  - name: accesslog
+    run_list:
+      - recipe[openldap-test::accesslog]
+    verifier:
+      inspec_tests:
+        - name: openldap-accesslog
+          path: test/integration/accesslog
@@ -55,6 +55,14 @@ backend		<%= node['openldap']['database'] %>
 #####
 # Database
 #####
+<% if node['openldap']['accesslog']['enabled'] == true -%>
+# accesslog configuration
+database       <%= node['openldap']['database'] %>
+suffix         "<%= node['openldap']['accesslog']['logdb'] %>"
+directory      <%= node['openldap']['accesslog']['directory'] %>
+index          <%= node['openldap']['accesslog']['index'] %>
+<% end -%>
+
 database        <%= node['openldap']['database'] %>
 suffix          "<%= node['openldap']['basedn'] %>"
 rootdn          "cn=<%= node['openldap']['cn'] %>,<%= node['openldap']['basedn'] %>"
@@ -137,3 +145,27 @@ access to *
         by dn="<%= node['openldap']['syncrepl_cn'] %>,<%= node['openldap']['basedn'] %>" read
 <% end -%>
         by * read
+
+<% if node['openldap']['accesslog']['enabled'] == true -%>
+# enable the accesslog overlay so that we can audit LDAP updates
+overlay accesslog
+logdb "<%= node['openldap']['accesslog']['logdb'] %>" 
+# log add, delete, modify, modrdn operations
+logops <%= node['openldap']['accesslog']['logops'] %>
+# logbase <operations> <baseDN> are delimited by a | character
+<% if node['openldap']['accesslog']['logbase'] -%>
+logbase <%= node['openldap']['accesslog']['logbase'] %>
+<% end -%>
+# log the entry's previous info if it's being deleted or modified
+logold <%= node['openldap']['accesslog']['logold'] %>
+# logoldattr <attr> 
+<% if node['openldap']['accesslog']['logoldattr'] -%>
+logoldattr <%= node['openldap']['accesslog']['logoldattr'] %>
+<% end -%>
+# purge entries after 8 days; check daily for old entries (8+00:00 1+00:00)
+logpurge <%= node['openldap']['accesslog']['logpurge'] %>
+<% if node['openldap']['accesslog']['logsuccess'] -%>
+# logsuccess TRUE | FALSE (default false)
+logsuccess <%= node['openldap']['accesslog']['logsuccess'] %>
+<% end -%>
+<% end -%>
@@ -0,0 +1,30 @@
+node.default['openldap']['accesslog']['enabled'] = true
+node.default['openldap']['accesslog']['logdb'] = '"cn=accesslog"'
+node.default['openldap']['accesslog']['directory'] = '/var/lib/ldap/accesslog'
+node.default['openldap']['accesslog']['index'] = 'reqStart,reqEnd,reqResult eq'
+node.default['openldap']['accesslog']['logops'] = 'writes'
+node.default['openldap']['accesslog']['logold'] = '(objectclass=*)'
+node.default['openldap']['accesslog']['logpurge'] = '8+00:00 1+00:00'
+
+node.default['openldap']['modules'] << 'accesslog'
+
+user 'openldap' do
+  action :create
+end
+
+group 'openldap' do
+  action :create
+end
+
+directories = ['/var/lib/ldap', '/var/lib/ldap/accesslog']
+
+directories.each do |dir|
+  directory dir do
+    mode '0755'
+    owner 'openldap'
+    group 'openldap'
+    action :create
+  end
+end
+
+include_recipe 'openldap::default'
@@ -0,0 +1,21 @@
+ldap_dir =
+  case os.family
+  when 'debian'
+    '/etc/ldap'
+  when 'redhat', 'amazon', 'fedora', 'suse'
+    '/etc/openldap'
+  when 'bsd'
+    '/usr/local/etc/openldap'
+  end
+
+control 'accesslog' do
+  describe file "#{ldap_dir}/slapd.conf" do
+    its('content') { should match /# accesslog configuration/ }
+    its('content') { should match /overlay accesslog/ }
+  end
+
+  describe service('slapd') do
+    it { should be_installed }
+    it { should be_running }
+  end
+end
@@ -0,0 +1,6 @@
+---
+name: openldap-accesslog
+title: Openldap accesslog tests
+supports:
+  - os-family: linux
+  - os-family: bsd