Posted to fortress@directory.apache.org by Jan Sindberg <js...@autorola.com> on 2015/11/19 13:20:31 UTC

Audit log

The fortress.properties says that this is only for OpenLDAP, while the Apache Fortress overview (webpage) also mentions ApacheDS.
We are running with ApacheDS. I guess I expected to be able to see something in Fortress Commander, but so far I haven't been able to trigger any records. I haven't tried with OpenLDAP.
Btw. Since Fortress Core uses a cache, I guess that not everything will be logged?
Best regards - Jan Sindberg

Re: Audit log

Posted by Shawn McKinney <sm...@apache.org>.
> On Dec 1, 2015, at 12:59 AM, Jan Sindberg <js...@autorola.com> wrote:
> 
> Yes, it gives me issues with schemas embedded in jars.
> 
> org.apache.directory.api.ldap.schemaextractor.UniqueResourceException: Problem locating LDIF file in schema repository
> Multiple copies of resource named 'schema/ou=schema/cn=apachedns/ou=syntaxes.ldif' located on classpath at urls
>    jar:file:/C:/Users/JSI/.m2/repository/org/apache/directory/api/api-all/1.0.0-M31/api-all-1.0.0-M31.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dsyntaxes.ldif
>    jar:file:/C:/Users/JSI/.m2/repository/org/apache/directory/api/api-ldap-schema-data/1.0.0-M26/api-ldap-schema-data-1.0.0-M26.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dsyntaxes.ldif

Jan,

So you were able to run the tests but had to change the dependencies in maven to use the M20 version?

The answer to your earlier question is yes, we’d like to get these tests running again, and could use your help.

Thanks,

Shawn

Re: Audit log

Posted by Jan Sindberg <js...@autorola.com>.
From: Shawn
> 
> We do have a junit class that uses embedded apacheds -
> FortressJUnitApachedsTest.  Have you tried that?
> 
Yes, it gives me issues with schemas embedded in jars.

org.apache.directory.api.ldap.schemaextractor.UniqueResourceException: Problem locating LDIF file in schema repository
Multiple copies of resource named 'schema/ou=schema/cn=apachedns/ou=syntaxes.ldif' located on classpath at urls
    jar:file:/C:/Users/JSI/.m2/repository/org/apache/directory/api/api-all/1.0.0-M31/api-all-1.0.0-M31.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dsyntaxes.ldif
    jar:file:/C:/Users/JSI/.m2/repository/org/apache/directory/api/api-ldap-schema-data/1.0.0-M26/api-ldap-schema-data-1.0.0-M26.jar!/schema/ou%3dschema/cn%3dapachedns/ou%3dsyntaxes.ldif
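
The UniqueResourceException above is the ApacheDS schema extractor refusing to pick between two jars that both ship the same LDIF resource. As an added example (not code from the thread or from the Fortress project), the following script lists every resource under `schema/` that is provided by more than one jar on a classpath, so you can see which artifact to exclude in the pom.xml before the embedded server starts. It constructs two throw-away jars named after the artifacts in the message rather than downloading the real ones.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

# Resource path taken from the UniqueResourceException in the message above.
DUP_RESOURCE = "schema/ou=schema/cn=apachedns/ou=syntaxes.ldif"


def find_duplicate_resources(jar_paths, prefix="schema/"):
    """Map every resource under `prefix` to the jars that carry it and return
    only those present in more than one jar (what the schema extractor rejects)."""
    owners = defaultdict(list)
    for jar in jar_paths:
        with zipfile.ZipFile(jar) as zf:
            for name in zf.namelist():
                if name.startswith(prefix) and not name.endswith("/"):
                    owners[name].append(os.path.basename(jar))
    return {name: sorted(jars) for name, jars in owners.items() if len(jars) > 1}


def build_sample_classpath(root):
    """Constructed sample (not the real Maven artifacts): two jars carrying the
    same schema LDIF, mirroring api-all M31 and api-ldap-schema-data M26."""
    api_all = os.path.join(root, "api-all-1.0.0-M31.jar")
    schema_data = os.path.join(root, "api-ldap-schema-data-1.0.0-M26.jar")
    with zipfile.ZipFile(api_all, "w") as zf:
        zf.writestr(DUP_RESOURCE, "dn: ou=syntaxes,cn=apachedns,ou=schema\n")
        zf.writestr("org/apache/directory/api/Placeholder.class", b"")
    with zipfile.ZipFile(schema_data, "w") as zf:
        zf.writestr(DUP_RESOURCE, "dn: ou=syntaxes,cn=apachedns,ou=schema\n")
        # Present in only one jar, so it must not be reported.
        zf.writestr("schema/ou=schema/cn=apachedns/ou=matchingRules.ldif", "dn: ...\n")
    return [api_all, schema_data]


def scan_sample():
    """Build the sample jars in a temp dir and report the duplicated resources."""
    with tempfile.TemporaryDirectory() as root:
        return find_duplicate_resources(build_sample_classpath(root))


if __name__ == "__main__":
    for resource, jars in scan_sample().items():
        print(f"{resource}\n  provided by: {', '.join(jars)}")
```

For a real project, feed `find_duplicate_resources` the jar list printed by `mvn dependency:build-classpath` (split on the platform path separator) instead of the constructed jars.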

Re: Audit log

Posted by Shawn McKinney <sm...@apache.org>.
> On Nov 30, 2015, at 7:04 AM, Jan Sindberg <js...@autorola.com> wrote:
> 
> You guys are the best :-)
> Does anyone need an example of testing Fortress with an embedded ApacheDS?
> I saw the examples in Fortress Core but could not get them to run. The short answer is the following dependency in a pom.xml:
>        <dependency>
>            <groupId>org.apache.directory.server</groupId>
>            <artifactId>apacheds-test-framework</artifactId>
>            <version>2.0.0-M20</version>
>            <exclusions>
>                <exclusion>
>                    <groupId>org.apache.directory.api</groupId>
>                    <artifactId>api-ldap-schema-data</artifactId>
>                </exclusion>
>            </exclusions>
>            <scope>test</scope>
>        </dependency>
> 
> The 2.0.0-M20 version seems to be better behaved than previous versions. I need a couple of days before I have time to deliver a complete code example without business specifics, if a more complete example is wanted?

Hello Jan,

We do have a junit class that uses embedded apacheds - FortressJUnitApachedsTest.  Have you tried that?

Thanks,

Shawn

Re: Audit log

Posted by Jan Sindberg <js...@autorola.com>.
You guys are the best :-)
Does anyone need an example of testing Fortress with an embedded ApacheDS?
I saw the examples in Fortress Core but could not get them to run. The short answer is the following dependency in a pom.xml:
        <dependency>
            <groupId>org.apache.directory.server</groupId>
            <artifactId>apacheds-test-framework</artifactId>
            <version>2.0.0-M20</version>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.directory.api</groupId>
                    <artifactId>api-ldap-schema-data</artifactId>
                </exclusion>
            </exclusions>
            <scope>test</scope>
        </dependency>

The 2.0.0-M20 version seems to be better behaved than previous versions. I need a couple of days before I have time to deliver a complete code example without business specifics, if a more complete example is wanted?

Re: Audit log

Posted by Shawn McKinney <sm...@apache.org>.
> On Nov 19, 2015, at 12:08 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> 
> The journal currently only logs updates (ie, not the Binds, Searches,
> Compares). It can be improved easily. Storing the permissions is another
> story: what exactly do you want to store?

The requirement is to track for audit all invocations into the fortress core APIs.  The apacheds journal will work well for the admin apis I think.  But we also need a way to track the policy enforcement apis also (accessMgr).  For example createSession (may do an ldapbind), and checkAccess (always performs an ldapsearch).  

The slapo access log tracks binds and mods quite well.  It has option to log ldapsearch, but as you might imagine this is too granular and is too much overhead.  So fortress core does a ‘trick’ on the checkaccess call.  After the call to ldapsearch (to pull back the permission) it calls ldapcompare which tricks the slapo access log into storing the result.  Since ldapcompare is not performed as much as ldapsearch this works ok with openldap cases.

At a minimum we need userid, timestamp, object name, object id, operation name, and result for calls into checkAccess.  We need similar capability for createSession.

Note:  For accessmgr calls using the openldap accelerator the audit is done directly from inside the slapo-rbac overlay.  This is better and more efficient and negates the need for enabling slapo-access log for binds and searches.  (another reason for using accelerator I suppose)

Shawn

Re: Audit log

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 19/11/15 16:24, Shawn McKinney wrote:
>> On Nov 19, 2015, at 9:16 AM, Emmanuel Lécharny <el...@gmail.com> wrote:
>>
>>
>> One way to do that would be to use the Journal Interceptor. It logs
>> every update made on ApacheDS. Shawn, just let me know if that would be
>> enough ?
> Yes that would be good for updates, which gets us halfway there, also need to log the binds/permission checks.  But maybe there is another way to do that?

The journal currently only logs updates (ie, not the Binds, Searches,
Compares). It can be improved easily. Storing the permissions is another
story: what exactly do you want to store?


Re: Audit log

Posted by Shawn McKinney <sm...@apache.org>.
> On Nov 19, 2015, at 9:16 AM, Emmanuel Lécharny <el...@gmail.com> wrote:
> 
> 
> One way to do that would be to use the Journal Interceptor. It logs
> every update made on ApacheDS. Shawn, just let me know if that would be
> enough ?

Yes that would be good for updates, which gets us halfway there, also need to log the binds/permission checks.  But maybe there is another way to do that?


Re: Audit log

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 19/11/15 15:01, Shawn McKinney wrote:
>> On Nov 19, 2015, at 6:20 AM, Jan Sindberg <js...@autorola.com> wrote:
>>
>> The fortress.properties says that this is only for OpenLDAP, while the Apache Fortress overview (webpage) also mentions ApacheDS.
>> We are running with ApacheDS. I guess I expected to be able to see something in Fortress Commander, but so far I haven't been able to trigger any records. I haven't tried with OpenLDAP.
>> Btw. Since Fortress Core uses a cache, I guess that not everything will be logged?
> Hello Jan,
>
> You are right, Fortress delegates all audit logging to the openldap server.  Openldap uses the slapo-access overlay and it works quite well.  There is no way to do the same thing with apacheds although it is an interesting idea for future enhancement.

One way to do that would be to use the Journal Interceptor. It logs
every update made on ApacheDS. Shawn, just let me know if that would be
enough ?


Re: Audit log

Posted by Shawn McKinney <sm...@apache.org>.
> On Nov 19, 2015, at 6:20 AM, Jan Sindberg <js...@autorola.com> wrote:
> 
> The fortress.properties says that this is only for OpenLDAP, while the Apache Fortress overview (webpage) also mentions ApacheDS.
> We are running with ApacheDS. I guess I expected to be able to see something in Fortress Commander, but so far I haven't been able to trigger any records. I haven't tried with OpenLDAP.
> Btw. Since Fortress Core uses a cache, I guess that not everything will be logged?

Hello Jan,

You are right, Fortress delegates all audit logging to the openldap server.  Openldap uses the slapo-access overlay and it works quite well.  There is no way to do the same thing with apacheds although it is an interesting idea for future enhancement.

If you want to try and get openldap server running to test with fortress and use the audit, we can support you here.  I need to get the fortress quickstarts renewed anyway and this will be the first of many scenarios.

Best

Shawn