Bug 2136610
Summary: | [RFE] Add 'cn' attribute to IPA audit logs | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Corey Brown <cobrown> |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED ERRATA | QA Contact: | LDAP QA Team <idm-ds-qe-bugs> |
Severity: | low | Docs Contact: | Evgenia Martynyuk <emartyny> |
Priority: | high | ||
Version: | 8.2 | CC: | aadhikar, bsmejkal, dchen, emartyny, fhanzelk, gkimetto, idm-ds-dev-bugs, mralph, mreynolds, rcritten, tscherf |
Target Milestone: | rc | Keywords: | FutureFeature, TestCaseProvided, Triaged |
Target Release: | 8.8 | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | sync-to-jira | ||
Fixed In Version: | 389-ds-1.4-8080020221115220516.6e2e7265 | Doc Type: | Enhancement |
Doc Text: |
.New `nsslapd-auditlog-display-attrs` configuration parameter for the Directory Server audit log
Previously, the distinguished name (DN) was the only way to identify the target entry in the audit log event. With the new `nsslapd-auditlog-display-attrs` parameter, you can configure Directory Server to display additional attributes in the audit log, providing more details about the modified entry.
For example, if you set the `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log displays the entry `cn` attribute in the output. To include all attributes of a modified entry, use an asterisk (`*`) as the parameter value.
For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html-single/configuration_command_and_file_reference/index#cnconf[…]-attrs[nsslapd-auditlog-display-attrs]
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-05-16 08:33:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Deadline: | 2022-10-10 |
Description
Corey Brown
2022-10-20 20:55:10 UTC
Upstream ticket: https://github.com/389ds/389-ds-base/issues/5502

# PYTHONPATH=src/lib389/ py.test -v dirsrvtests/tests/suites/ds_logs/audit_log_test.py --disable-warnings
re-exec with libfaketime dependencies
============================================================================ test session starts =========================================================================
platform linux -- Python 3.6.8, pytest-7.0.1, pluggy-1.0.0 -- /usr/bin/python3.6
cachedir: .pytest_cache
389-ds-base: 1.4.3.32-1.module+el8.8.0+17275+1a8f9618
nss: 3.79.0-10.el8_6
nspr: 4.34.0-3.el8_6
openldap: 2.4.46-18.el8
cyrus-sasl: not installed
FIPS: disabled
rootdir: /root/389-ds-base/dirsrvtests, configfile: pytest.ini
plugins: libfaketime-0.1.2
collected 1 item

dirsrvtests/tests/suites/ds_logs/audit_log_test.py::test_auditlog_display_attrs PASSED [100%]

============================================================================ 1 passed in 34.82s ==========================================================================

Marking as verified: Tested.

As per comment #c8 marking as VERIFIED.

Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

(In reply to Ding-Yi Chen from comment #10)
> Given that RHEL 8.7 is out, will RHEL 8.8 or later carry this RFE?

If you check the "target release" of this bug you will see it's set for RHEL 8.8. Bug is already verified so it is good to go.

Hi @mareynol ! I have prepared RN text, could you please review it?

.New configuration parameter `nsslapd-auditlog-display-attrs` for the Directory Server audit log.
Previously, it was very difficult to determine who has made a change to an entry if the entry distinguished name (DN) does not contain clear identifying information. With `nsslapd-auditlog-display-attrs` parameter, you can set additional attributes that Directory Server displays in the audit log to provide more details about the entry being modified.
For example, if you set `nsslapd-auditlog-display-attrs` parameter to `cn`, the audit log starts to display the entry `cn` attribute in the output:
----
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
*#cn: John Smith*
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221014165914Z
----
You can use an asterisk (`*`) as a value if you want the audit log to contain all attributes of modified entries.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2811

Doc text looks good.

RN text passed peer view. Thanks Masha!

RN is release pending.

Hi Mark! Could you please review the updated description of the RN text in the Doc Text field. Thanks, Evgenia
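
A parser for the audit record format shown in the release-note draft above, as an added example that is not part of the bug report or the 389-ds-base code: it collects the `#attr: value` lines that `nsslapd-auditlog-display-attrs` adds and uses `cn` to label each change, falling back to the bare DN when no display attribute is present. The function names and the second sample record are constructed for illustration.

```python
# Constructed sample: the first record is abridged from the one quoted on this
# page; the second is a made-up record that carries no display attributes.
SAMPLE = """\
time: 20221014125914
dn: uid=73747737483,ou=people,dc=example,dc=com
result: 0
#cn: John Smith
changetype: modify
replace: displayName
displayName: jsmith
-
replace: modifiersname
modifiersname: cn=dm

time: 20221014130102
dn: uid=88112233445,ou=people,dc=example,dc=com
result: 0
changetype: delete
modifiersname: cn=dm
"""

def parse_audit_log(text):
    """Return one dict per audit record; '#attr: value' lines go to rec['display']."""
    records = []
    for line in text.replace("\n ", "").splitlines():  # join LDIF-folded lines
        if line.startswith("time: "):
            records.append({"time": line[6:], "dn": None, "result": None,
                            "changetype": None, "modifier": None, "display": {}})
            continue
        if not records or ": " not in line:
            continue  # file banner, blank lines, "-" separators
        key, value = line.split(": ", 1)
        rec = records[-1]
        if key.startswith("#") and rec["changetype"] is None:
            rec["display"].setdefault(key[1:].lower(), []).append(value)
        elif key in ("dn", "result", "changetype") and rec[key] is None:
            rec[key] = value  # header fields only; later body lines cannot overwrite
        elif key.lower() == "modifiersname":
            rec["modifier"] = value
    return records

def summarize(rec):
    """One line per change, preferring the cn display attribute over the bare DN."""
    names = rec["display"].get("cn")
    target = f"{', '.join(names)} ({rec['dn']})" if names else rec["dn"]
    return f"{rec['time']} {rec['changetype']} {target} by {rec['modifier']}"

if __name__ == "__main__":
    print("\n".join(summarize(r) for r in parse_audit_log(SAMPLE)))
```

Records whose `display` dict is empty are the ones a reviewer can only identify by DN, which is a quick way to confirm whether the parameter is in effect on a given server.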