> On Feb 9, 2016, at 9:52 AM, Chris Pike <[email protected]> wrote:
>
> Looks like I'm running Symas OpenLDAP 2.4.42. There are lots of audit logs
> being populated in openldap, so probably not a configuration issue. I'm
> trying to step through one of the tests to see why it is failing...
>
> AuditManagerImplTest.testSearchBinds first searches for binds for "jtsUser1"
> and doesn't find any. Can you point me to where this bind audit entry should
> be getting populated?
Betting it's a config issue. Look at your fortress.properties. Here are ones that must be set:

    # Options are openldap or apacheds (default):
    ldap.server.type=openldap
    # Audit only works if ldap.server.type == openldap:
    disable.audit=false

> On Feb 9, 2016, at 9:52 AM, Chris Pike <[email protected]> wrote:
>
> Also, where in the fortress API are the audit logs populated?

These audits are generated by OpenLDAP's access log overlay. You can view that config inside the slapd.conf file:

    logops bind writes compare

That directive instructs the overlay to store all ldap bind, update and compare ops into the access log automatically.

In order to get the audit for checkAccess to go, we must make an extra call to the server in the authZ flow to ldap compare. The first ldap call reads the permission record, the 2nd pushes the result of authZ into the access log (compare). But we only want to make the 2nd call to compare if the server is OpenLDAP, and it's not otherwise disabled. (Doing the call to another directory, e.g. apacheds, would be wasteful.)

You can view how the code works inside the permdao checkpermission method, where there's a call to the addAuthZAudit method:

    private void addAuthZAudit( LdapConnection ld, String permDn, String userDn, String attributeValue )
        throws FinderException
    {
        // Audit can be turned off here with fortress config param: 'disable.audit=true'
        if ( GlobalIds.IS_OPENLDAP && !GlobalIds.IS_AUDIT_DISABLED )
        {
            try
            {
                // The compare method uses OpenLDAP's Proxy Authorization Control to assert
                // identity of end user onto connection:
                // LDAP Operation #2: Compare:
                compareNode( ld, permDn, userDn, new DefaultAttribute( GlobalIds.POP_NAME, attributeValue ) );
            }
            catch ( UnsupportedEncodingException ee )
            {
                String error = "addAuthZAudit caught UnsupportedEncodingException=" + ee.getMessage();
                throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, ee );
            }
            catch ( LdapException e )
            {
                // A missing permission entry is not an audit failure; anything else is.
                if ( !( e instanceof LdapNoSuchObjectException ) )
                {
                    String error = "addAuthZAudit caught LdapException=" + e.getMessage();
                    throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, e );
                }
            }
        }
    }

The check above verifies that audit is enabled before doing the ldap compare.

Shawn
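To make the mechanism in the reply above concrete, here is an added example (not Fortress code and not part of the thread) that parses a few constructed accesslog records and pulls out exactly what testSearchBinds looks for: bind entries for one user, plus the compare entries the extra authZ call writes. The attribute names (reqType, reqDN, reqResult, reqAuthzID, reqAssertion, reqStart) are those of OpenLDAP's accesslog overlay schema; the DNs, session ids, timestamps and the compared attribute `opName` are constructed sample values, not Fortress's real ones. The result-code meanings used (0 = success, 49 = invalidCredentials, 6 = compareTrue, 5 = compareFalse) are standard LDAP.

```python
"""Offline reader for OpenLDAP accesslog overlay records (LDIF export).

Added illustration, not Fortress code. Attribute names follow the accesslog
overlay schema; all DNs, sessions, timestamps and the 'opName' attribute in
SAMPLE_LDIF are constructed sample data.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample: three accesslog entries as slapd's overlay would write
# them under 'logops bind writes compare' (one good bind, one authZ compare
# made on behalf of that user via proxy authorization, one failed bind).
SAMPLE_LDIF = """\
dn: reqStart=20160209145201.000001Z,cn=log
objectClass: auditBind
reqStart: 20160209145201.000001Z
reqType: bind
reqSession: 1001
reqDN: uid=jtsUser1,ou=People,dc=example,dc=com
reqMethod: SIMPLE
reqVersion: 3
reqResult: 0

dn: reqStart=20160209145203.000002Z,cn=log
objectClass: auditCompare
reqStart: 20160209145203.000002Z
reqType: compare
reqSession: 1001
reqAuthzID: dn:uid=jtsUser1,ou=People,dc=example,dc=com
reqDN: cn=perm1,ou=Permissions,dc=example,dc=com
reqAssertion: opName=read
reqResult: 6

dn: reqStart=20160209145210.000003Z,cn=log
objectClass: auditBind
reqStart: 20160209145210.000003Z
reqType: bind
reqSession: 1002
reqDN: uid=jtsUser2,ou=People,dc=example,dc=com
reqMethod: SIMPLE
reqVersion: 3
reqResult: 49
"""

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49
LDAP_COMPARE_FALSE, LDAP_COMPARE_TRUE = 5, 6


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: blank line separates entries, leading space folds."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue                                # not an attribute line
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def first(entry: Entry, attr: str) -> Optional[str]:
    return entry.get(attr, [None])[0]


def norm_dn(dn: Optional[str]) -> str:
    """Case-insensitive, whitespace-tolerant DN comparison key."""
    return ",".join(p.strip().lower() for p in (dn or "").split(","))


def find_binds(entries: List[Entry], user_dn: str) -> List[Entry]:
    """Bind records whose reqDN is the user (what testSearchBinds needs)."""
    return [e for e in entries
            if first(e, "reqType") == "bind"
            and norm_dn(first(e, "reqDN")) == norm_dn(user_dn)]


def find_authz_compares(entries: List[Entry], user_dn: str) -> List[Entry]:
    """Compare records made on the user's behalf. Because the overlay logs the
    proxied identity in reqAuthzID (as 'dn:<dn>'), match on that, not reqDN."""
    out = []
    for e in entries:
        if first(e, "reqType") != "compare":
            continue
        authz = first(e, "reqAuthzID") or ""
        if authz.lower().startswith("dn:"):
            authz = authz[3:]
        if norm_dn(authz) == norm_dn(user_dn):
            out.append(e)
    return out


def bind_outcome(entry: Entry) -> str:
    code = int(first(entry, "reqResult") or -1)
    return {LDAP_SUCCESS: "success",
            LDAP_INVALID_CREDENTIALS: "invalidCredentials"}.get(code, f"error({code})")


def authz_outcome(entry: Entry) -> str:
    """compareTrue means the authZ check passed, compareFalse that it was denied."""
    code = int(first(entry, "reqResult") or -1)
    return {LDAP_COMPARE_TRUE: "granted",
            LDAP_COMPARE_FALSE: "denied"}.get(code, f"error({code})")


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=jtsUser1,ou=People,dc=example,dc=com",
               "uid=jtsUser2,ou=People,dc=example,dc=com"):
        print(dn, [bind_outcome(b) for b in find_binds(recs, dn)],
              [authz_outcome(c) for c in find_authz_compares(recs, dn)])
```

If the bind search comes back empty against a live server the same way it does for an LDIF with no auditBind records, the overlay is not logging binds for that user: check that `logops` includes `bind` and that the log database is the one Fortress is searching. Note that the compare records carry the end user in reqAuthzID rather than reqDN, which is why a naive search on reqDN alone will not find the authZ audit trail.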
