On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
> IPA is going to be a very critical server for any environment.
> Do we have proper logging of who has locked whom, who has created a
> sudo policy, who has allowed access to whom etc ?

You can see this information by querying LDAP directly.

The 'creatorsName' attribute holds the identity of the user that created
the object.

The 'createTimestamp' attribute holds the time at which the object was
created.

The 'modifiersName' attribute holds the identity of the user that last
modified the object.

The 'modifyTimestamp' attribute holds the time at which the object was
modified.

All these attributes are operational, so you normally do not see them
unless you explicitly ask for them during an LDAP search. Some LDAP
browsers allow you to add a list of attributes to ask for explicitly.



To see these attributes for a user named foo, for example, you can run
this query:

    ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp modifiersName modifyTimestamp

Add a '*' at the end if you also want to fetch regular attributes.
This command assumes you have Kerberos credentials (-Y GSSAPI tells
ldapsearch to use them to auth to the server).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
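
Added example, not part of the original message: a small parser that turns the LDIF printed by the ldapsearch query above into who-created / who-last-modified records. The sample LDIF, the DNs in it and the function names are constructed for illustration, and the code assumes the bind identity is allowed to read all four operational attributes.

```python
import base64
from datetime import datetime, timezone

ADMIN = "uid=admin,cn=users,cn=accounts,dc=example,dc=com"
# Constructed sample of ldapsearch LDIF output, with a folded line and a "::" value.
SAMPLE_LDIF = """\
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=com
creatorsName: {admin}
createTimestamp: 20130201093000Z
modifiersName: uid=helpdesk,cn=users,cn=accounts,dc=example,
 dc=com
modifyTimestamp: 20130213181500Z

dn: cn=constructed-rule,cn=sudorules,cn=sudo,dc=example,dc=com
creatorsName:: {b64}
createTimestamp: 20130210120000Z
modifiersName: {admin}
modifyTimestamp: 20130210120000Z

# numEntries: 2
""".format(admin=ADMIN, b64=base64.b64encode(ADMIN.encode()).decode())

def parse_ldif(text):
    """Unfold continuation lines, then return one {attr: value} dict per entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.split("\n"):
            if line.startswith("#") or ":" not in line:
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                entry[name] = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                entry[name] = rest.strip()
        if "dn" in entry:  # skips comment-only and search-result blocks
            entries.append(entry)
    return entries

def audit_records(ldif_text):
    """Who created and who last modified each entry, with UTC times."""
    ts = lambda v: datetime.strptime(v, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return [{
        "dn": e["dn"],
        "created": (e["creatorsName"], ts(e["createTimestamp"])),
        "modified": (e["modifiersName"], ts(e["modifyTimestamp"])),
        "changed_by_other": e["creatorsName"].lower() != e["modifiersName"].lower(),
    } for e in parse_ldif(ldif_text)]
```

These attributes record only the creator and the most recent modifier of each entry, so the records show the last change, not a history of changes.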
