On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
> IPA is going to be a very critical server for any environment.
> Do we have proper logging of who has locked whom, who has created a
> sudo policy, who has allowed access to whom, etc.?

You can see this information by querying LDAP directly.

The 'creatorsName' attribute holds the identity of the user that created the object.
The 'createTimestamp' attribute holds the time at which the object was created.
The 'modifiersName' attribute holds the identity of the user that last modified the object.
The 'modifyTimestamp' attribute holds the time at which the object was modified.

All these attributes are operational, so you normally do not see them unless you explicitly ask for them during an LDAP search. Some LDAP browsers allow you to add a list of attributes to ask for explicitly.

To see these attributes for a user named foo, for example, you can run this query:

    ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp modifiersName modifyTimestamp

Add a '*' at the end if you also want to fetch regular attributes.

This command assumes you have Kerberos credentials (-Y GSSAPI tells ldapsearch to use them to auth to the server).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
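
An added example, not part of the original message or of FreeIPA: a shell function that reads the LDIF printed by the ldapsearch query above and emits one line per entry with its creator and last modifier, rejoining the lines that LDIF folds when a DN is long. The function names and the sample entry are constructed for illustration.

```shell
# Added example, not from the original message. Emits one tab-separated line
# per entry: dn, creatorsName, createTimestamp, modifiersName, modifyTimestamp.
# Live use: ldapsearch -Y GSSAPI uid=foo <the four attributes> | audit_summary
audit_summary() {
    awk '
    BEGIN { n = split("dn creatorsname createtimestamp modifiersname modifytimestamp", cols, " ") }
    function flush_line(   i, attr, val) {
        i = index(pending, ": ")
        if (i > 0) {
            attr = tolower(substr(pending, 1, i - 1))
            val = substr(pending, i + 2)
            # "attr:: value" is base64 in LDIF: flag it rather than decode it
            if (attr ~ /:$/) { sub(/:$/, "", attr); val = "base64:" val }
            f[attr] = val
        }
        pending = ""
    }
    function flush_entry(   k, row) {
        flush_line()
        if ("dn" in f) {
            row = f[cols[1]]
            for (k = 2; k <= n; k++) row = row "\t" f[cols[k]]
            print row
        }
        split("", f)                      # reset for the next entry
    }
    /^#/ { flush_line(); skip = 1; next }                      # comment
    /^ / { if (!skip) pending = pending substr($0, 2); next }  # folded line
    /^$/ { flush_entry(); skip = 0; next }                     # end of entry
         { flush_line(); skip = 0; pending = $0 }
    END  { flush_entry() }
    '
}

# Constructed sample output; names and the example.test suffix are made up.
sample_ldif() {
    cat <<'EOF'
# foo, users, accounts, example.test
dn: uid=foo,cn=users,cn=accounts,dc=example,dc=test
creatorsName: uid=admin,cn=users,cn=accounts,dc=example,dc=test
createTimestamp: 20130110093000Z
modifiersName: uid=helpdesk1,cn=users,cn=accounts,dc=exam
 ple,dc=test
modifyTimestamp: 20130214072000Z

search: 4
EOF
}
sample_ldif | audit_summary
```

The timestamps are left in LDAP GeneralizedTime form (UTC), and only the last modifier is recorded per entry, so this shows the current state rather than a change history.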
