[Freeipa-users] Logging of Who does What on IPA Server

Simo Sorce simo at redhat.com
Thu Feb 14 13:51:17 UTC 2013


On Thu, 2013-02-14 at 12:50 +0530, Rajnesh Kumar Siwal wrote:
> IPA is going to be a very critical server for any environment.
> Do we have proper logging of who has locked whom, who has created a
> sudo policy, who has allowed access to whom, etc.?

You can see this information by querying LDAP directly.

The 'creatorsName' attribute holds the identity of the user that created
the object.

The 'createTimestamp' attribute holds the time at which the object was
created.

The 'modifiersName' attribute holds the identity of the user that last
modified the object.

The 'modifyTimestamp' attribute holds the time at which the object was
modified.

All these attributes are operational, so you normally do not see them
unless you explicitly ask for them during an LDAP search. Some LDAP
browsers allow you to add a list of attributes to ask for explicitly.



To see these attributes for a user named foo, for example, you can run
this query:

    ldapsearch -Y GSSAPI uid=foo creatorsName createTimestamp modifiersName modifyTimestamp

Add a '*' at the end if you also want to fetch regular attributes.
This command assumes you have Kerberos credentials (-Y GSSAPI tells
ldapsearch to use them to auth to the server).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
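
The following is an added example, not part of the original post: a small Python parser that turns the LDIF printed by the query above (run with ldapsearch's -LLL option) into a "who last changed what, and when" list. The DNs, the sample output and the function names parse_ldif and changed_since are assumptions made for illustration.

```python
import base64
from datetime import datetime
ADMIN = "uid=admin,cn=users,cn=accounts,dc=example,dc=test"
# Constructed sample of `ldapsearch -LLL` output (not from a real server); it
# contains a folded line and a base64 ("::") value, both legal in LDIF.
SAMPLE_LDIF = f"""dn: uid=foo,cn=users,cn=accounts,dc=example,dc=test
creatorsName: {ADMIN}
createTimestamp: 20130110091500Z
modifiersName: uid=helpdesk1,cn=users,cn=accounts,dc=example,
 dc=test
modifyTimestamp: 20130214072011Z

dn: uid=bar,cn=users,cn=accounts,dc=example,dc=test
creatorsName:: {base64.b64encode(ADMIN.encode()).decode()}
createTimestamp: 20130212160302Z
modifiersName: {ADMIN}
modifyTimestamp: 20130212160302Z
"""

def parse_ldif(text):
    """Return {dn: {attr: value}}, unfolding lines and decoding base64 values."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]        # continuation of a folded line
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical:
        if not line:                       # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        # "attr:: <base64>" carries an encoded value; "attr: value" is plain text
        value = base64.b64decode(value[1:]).decode() if value[:1] == ":" else value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[attr] = value
    return entries

def changed_since(entries, since):
    """(time, dn, modifiersName) for entries modified at or after `since`, newest first."""
    rows = []
    for dn, attrs in entries.items():
        if "modifyTimestamp" in attrs:     # absent if not requested or not readable
            # Assumes the UTC form YYYYmmddHHMMSSZ, as in the constructed sample
            when = datetime.strptime(attrs["modifyTimestamp"][:-1] + "+0000", "%Y%m%d%H%M%S%z")
            if when >= since:
                rows.append((when, dn, attrs.get("modifiersName", "?")))
    return sorted(rows, reverse=True)
```

Because modifiersName and modifyTimestamp describe only the last modification of an entry, the resulting list shows the most recent change per object, not a history of changes.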



