Password Hashes in Audit Log
by Trevor Fong
Hi All,
I noticed the audit logs capture all details about any change in the
directory, including password hashes when an account's password is
updated. This strikes me as a security risk and I'd like to stop password
hashes from being logged, or at least have them masked.
In reading
https://www.port389.org/docs/389ds/design/audit-log-entry-attrs-design.html
I see it might be possible to configure attributes to omit from the audit
log by setting:
cn=config
nsslapd-auditlog-display-attrs: [ATTR ATTR ATTR] | *
My reading of that is that you need to either allow all ("*"), or enumerate
each and every attribute you want in the audit log; you can't say "all,
except userPassword". Would that be correct? The problem with this is
that every time we update the schema to add a new attribute type, we'll
need to remember to update this list on every machine we capture audit logs
on.
Is there perhaps some other way that I may have missed in my research?
Thanks everyone,
Trevor
1 day, 10 hours
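One way to mask the hashes after the fact, as an added example that is not part of this thread or of 389 DS itself: a filter run over the audit log before it is shipped, which replaces the value of userPassword (attribute names assumed case-insensitive, as in LDAP) and drops any LDIF continuation lines belonging to that value. It assumes the audit log follows LDIF conventions (continuation lines begin with a space, base64 values use `::`); the sample record below is constructed.

```python
import re
from typing import Iterable, List, Set

# Attributes whose values must never reach the shipped log (compared lowercase).
SENSITIVE_ATTRS: Set[str] = {"userpassword"}

# attribute-description, ':' or '::' (base64), optional space, value
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")

# Constructed sample in the LDIF-like shape of a 389 DS audit record.
SAMPLE_AUDIT = """\
time: 20240101120000
dn: uid=user1,ou=users,dc=test,dc=tld
changetype: modify
replace: userPassword
userPassword: {PBKDF2_SHA256}AAAIAEVYQU1QTEVTQUxU
 Zm9vYmFyYmF6cXV4
-
replace: modifiersname
modifiersname: cn=directory manager
-
"""


def redact_audit_log(lines: Iterable[str], sensitive: Set[str] = SENSITIVE_ATTRS) -> List[str]:
    """Return the records with sensitive attribute values replaced by a marker.

    A folded value (continuation lines starting with a space) is removed
    entirely so that no fragment of the hash survives in the output.
    """
    out: List[str] = []
    masking = False  # True while inside the folded value of a masked attribute
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith(" ") and masking:
            continue
        masking = False
        m = _ATTR_LINE.match(line)
        # Strip attribute options (e.g. ';binary') before comparing the name.
        if m and m.group(1).split(";")[0].lower() in sensitive:
            out.append(f"{m.group(1)}: [REDACTED]")
            masking = True
            continue
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(redact_audit_log(SAMPLE_AUDIT.splitlines(True))))
```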
Automatically delete "linked" objects
by Julian Kippels
Hi,
I am looking for a way to automatically delete certain objects when I
delete a user object. For example:
* I have a user uid=user1,ou=users,dc=test,dc=tld
* I have a role cn=xyz,ou=roles,dc=test,dc=tld
* This role has the following attribute:
roleOccupant: uid=user1,ou=users,dc=test,dc=tld
I would like to delete the cn=xyz-object automatically when the
uid=user1-object is deleted. Is there a way to do this server side, or
do I have to implement it client side?
Thanks
Julian
5 days, 16 hours