How-to: Verify who has made an LDAP configuration change

Environment

The univention-directory-logger package must be installed.

Note: Depending on the size of the environment and the number of changes made to LDAP, a corresponding amount of disk space is required in the directory /var/log/univention.

Preparation of the system

Installation of the univention-directory-logger

Open a shell on the master server and install the univention-directory-logger with the command:

univention-install univention-directory-logger

Verify changes to the LDAP configuration

Step 1: Check the logfile of the univention-directory-logger for the change

Open a shell on the master server and search the logfile(s) for the change you are looking for, for example a password change for the user Admin-Test.

root@DC0:~# grep -H ' DN: uid=Admin-Test' /var/log/univention/directory-logger*
/var/log/univention/directory-logger.log:ID 654: DN: uid=Admin-Test,cn=users,dc=reiherwald-testumgebung02,dc=intranet
/var/log/univention/directory-logger.log:ID 661: DN: uid=Admin-Test,cn=users,dc=reiherwald-testumgebung02,dc=intranet

Two changes were logged in the logfile /var/log/univention/directory-logger.log.
We will now look at them more closely using the returned IDs (only the second one is shown here):

root@DC0:~# grep 'ID 661' /var/log/univention/directory-logger.log 
ID 661: START
ID 661: Old Hash: 0965f5d3cc118fd9e4bc505d9b525947
ID 661: DN: uid=Admin-Test,cn=users,dc=reiherwald-testumgebung02,dc=intranet
ID 661: ID: 661
ID 661: Modifier: uid=administrator,cn=users,dc=reiherwald-testumgebung02,dc=intranet
ID 661: Timestamp: 22.10.2020 09:40:17
ID 661: Action: modify
ID 661: 
ID 661: Old values:
ID 661: sambaPasswordHistory: B7DF03E61A9722C7D21BFBF71EE066F8EC1B116D38ED133EDC91612A40D4E63C
...
ID 661: 
ID 661: New values:
...
ID 661: END

We now have the modifier's name. If you use personalized accounts in your domain, you have identified the user. Sometimes you need to go further…
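The two grep passes from Step 1 can be combined into a single pass that prints ID, timestamp (UTC), action and modifier for every logged change to one DN. This is an added example, not part of the original how-to: the function name summarize_changes and the sample log (abbreviated, with example DNs) are constructed, and the record layout is assumed to match the output shown above.

```shell
# Added example: one tab-separated line (ID, UTC timestamp, action, modifier) per change to a DN.
# Usage: summarize_changes DN [LOGFILE...]   (reads stdin when no file is given)
summarize_changes() {
    dn=$1; shift
    # The DN is passed via the environment so awk does not interpret backslashes in it.
    DN_WANTED="$dn" awk '
    BEGIN { want = tolower(ENVIRON["DN_WANTED"]); OFS = "\t" }   # DN match is case-insensitive
    /^ID [0-9]+:/ {
        id = $2; sub(/:$/, "", id)                               # transaction number
        rest = $0; sub(/^ID [0-9]+: ?/, "", rest); sub(/[ \t\r]+$/, "", rest)
        if (rest == "START") { hdr[id] = 1; d[id] = m[id] = t[id] = a[id] = ""; next }
        # Stop reading header fields once the attribute dump starts.
        if (rest == "Old values:" || rest == "New values:") { hdr[id] = 0; next }
        if (rest == "END") { if (tolower(d[id]) == want) print id, t[id], a[id], m[id]; hdr[id] = 0; next }
        if (!hdr[id]) next
        if (index(rest, "DN: ") == 1)        d[id] = substr(rest, 5)
        if (index(rest, "Modifier: ") == 1)  m[id] = substr(rest, 11)
        if (index(rest, "Timestamp: ") == 1) t[id] = substr(rest, 12)
        if (index(rest, "Action: ") == 1)    a[id] = substr(rest, 9)
    }' "$@"
}
# Constructed sample input (abbreviated records, example DNs).
sample_log() {
cat <<'EOF'
ID 7: START
ID 7: DN: uid=alice,cn=users,dc=example,dc=test
ID 7: Modifier: uid=administrator,cn=users,dc=example,dc=test
ID 7: Timestamp: 22.10.2020 09:40:17
ID 7: Action: modify
ID 7: Old values:
ID 7: description: old text
ID 7: END
ID 8: START
ID 8: DN: uid=bob,cn=users,dc=example,dc=test
ID 8: Modifier: uid=alice,cn=users,dc=example,dc=test
ID 8: Timestamp: 22.10.2020 11:15:03
ID 8: Action: modify
ID 8: END
ID 9: START
ID 9: DN: uid=alice,cn=users,dc=example,dc=test
ID 9: Modifier: uid=helpdesk,cn=users,dc=example,dc=test
ID 9: Timestamp: 23.10.2020 14:02:51
ID 9: Action: modify
ID 9: END
EOF
}
sample_log | summarize_changes 'uid=alice,cn=users,dc=example,dc=test'
```

On a real system, pass the logfile(s) as arguments, for example /var/log/univention/directory-logger.log.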

Step 2: Check which IP requested the change

Depending on whether the change was made via the command line (SSH) or via the UMC (web access), use the timestamp from Step 1 (note that univention-directory-logger records it in UTC) to find the matching access in one of these log files:
/var/log/auth.log or /var/log/apache2/access.log

This only applies to direct accesses. If a proxy is used, the access must be traced there.
