zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago

Blame SOURCES/0040-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch

From 192deb3b1bf9e5f359e0468809cdd81df51af4a0 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 22 Aug 2016 22:24:51 -0700
Subject: [PATCH 40/45] Ticket #48969 - nsslapd-auditfaillog always has an
 explicit path

Bug Description:
In the current implementation, nsslapd-auditfaillog is not set
by default. Internally, the value is NULL, which lets the audit fail
log share the same audit log file with nsslapd-auditlog.

Once some path is set to nsslapd-auditfaillog, it is not allowed
to delete it or set it to NULL or empty. That is, there is no way to
go back to the default behaviour.

There is another issue for the default value. Since a search for
nsslapd-auditfaillog under cn=config does not return anything,
it is hard to find out where the failed logs are written.

Fix Description:
To solve the 2 issues, this patch changes the default value to an
explicit path /path/to/logdir/audit.

https://fedorahosted.org/389/ticket/48969

Reviewed by wibrown@redhat.com (Thank you, William!)

(cherry picked from commit ef2c3c4cc6f966935dbe367dd0d882ae81de3cc4)
---
 ldap/ldif/template-dse.ldif.in | 1 +
 ldap/servers/slapd/auditlog.c  | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 46b416b..8258b70 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -53,6 +53,7 @@ nsslapd-auditlog-maxlogsize: 100
 nsslapd-auditlog-logrotationtime: 1
 nsslapd-auditlog-logrotationtimeunit: day
 nsslapd-auditlog-logging-enabled: off
+nsslapd-auditfaillog: %log_dir%/audit
 nsslapd-auditfaillog-logging-enabled: off
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
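Review bot: The added "nsslapd-auditfaillog: %log_dir%/audit" line only keeps the shared-file behaviour because auditlog.c now treats an auditfaillog path equal to the auditlog path as "write to the audit log", and nothing next to the template entry says so. An administrator reading cn=config will see what looks like a dedicated file and may set up rotation or monitoring for it separately; the coupling should be documented where the attribute is described. The template also only covers instances created from it, so the commit message should state that the NULL/empty branch in write_auditfail_log_entry() remains the fallback for configurations that never get this line.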
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index ec7111b..85d136c 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -112,6 +112,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
     Operation *op;
     int pbrc = 0;
     char *auditfail_config = NULL;
+    char *audit_config = NULL;
 
     /* if the audit log is not enabled, just skip all of
        this stuff */
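Review bot: The new audit_config pointer declared beside auditfail_config has no matching release anywhere in this patch: the diffstat counts four added lines in auditlog.c, all four are visible in these hunks, and none of them frees it. If config_get_auditlog() returns an allocated copy that the caller owns, each failed operation that reaches write_auditfail_log_entry() leaks one string. Release audit_config on the same exit path that releases auditfail_config, or confirm in a comment that the getter returns a pointer the caller must not free.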
@@ -167,8 +168,9 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
     /* log the raw, unnormalized DN */
     dn = slapi_sdn_get_udn(sdn);
     auditfail_config = config_get_auditfaillog();
-    if (auditfail_config == NULL || strlen(auditfail_config) == 0) {
-        /* If no auditfail log write to audit log */
+    audit_config = config_get_auditlog();
+    if (auditfail_config == NULL || strlen(auditfail_config) == 0 || PL_strcasecmp(auditfail_config, audit_config) == 0) {
+        /* If no auditfail log or "auditfaillog" == "auditlog", write to audit log */
         write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
     } else {
         /* If we have our own auditfail log path */
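Review bot: The added PL_strcasecmp(auditfail_config, audit_config) == 0 test in the if condition compares two file paths case-insensitively and as raw strings. On a case-sensitive filesystem, paths that differ only in case name different files, yet this branch would send audit-fail records to the audit log instead of the configured file; in the other direction, the same file spelled with a doubled or trailing slash is not recognised as equal and takes the else branch. A case-sensitive comparison would match what the filesystem does, and the comment should say that only exact string equality is detected. The condition is also long enough that breaking it after each || would make the three cases easier to review.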
-- 
2.4.11