From 192deb3b1bf9e5f359e0468809cdd81df51af4a0 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 22 Aug 2016 22:24:51 -0700
Subject: [PATCH 40/45] Ticket #48969 - nsslapd-auditfaillog always has an
explicit path
Bug Description:
In the current implementation, nsslapd-auditfaillog is not set
by default. Internally, the value is NULL, which lets the audit fail
log share the same log file as nsslapd-auditlog.
Once a path is set for nsslapd-auditfaillog, it cannot be deleted
or set to NULL or an empty value. That is, there is no way to
go back to the default behaviour.
There is another issue for the default value. Since search for
nsslapd-auditfaillog under cn=config does not return anything,
it is hard to find out where the failed logs are written.
Fix Description:
To solve the 2 issues, this patch changes the default value to an
explicit path /path/to/logdir/audit.
https://fedorahosted.org/389/ticket/48969
Reviewed by wibrown@redhat.com (Thank you, William!)
(cherry picked from commit ef2c3c4cc6f966935dbe367dd0d882ae81de3cc4)
---
ldap/ldif/template-dse.ldif.in | 1 +
ldap/servers/slapd/auditlog.c | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 46b416b..8258b70 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -53,6 +53,7 @@ nsslapd-auditlog-maxlogsize: 100
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-logging-enabled: off
+nsslapd-auditfaillog: %log_dir%/audit
nsslapd-auditfaillog-logging-enabled: off
nsslapd-rootdn: %rootdn%
nsslapd-rootpw: %ds_passwd%
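Review bot: The added `nsslapd-auditfaillog: %log_dir%/audit` line only reaches instances created from this template. The diffstat lists just the template and auditlog.c, so nothing visible here gives an already-deployed instance the explicit value. For those instances a search under cn=config would presumably still return nothing for the attribute, which is the second problem the description sets out to fix. If upgraded servers are meant to be covered, the same default should also be set where the server initialises its configuration, or by an upgrade step.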
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index ec7111b..85d136c 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -112,6 +112,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
Operation *op;
int pbrc = 0;
char *auditfail_config = NULL;
+ char *audit_config = NULL;
/* if the audit log is not enabled, just skip all of
this stuff */
@@ -167,8 +168,9 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
/* log the raw, unnormalized DN */
dn = slapi_sdn_get_udn(sdn);
auditfail_config = config_get_auditfaillog();
- if (auditfail_config == NULL || strlen(auditfail_config) == 0) {
- /* If no auditfail log write to audit log */
+ audit_config = config_get_auditlog();
+ if (auditfail_config == NULL || strlen(auditfail_config) == 0 || PL_strcasecmp(auditfail_config, audit_config) == 0) {
+ /* If no auditfail log or "auditfaillog" == "auditlog", write to audit log */
write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
} else {
/* If we have our own auditfail log path */
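Review bot: `audit_config` is filled from `config_get_auditlog()` in this hunk, but no release of it is visible; the end of `write_auditfail_log_entry` lies outside the hunk, so this needs checking there. If the getter returns a heap copy, as the config getters in this server appear to, add `slapi_ch_free_string(&audit_config);` at the end of the function, since this path runs once per failed operation and would otherwise leak a string each time. Separately, `PL_strcasecmp` treats two paths that differ only in case as the same file. On a case-sensitive filesystem an administrator's deliberately separate auditfail path would then be silently folded into the audit log. An exact comparison such as `PL_strcmp(auditfail_config, audit_config) == 0` avoids that.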
--
2.4.11