For security professionals and administrators alike, keeping on top of who is accessing data within your identity infrastructure, and the changes that they are making to that data, is paramount to healthy and safe control over operations. Furthermore, tracking changes to data within a directory is important if you intend to explore synchronization.
With this in mind, it is perfectly natural to seek out tools that track and log access attempts and changes to your directory data.
Symlabs Virtual Directory Server and LDAP Proxy are both bundled with logging plugins that are perfect for this sort of task. Depending on the type of information that you are interested in, you can use the Changelog plugin, the Access Log plugin, or both at the same time.
The Changelog plugin is used for logging requests and responses as they pass through the proxy engine. This plugin can be used to help with the design and build of synchronization features, as it logs every successful write operation processed by the script.
The logging format was created so that it could be directly processed by any system that provides command-line LDAP tools. In this way, the output from the Changelog plugin can be used to reproduce all of the operations to the data source that you may want to synchronize.
An example of the output from this plugin for a modify operation would be:
dn: uid=JSmith,ou=marketing,dc=growingcorp,dc=org
changetype: modify
replace: telephoneNumber
telephoneNumber: 555435483
As you can see, the LDIF-style output is perfectly suited for synchronization purposes and for helping to roll back changes in a disaster recovery scenario. A scheduled task could regularly copy this log file to an appropriate server and play through the change events to update the mirror server.
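The following is an added example, not part of the original page and not Symlabs code: a small parser that reads a change log like the one above and lists changes touching sensitive attributes, so they can be reviewed before the log is replayed against a mirror. It assumes the Changelog output follows standard LDIF change-record syntax (RFC 2849), as the sample suggests; the sample log, the `SENSITIVE` list and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the page's Changelog output (assumed RFC 2849 LDIF).
SAMPLE = """\
dn: uid=JSmith,ou=marketing,dc=growingcorp,dc=org
changetype: modify
replace: telephoneNumber
telephoneNumber: 555435483
-
replace: userPassword
userPassword: constructed-value

dn: cn=admins,ou=groups,dc=growingcorp,dc=org
changetype: modify
add: member
member: uid=JSmith,ou=marketing,
 dc=growingcorp,dc=org
"""
SENSITIVE = {"userpassword", "member"}  # assumed policy list, adjust per directory

def parse_changes(text):
    """Split an LDIF change log into records: dn, changetype, [(op, attr, values)]."""
    text = re.sub(r"\r?\n ", "", text)           # unfold continuation lines
    text = re.sub(r"(?m)^#.*\n", "", text)       # drop comment lines
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"dn": None, "changetype": None, "mods": []}
        current = None
        for line in block.splitlines():
            if line == "-":                      # "-" ends one modification
                current = None
                continue
            key, _, value = line.partition(":")
            key, value = key.lower(), value.lstrip(":<").strip()  # base64 left encoded
            if key in ("dn", "changetype"):
                rec[key] = value
            elif rec["changetype"] == "modify" and current is None:
                current = (key, value.lower(), [])   # e.g. "replace: telephoneNumber"
                rec["mods"].append(current)
            elif current is not None:
                current[2].append(value)             # value line of the current op
            else:                                    # "add" record: plain attribute lines
                rec["mods"].append(("add", key, [value]))
        records.append(rec)
    return records

def flag_sensitive(records, sensitive=SENSITIVE):
    """Return (dn, op, attr) for every change that touches a sensitive attribute."""
    return [(r["dn"], op, attr) for r in records
            for op, attr, _ in r["mods"] if attr in sensitive]
```

Running `flag_sensitive(parse_changes(log_text))` in the scheduled copy job gives a short review list of password and group-membership changes before the log is applied to the mirror.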