Getting started with the enhanced XDAS features found in eDirectory 88 SP7 Patch 3

  • 7012483
  • 24-May-2013
  • 25-Jul-2017

Environment

NetIQ eDirectory
NetIQ iManager
Novell eDirectory 8.8 SP7 Patch 3 for Linux
Novell iManager 2.7 SP6 Patch 1

Situation

What's New?    
 
Additional XDAS functionality is enabled with eDirectory 8.8 SP7 Patch 3 and a new XDAS plugin for iManager.  Among the new features are:
- new configuration attribute
- new interface for the iManager plugin
- feature parity with eDirectory Instrumentation
- ability to filter replicated events
- object class and attribute filtering
- Select all / Deselect all events option
    
In order to enable this new functionality on eDirectory 8.8 SP7 Patch 3, some manual steps are required whether this is a first-time setup or an existing one.  If eDirectory 8.8 SP8 is installed, the schema extension step and the XDAS configuration update step can be skipped.
 
New configuration attribute
- The latest edirxdas.sch file laid down by applying eDirectory 8.8 SP7 Patch 3 is used to extend schema.
 
New iManager interface
- Available after installing and using the latest 'eDirectory88 Plugins' available from the iManager plugin update service.  (Note: do not select the 'eDirectory Instrumentation' plugin from the list.  The instrumentation plugin is part of the 88 plugins and will get installed as well.)
- If there is an existing configuration then it must be migrated to the new configuration attribute using the new migration option within the iManager XDAS plugin.

Resolution

 

Non-OES Linux Quick Start Example

 

 A. Configuring XDAS

 
1. Patch the server to eDirectory 8.8 SP7 Patch 3 or greater.  8.8 SP7 Patch 3 for Linux can be found here:
eDirectory 8.8 SP7 Patch 3 for Linux & Unix.  (Note: the latest version of iManager can be found on https://dl.netiq.com.)
 
This can be verified by running ndsstat at the command line.
 
 
 
 
 
2. Extend the schema for XDAS using the edirxdas.sch file laid down by the eDirectory 8.8 SP7 Patch 3 installer.
(ndssch -t MY_TREE admin.myorg /opt/novell/eDirectory/lib64/nds-schema/edirxdas.sch)
 
 
Alternately, one can access the schema files via the edir887_patch3_schema.zip file found in this patch:
  NOTE: If eDirectory 8.8 SP8 is installed the schema has already been extended.  Step 2 can be skipped.
 
 
3. Patch iManager to 2761 HF1.  iManager patches can be found by going to https://download.novell.com/patch/finder/ and selecting the appropriate drop down.
 
4. Download and install the new 'eDirectory88 Plugins' plugin for iManager.  At the time this TID was written the latest is:
- eDirectory88 Plugins 2.7.20130214
To check for your version of plugin, within iManager go to: Configure - Plug-in Installation - Available Plugins.
 
(NOTE: The eDirectory88 Plugin installs the latest Instrumentation Plugin.  Do not install the older standalone eDirectory Instrumentation plugin.  This will prevent the new plugin's UI from being displayed.  If this plugin was installed, uninstall both plugins then re-install the latest eDirectory88 Plugins.)
 
 
 
 
5. Stop and start Tomcat  
/etc/init.d/novell-tomcatx restart       (where x is the version of Tomcat on the server)
 
 
6. Update RBS if configured
The eDirectory Auditing Role will not show up if this step is skipped.
 
 
7. Stop and start Tomcat again if RBS was updated in Step 6.      
/etc/init.d/novell-tomcatx restart       (where x is the version of Tomcat on the server) 
 
 
8. Modify the XDAS configuration file
Edit /etc/opt/novell/eDirectory/conf/xdasconfig.properties and uncomment/modify the following lines for the Rolling File Appender:
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/opt/novell/eDirectory/log/xdas-events.log
log4j.appender.R.MaxFileSize=100MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n

 
 
 
 
9. Modify the ndsmodules.conf file to autoload the xdas module
Uncomment the xdasauditds section of the /etc/opt/novell/eDirectory/conf/ndsmodules.conf file.  If it is not listed then add the following to the end of the file
   - xdasauditds       auto      #XDASauditds
 
 
 
 
10. Load the xdas module 
- ndstrace -c "load xdasauditds"
 
11. Verify it is running
- A tail of the /var/opt/novell/eDirectory/log/ndsd.log should show 'NetIQ eDirectory XDASv2 Instrumentation module started'
- Running 'ndstrace -c modules |grep xdasauditds' should return
xdasauditds     Running
 
 
12. Configure XDAS auditing in iManager.  Role: eDirectory Auditing - Audit Configuration - select the server, then the auditing options.
The new UI is in use if the Global option "Do Not Send Replicated Events" is seen under the XDAS Events tab.
 
NEW: (screenshot of the new UI, not reproduced here)
 
OLD: (screenshot of the old UI, not reproduced here)
 
If the old UI is still displayed (the Global option is not seen) and the Upgrade XDAS Configuration option is displayed, select this Upgrade link and refresh the browser when instructed.  The auditing options (object classes, attributes, events, etc.) can now be configured.  (See Section B below.)
                                      
13. Once the auditing configuration is complete, wait 3 minutes for the new configuration to load or type the following commands to restart the XDAS module:
ndstrace -c "unload xdasauditds"
ndstrace -c "load xdasauditds"
 
The events will be collected in the log file specified in the previously modified /etc/opt/novell/eDirectory/conf/xdasconfig.properties file.  The default for the Rolling File Appender is /var/opt/novell/eDirectory/log/xdas-events.log.
 
* To view the server's current event configuration the following ldap command can be used:
/opt/novell/eDirectory/bin/ldapsearch -x -h x.x.x.x -D cn=admin,o=novell -w novell cn=SERVERNAME xdasConfiguration
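Steps 8 and 9 are the two places where a typo silently produces no log file at all (the appender is never wired to the root logger, or the xdasauditds line stays commented out).  The following pre-flight check is an added example, not NetIQ code: it reads the two files with a minimal Java .properties reader, reports what is missing, and can rewrite the ndsmodules.conf line.  The file contents embedded below are constructed to match the values shown in this TID; the real paths are only read when the script is run directly on a server.

```python
"""Pre-flight checks for xdasconfig.properties (step 8) and ndsmodules.conf (step 9).
Added example, not NetIQ code.  The sample texts below are constructed."""
import os
import re

XDASCONFIG_PATH = "/etc/opt/novell/eDirectory/conf/xdasconfig.properties"
NDSMODULES_PATH = "/etc/opt/novell/eDirectory/conf/ndsmodules.conf"
XDAS_MODULE_LINE = "xdasauditds       auto      #XDASauditds"

# Constructed sample: xdasconfig.properties after step 8 has been applied.
SAMPLE_XDASCONFIG = """\
# Rolling File Appender
log4j.rootLogger=debug, R
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=/var/opt/novell/eDirectory/log/xdas-events.log
log4j.appender.R.MaxFileSize=100MB
log4j.appender.R.MaxBackupIndex=10
log4j.appender.R.layout=org.apache.log4j.PatternLayout
log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n
"""

# Constructed sample: ndsmodules.conf with the xdasauditds entry still commented out.
SAMPLE_NDSMODULES_COMMENTED = """\
# module          loadmode  comment
  ldap            auto      #LDAP
# xdasauditds     auto      #XDASauditds
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#' or '!' comment lines, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_xdasconfig(text):
    """Return (log_path, problems) for the rolling file appender 'R' from step 8."""
    props = parse_properties(text)
    problems = []
    root = props.get("log4j.rootLogger", "")
    appenders = [a.strip() for a in root.split(",")[1:] if a.strip()]
    if "R" not in appenders:
        problems.append("log4j.rootLogger does not reference appender R")
    if props.get("log4j.appender.R") != "org.apache.log4j.RollingFileAppender":
        problems.append("log4j.appender.R is not a RollingFileAppender")
    log_path = props.get("log4j.appender.R.File") or None
    if log_path is None:
        problems.append("log4j.appender.R.File is not set")
    size = props.get("log4j.appender.R.MaxFileSize", "")
    if not re.fullmatch(r"\d+(KB|MB|GB)?", size):
        problems.append("log4j.appender.R.MaxFileSize missing or malformed: %r" % size)
    return log_path, problems


def xdas_autoload_enabled(text):
    """True when ndsmodules.conf has an uncommented 'xdasauditds  auto' line (step 9)."""
    for raw in text.splitlines():
        fields = raw.strip().split()
        if fields[:1] == ["#"] or (fields and fields[0].startswith("#")):
            continue
        if len(fields) >= 2 and fields[0] == "xdasauditds" and fields[1] == "auto":
            return True
    return False


def enable_xdas_autoload(text):
    """Return ndsmodules.conf text with the xdasauditds line uncommented, appended if absent."""
    out, found = [], False
    for raw in text.splitlines():
        fields = raw.lstrip("# ").split()
        if fields[:1] == ["xdasauditds"]:
            found = True
            out.append(XDAS_MODULE_LINE)
        else:
            out.append(raw)
    if not found:
        out.append(XDAS_MODULE_LINE)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real server read the live files; otherwise fall back to the constructed samples.
    xdas_text = open(XDASCONFIG_PATH).read() if os.path.exists(XDASCONFIG_PATH) else SAMPLE_XDASCONFIG
    mods_text = open(NDSMODULES_PATH).read() if os.path.exists(NDSMODULES_PATH) else SAMPLE_NDSMODULES_COMMENTED
    path, issues = check_xdasconfig(xdas_text)
    print("event log path:", path, "| problems:", issues or "none")
    print("xdasauditds autoload enabled:", xdas_autoload_enabled(mods_text))
```

The check is read-only; enable_xdas_autoload returns the corrected text rather than writing it, so the operator can diff it against the live file before replacing the file and restarting the module as in steps 10 and 11.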
 
 

B. Configuring Event Filters

 
In this example the customer is only concerned with tracking changes to his users' Telephone Number attribute value.  To do this, the correct class (set) of events must be selected first, then the event itself.  In reviewing the XDASv2 Administration Guide one can see these listed in Appendix A, with a description of each in Section 3.4.1.  The event classes or sets that are available to the administrator are:
 
Account Management Events
Session Management Events
Data Item and Resource Element Management Events
Service or Application Management Events
Service or Application Utilization Events
Peer Association Management Events
Data Item or Resource Element Content Access Events
Work Flow Management Events
Role Management Events
Exceptional Events
Audit Service Management Events
Authentication Event
 
It is determined that selecting the Create and Delete Role events under the Role Management class will log all changes to an attribute (deletes and adds).  This information can be found in the XDAS Admin guide as well as the XDAS user guides found here:
http://openxdas.sourceforge.net/documentation.html .  The following steps show how to configure the filter using the XDAS iManager plugin.
 
 
1. Log into iManager and navigate to the eDirectory Auditing - Audit Configuration task.  Select the server and click on OK.
 
2. Ensure the XDAS Events tab is selected at the top of the screen.  Scroll down the event sets under the XDAS Events Configuration Section until the Role Management set is seen.  The attribute to be logged can be selected by clicking on the Role Management Events link.
 
 
 
3. On the next screen, XDAS Roles Configuration Filtering, scroll through the Available Attribute(s) until Telephone Number is seen.  Highlight the attribute, add it to the Selected Attribute(s) and click on OK.  * 
 
 
 
4. Once back at the Role Management Events class, select both the Create Role and the Delete Role.  Select both DS and LDAP type events then click on OK.  **
 
 
 
5. Once the audit filter configuration is complete wait 3 minutes for the new configuration to load or type the following commands to restart the XDAS module:
ndstrace -c "unload xdasauditds"
ndstrace -c "load xdasauditds"
 
The ldap search return from " /opt/novell/eDirectory/bin/ldapsearch -x -h x.x.x.x -D cn=admin,o=novell -w novell cn=SERVERNAME xdasConfiguration " should show the following audit attributes on the ncp server object:
xdasConfiguration: loglargevalues=false
xdasConfiguration: DSNoReplicatedEvents=1
xdasConfiguration: dsaccount=
xdasConfiguration: ldapaccount=
xdasConfiguration: xdasEvents=CREATE_ROLE$DS$LDAP$$DELETE_ROLE$DS$LDAP
xdasConfiguration: dsrole=$$Telephone Number
xdasConfiguration: ldaprole=$$telephoneNumber
 
 
The event written to the xdas event log when a Telephone Number value of 777-7777 is added to user object testuser1.novell:
 
Jan 06 16:52:11 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "HV_888TREE_8","Name" : "CN=SLES11SP2-SVR1,O=novell"},"Entity" : {"SysAddr" : "192.168.1.1","SysName" : "mysvr8"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32806"},"Entity" : {"SysAddr" : "192.168.1.1:3457"}},"Target" : {"Data" : {"Attribute Name" : "Telephone Number","Attribute Value" : "777-7777","ClassName" : "User","Name" : "CN=testuser1,O=novell","Syntax" : "10"}},"Action" : {"Event" : {"Id" : "0.0.8.0","Name" : "CREATE_ROLE","CorrelationID" : "eDirectory#20#26dc4b35-011e-4e48-4b95-354bdc261e01","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389052331},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
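The ldapsearch output above packs the filter into "$"-separated strings, and each log line is a log4j prefix followed by one JSON document.  The script below is an added example, not NetIQ code, that decodes both: it parses the xdasConfiguration values into the enabled events and the selected attributes, parses xdas-events.log lines into flat records (who changed which attribute on which object, and the DSE_ sub-event), and keeps only the records the configured filter explains.  Two things it assumes that the TID does not state: that xdasEvents is laid out as <EVENT>$<channel>$<channel>$$<EVENT>..., and that dsrole/ldaprole hold <object classes>$$<attributes> with "$" between multiple names (here the class part is empty because only an attribute was selected).  The ldapsearch text and the second log line are constructed; the first log line is the one shown above.

```python
"""Decode xdasConfiguration values and parse xdas-events.log lines.  Added example,
not NetIQ code.  The '$$'/'$' layout of xdasEvents and dsrole is an assumption."""
import json
import re
import sys

# Constructed sample of the ldapsearch output shown in this TID (dn line added).
SAMPLE_LDAP_OUTPUT = """\
dn: cn=SERVERNAME,o=novell
xdasConfiguration: loglargevalues=false
xdasConfiguration: DSNoReplicatedEvents=1
xdasConfiguration: dsaccount=
xdasConfiguration: ldapaccount=
xdasConfiguration: xdasEvents=CREATE_ROLE$DS$LDAP$$DELETE_ROLE$DS$LDAP
xdasConfiguration: dsrole=$$Telephone Number
xdasConfiguration: ldaprole=$$telephoneNumber
"""

# The CREATE_ROLE line from this TID (ConversionPattern: %d{MMM dd HH:mm:ss} %c : %p%m%n).
SAMPLE_EVENT_LINE = ('Jan 06 16:52:11 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : '
    '{"Account" : {"Domain" : "HV_888TREE_8","Name" : "CN=SLES11SP2-SVR1,O=novell"},"Entity" : '
    '{"SysAddr" : "192.168.1.1","SysName" : "mysvr8"}},"Initiator" : {"Account" : {"Name" : '
    '"CN=admin,O=novell","Id" : "32806"},"Entity" : {"SysAddr" : "192.168.1.1:3457"}},"Target" : '
    '{"Data" : {"Attribute Name" : "Telephone Number","Attribute Value" : "777-7777","ClassName" : '
    '"User","Name" : "CN=testuser1,O=novell","Syntax" : "10"}},"Action" : {"Event" : {"Id" : '
    '"0.0.8.0","Name" : "CREATE_ROLE","CorrelationID" : '
    '"eDirectory#20#26dc4b35-011e-4e48-4b95-354bdc261e01","SubEvent" : "DSE_ADD_VALUE"},"Time" : '
    '{"Offset" : 1389052331},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}')

LOG_LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<logger>\S+) : "
                      r"(?P<level>[A-Z]+)\s*(?P<json>\{.*\})\s*$")

# Constructed second line: same shape, but for the Description attribute, which the filter
# above does not select.  Built from the first line so the JSON structure is identical.
_other = json.loads(LOG_LINE.match(SAMPLE_EVENT_LINE).group("json"))
_other["Target"]["Data"].update({"Attribute Name": "Description", "Attribute Value": "constructed"})
_other["Action"]["Time"]["Offset"] = 1389052382
SAMPLE_LOG = SAMPLE_EVENT_LINE + "\n" + "Jan 06 16:53:02 eDirectory : INFO " + json.dumps(_other) + "\n"


def parse_xdas_configuration(ldif_text):
    """Collect 'xdasConfiguration: key=value' lines and decode the $-packed fields."""
    cfg = {}
    for line in ldif_text.splitlines():
        if line.startswith("xdasConfiguration:"):
            key, _, value = line.split(":", 1)[1].strip().partition("=")
            cfg[key] = value
    events = {}
    for item in filter(None, cfg.get("xdasEvents", "").split("$$")):
        name, *channels = item.split("$")          # assumption: EVENT$channel$channel
        events[name] = set(channels)
    cfg["events"] = events
    for key in ("dsaccount", "ldapaccount", "dsrole", "ldaprole"):
        classes, _, attrs = cfg.get(key, "").partition("$$")   # assumption: classes$$attributes
        cfg[key + "_filter"] = {"classes": [c for c in classes.split("$") if c],
                                "attributes": [a for a in attrs.split("$") if a]}
    return cfg


def parse_event_line(line):
    """Flatten one xdas-events.log line into a record; None for non-event lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ev = json.loads(m.group("json"))
    event, data = ev["Action"]["Event"], ev.get("Target", {}).get("Data", {})
    return {"time": m.group("ts"), "event": event["Name"], "sub_event": event.get("SubEvent"),
            "correlation_id": event.get("CorrelationID"),
            "initiator": ev["Initiator"]["Account"]["Name"],
            "initiator_addr": ev["Initiator"].get("Entity", {}).get("SysAddr"),
            "target": data.get("Name"), "attribute": data.get("Attribute Name"),
            "value": data.get("Attribute Value"), "outcome": ev["Action"].get("Outcome"),
            "epoch": ev["Action"].get("Time", {}).get("Offset")}


def events_matching_config(records, cfg, role_key="dsrole_filter"):
    """Keep records whose event is enabled and whose attribute is in the role filter."""
    wanted = set(cfg[role_key]["attributes"])
    return [r for r in records
            if r["event"] in cfg["events"] and (not wanted or r["attribute"] in wanted)]


def describe(r):
    return "%s %s %s %s=%s on %s [%s]" % (r["time"], r["initiator"], r["event"],
                                          r["attribute"], r["value"], r["target"], r["sub_event"])


if __name__ == "__main__":
    # Usage: python3 xdas_events.py [/var/opt/novell/eDirectory/log/xdas-events.log]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cfg = parse_xdas_configuration(SAMPLE_LDAP_OUTPUT)
    records = [r for r in map(parse_event_line, text.splitlines()) if r]
    for r in events_matching_config(records, cfg):
        print(describe(r))
```

The CorrelationID and the DSE_ sub-event are kept in each record because the DS/LDAP mapping lists further down in this TID show that one XDAS event name (CREATE_ROLE, MODIFY_ACCOUNT) covers several vendor operations; triage usually needs the sub-event to tell an add from a rename.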
 
 

 
Notes:
 
* Currently, in the XDAS Roles Configuration Filtering screen, either an attribute or an object class can be selected.  In the version that ships with eDirectory 8.8 SP8 selecting both is not supported.
** While on the XDAS Events Configuration Section - Role Management, if the Modify Role is selected an additional (and unwanted) logging of modifiersname is added to the log.

Additional Information

__________________________________________________________________________________
9.0.3 NOTES

There have been significant changes in the taxonomy mapping of the PA and XDAS.  The following are some of the more significant changes.

Account Management Events = XDAS Account Configuration Filtering
Trust Management Events = XDAS Trust Configuration Filtering
Data Item Management Events = XDAS Data Item Configuration Filtering
From Bug 1028796


MAPPINGS
- There are no concepts such as roles or data item associations.  Therefore, "ROLE MANAGEMENT EVENTS" and "DATA ITEM OR RESOURCE ELEMENT CONTENT ACCESS EVENTS" have been completely removed.
- eDirectory does not have the concept of an Account.  All entries/objects will be treated as Accounts by eDirectory.
- All attributes related to entries/objects in Directory will be treated as DATA_ITEM in XDAS.
- Adding and Deleting of a member will be represented by Associate and Deassociate Trust respectively.
- Login Disabled and Login Enabled will be represented by Disable and Enable Account respectively.
- Password changes will be represented by MODIFY_ACCOUNT_SECURITY_TOKEN.
- ACL changes will be represented by Associate and Deassociate Trust.
- Intruder Lockout will be represented by Create Session with Details.
NEW FILTERING
- For Account related events: Users can select the ObjectClass for which they want to monitor.
- For Data Item related events: users can select the class and the attributes they want monitored.  The filter is calculated as "ObjectClass AND Attribute".
NMAS
- NMAS XDAS events are also merged with eDir Event System and now NMAS events will be registered through the same eDir XDAS iManager Plugin page.
EVENTID
- For XDAS EventIDs which overlap in Sentinel and eDir XDASv2 taxonomy or XDAS Event IDs present in Sentinel but not present in eDir XDASv2 taxonomy, a new ID is created which is converted to Sentinel ID inside the collector.

Bug 1029729
- The "Verify Password" authentication event from eDirectory is mislabelled as an account management event: Earlier, we were mapping DSE_NMAS_LOG_FINISH_VERIFY_STATUS for password verification but now we will use only the DSE_VERIFY_PASS event for Verify password. NMAS will always throw the DSE_VERIFY_PASS event for password verifications.

- There is no XDAS event for checking passwords against password policies: Mapped "DSE_NMAS_LOG_CHECK_PWD_SYNTAX_POLICY" event to QUERY_ACCOUNT_SECURITY_TOKEN event.

Does not get Modify Data Item event with DSE_MOVE_SUBTREE vendor code: Modified the code to report DSE_MOVE_SUBTREE correctly.

ObserverHostName should have the name of the host eDirectory is running on: Modified the code to send the FQDN of the host, eDirectory is running on.

Grant and Revoke Events need to be moved to the Security Events Section - bug 1027095




__________________________________________________________________________________
8.8 SP8 Selected XDAS-iMonitor DS/LDAP Mappings:
 
- "CREATE_ACCOUNT" --> DSE_CREATE_BINDERY_OBJECT DSE_CREATE_ENTRY DSE_LDAP_ADD DSE_LDAP_ADDRESPONSE DSE_NAME_COLLISION
- "DELETE_ACCOUNT" --> DSE_DELETE_BINDERY_OBJECT DSE_DELETE_ENTRY DSE_LDAP_DELETE DSE_LDAP_DELETERESPONSE DSE_MOVE_SOURCE_ENTRY DSE_REMOVE_ENTRY
- "ENABLE_ACCOUNT" --> DSE_ADD_VALUE
- "DISABLE_ACCOUNT" --> DSE_ADD_VALUE DSE_LOGIN
- "MODIFY_ACCOUNT" --> DSE_ADD_VALUE DSE_DELETE_ATTRIBUTE DSE_DELETE_VALUE DSE_LDAP_MODDN DSE_LDAP_MODDNRESPONSE DSE_LDAP_MODIFY DSE_LDAP_MODIFYRESPONSE DSE_MERGE_ENTRIES DSE_MODIFY_ENTRY DSE_MODIFY_RDN DSE_RENAME_ENTRY
- "CREATE_ROLE" --> DSE_CREATE_ENTRY DSE_ADD_VALUE DSE_LDAP_ADD DSE_LDAP_ADDRESPONSE DSE_NAME_COLLISION DSE_ADD_ENTRY
- "DELETE_ROLE" --> DSE_DELETE_ENTRY DSE_DELETE_VALUE DSE_LDAP_DELETE DSE_LDAP_DELETERESPONSE DSE_MOVE_SOURCE_ENTRY DSE_REMOVE_ENTRY
- "MODIFY_ROLE" --> DSE_ADD_VALUE DSE_DELETE_ATTRIBUTE DSE_DELETE_VALUE DSE_LDAP_MODIFY DSE_LDAP_MODIFYRESPONSE DSE_MERGE_ENTRIES DSE_MODIFY_ENTRY DSE_MODIFY_RDN DSE_RENAME_ENTRY
- "AUTHENTICATE_SESSION" --> DSE_LDAP_BIND DSE_LDAP_BINDRESPONSE DSE_LOGIN
- "UNAUTHENTICATE_SESSION" --> DSE_LDAP_UNBIND DSE_LOGOUT
- "CREATE_ACCESS_TOKEN" --> DSE_ALLOW_LOGIN DSE_GEN_CA_KEYS DSE_RECERT_PUB_KEY
 
Mapping the DSE_* events from the above list to the eDirectory functions they represent gives the following:
 
DSE_ADD_ENTRY - Add Entry
DSE_ADD_VALUE - Add Value
DSE_ALLOW_LOGIN - Allow login
DSE_CREATE_BINDERY_OBJECT - Create Bindery Object
DSE_CREATE_ENTRY - Create Entry
DSE_DELETE_ATTRIBUTE - Delete Attribute
DSE_DELETE_BINDERY_OBJECT - Delete Bindery Object
DSE_DELETE_ENTRY - Delete Entry
DSE_DELETE_VALUE - Delete Value
DSE_GEN_CA_KEYS - Generate CA Keys
DSE_LDAP_ADD - LDAP Add
DSE_LDAP_ADDRESPONSE - LDAP Add Response
DSE_LDAP_BIND - LDAP Bind
DSE_LDAP_BINDRESPONSE - LDAP Bind Response
DSE_LDAP_DELETE - LDAP Delete
DSE_LDAP_DELETERESPONSE - LDAP Delete Response
DSE_LDAP_MODDN - LDAP Modify DN
DSE_LDAP_MODDNRESPONSE - LDAP Modify DN Response
DSE_LDAP_MODIFY - LDAP Modify
DSE_LDAP_MODIFYRESPONSE - LDAP Modify Response
DSE_LDAP_UNBIND - LDAP Unbind
DSE_LOGIN - Login
DSE_LOGOUT - Logout
DSE_MERGE_ENTRIES - Merge Entries
DSE_MODIFY_ENTRY - Modify Entry
DSE_MODIFY_RDN - Modify RDN
DSE_MOVE_SOURCE_ENTRY - Move Source Entry
DSE_NAME_COLLISION - Name Collision
DSE_RECERT_PUB_KEY - Recert Public Key
DSE_REMOVE_ENTRY - Remove Entry
DSE_RENAME_ENTRY - Rename Entry