The new auditing attribute required for ESF's selective auditing feature is an optional attribute for user, user group, and resource object classes. If the LDAP schema of your Directory Server has already been extended with Micro Focus attributes and object classes, but without the microfocus-MFDS-Audit attribute, the new attribute can be added in one of the following ways, depending on the type of LDAP server:
If you are using Active Directory, save the following file as mf-selective-audit-attr.ldf:
dn: CN=microfocus-MFDS-Audit,DC=X
changetype: add
cn: microfocus-MFDS-Audit
lDAPDisplayName: microfocus-MFDS-Audit
adminDisplayName: microfocus-MFDS-Audit
oMSyntax: 1
attributeSyntax: 2.5.5.8
objectClass: attributeSchema
schemaIDGUID:: xmDwqgutS4ycMWycKH9dmc==
attributeID: 1.3.6.1.4.1.5043.1.1.0.400.10
isSingleValued: TRUE
adminDescription: MFDS SAF selective auditing attribute
description: MFDS SAF selective auditing attribute
Then run the command:
ldifde -i -f mf-selective-audit-attr.ldf -k -v -j . -c "DC=X" #schemaNamingContext
Additional command-line options, such as login credentials or port numbers, may be required, depending on where the Active Directory instance is running and whether the current user has administration access.
To extend the required objectClasses to use the new attribute:
dn: CN=microfocus-MFDS-User,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

dn: CN=microfocus-MFDS-Group,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=microfocus-MFDS-Resource,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
ldifde -i -f mf-selective-audit-classes.ldf -k -v -j . -c "DC=X" #schemaNamingContext
dn: CN=user,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=microfocus-MFDS-Group,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=microfocus-MFDS-Resource,DC=X
changetype: modify
add: mayContain
mayContain: microfocus-MFDS-Audit
-

DN:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
ldifde -i -f mf-selective-audit-classes.ldf -k -v -j . -c "DC=X" #schemaNamingContext
If you are using OpenLDAP, add the following text into the existing Micro Focus schema extensions file:
attributeType ( 1.3.6.1.4.1.5043.1.1.0.400.10
    NAME 'microfocus-MFDS-Audit'
    DESC 'MFDS SAF selective auditing attribute'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE )
To add the auditing attribute to existing user, user group, and resource objectClasses, add the new attribute to the MAY sections of the 'microfocus-MFDS-User', 'microfocus-MFDS-Group' and 'microfocus-MFDS-Resource' objectclass definitions, for example:
objectclass ( 1.3.6.1.4.1.5043.1.2.1.1000
    NAME 'microfocus-MFDS-User'
    DESC 'The user object class used to define entries representing Micro Focus user profiles'
    MUST ( cn $ microfocus-MFDS-UID $ microfocus-MFDS-User-MTO-Priority $
        microfocus-MFDS-User-MTO-Timeout $ microfocus-MFDS-User-MTO-OperatorClass $
        microfocus-MFDS-User-AllowLogon )
    MAY ( microfocus-MFDS-CustomText $ microfocus-MFDS-User-MTO-OperatorID $
        microfocus-MFDS-User-MTO-GroupPrefix $ microfocus-MFDS-User-Pwd $
        microfocus-MFDS-User-ExpirationDate $ microfocus-MFDS-User-DefaultGroup $
        microfocus-MFDS-User-Pwd-MustChange $ microfocus-MFDS-User-Pwd-ExpirationDate $
        microfocus-MFDS-User-CreateToken $ microfocus-MFDS-User-UseToken $
        microfocus-MFDS-User-LastLoginTime $ microfocus-MFDS-User-Pwd-History $
        microfocus-MFDS-User-LoginAttempts $ microfocus-MFDS-Audit $
        displayName $ description ) )
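A check to run on the edited OpenLDAP schema extensions file before restarting the server, added here as an example (it is not Micro Focus code): it parses the definitions and reports whether microfocus-MFDS-Audit is defined and listed in the MAY section of all three object classes. The function names, the sample fragment and the 0.0.0 placeholder OID are constructed for illustration.

```python
import re

AUDIT_ATTR = "microfocus-MFDS-Audit"
AUDIT_OID = "1.3.6.1.4.1.5043.1.1.0.400.10"
CLASSES = ("microfocus-MFDS-User", "microfocus-MFDS-Group", "microfocus-MFDS-Resource")
DEF_RE = re.compile(r"^(attributetype|objectclass)\s*\(", re.I | re.M)

def _body(text, start):
    """Return the text between a definition's outer parentheses, ignoring quoted strings."""
    depth, quoted = 1, False
    for i, ch in enumerate(text[start:], start):
        if ch == "'":
            quoted = not quoted
        elif not quoted and ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced parentheses in schema definition")

def check_schema(text):
    """Return a list of problems; an empty list means the audit attribute is fully wired in."""
    text = re.sub(r"^#.*$", "", text, flags=re.M)  # drop comment lines
    attr_defined, has_may = False, {}
    for m in DEF_RE.finditer(text):
        kind, body = m.group(1).lower(), _body(text, m.end())
        name = (re.findall(r"NAME\s+'([^']+)'", body) or [None])[0]
        bare = re.sub(r"'[^']*'", "''", body)  # blank out quoted text before keyword search
        if kind == "attributetype" and name == AUDIT_ATTR:
            attr_defined = body.split()[:1] == [AUDIT_OID] and "SINGLE-VALUE" in bare
        elif kind == "objectclass" and name in CLASSES:
            may = re.search(r"\bMAY\s+(?:\(([^)]*)\)|(\S+))", bare)
            listed = re.split(r"[\s$]+", (may.group(1) or may.group(2) or "") if may else "")
            has_may[name] = AUDIT_ATTR in listed
    problems = [] if attr_defined else [f"{AUDIT_ATTR}: attributeType missing or malformed"]
    for cls in CLASSES:
        if not has_may.get(cls):
            why = f"MAY list lacks {AUDIT_ATTR}" if cls in has_may else "objectclass not found"
            problems.append(f"{cls}: {why}")
    return problems

# Constructed, trimmed sample: User is updated, Group is not, Resource is absent.
SAMPLE = """\
attributeType ( 1.3.6.1.4.1.5043.1.1.0.400.10 NAME 'microfocus-MFDS-Audit'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.5043.1.2.1.1000 NAME 'microfocus-MFDS-User'
    MUST ( cn $ microfocus-MFDS-UID ) MAY ( microfocus-MFDS-Audit $ description ) )
objectclass ( 0.0.0 NAME 'microfocus-MFDS-Group' MUST ( cn ) MAY ( description ) )
"""
print("\n".join(check_schema(SAMPLE)))
```

To check a real file, pass its contents to check_schema() and treat any returned line as a reason not to restart the server yet.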