Adding the auditing attribute to the LDAP schema

The new auditing attribute required for ESF's selective auditing feature is an optional attribute for the user, user group, and resource object classes. If the LDAP schema of your Directory Server has already been extended with the Micro Focus attributes and object classes, but without the microfocus-MFDS-Audit attribute, the new attribute can be added in one of the following ways, depending on the type of LDAP server:

Microsoft Active Directory:

Save the following file as mf-selective-audit-attr.ldf:

dn: CN=microfocus-MFDS-Audit,DC=X
changetype: add
cn: microfocus-MFDS-Audit
lDAPDisplayName: microfocus-MFDS-Audit
adminDisplayName: microfocus-MFDS-Audit
oMSyntax: 1
attributeSyntax: 2.5.5.8
objectClass: attributeSchema
schemaIDGUID:: xmDwqgutS4ycMWycKH9dmc==
attributeID: 1.3.6.1.4.1.5043.1.1.0.400.10
isSingleValued: TRUE
adminDescription: MFDS SAF selective auditing attribute
description: MFDS SAF selective auditing attribute

Then run the command:

ldifde -i -f mf-selective-audit-attr.ldf -k -v -j . -c "DC=X" #schemaNamingContext

Additional command-line options, such as login credentials or port numbers, may be required, depending on where the Active Directory instance is running and whether the current user has administrative access.
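Before importing a schema record it is worth checking it offline: that the DN will land under the schema naming context once ldifde has applied the -c substitution, that the schemaIDGUID decodes to exactly 16 bytes, that attributeSyntax and oMSyntax are a matching pair (2.5.5.8 / 1 is Boolean), and that attributeID sits under the expected OID arc. The following Python is an added example written for this page, not Micro Focus code; it embeds a copy of the mf-selective-audit-attr.ldf record above, and the schema naming context CN=Schema,CN=Configuration,DC=example,DC=com is an assumed forest standing in for what #schemaNamingContext resolves to.

```python
import base64
import re
import uuid

# Constructed copy of the mf-selective-audit-attr.ldf record shown above; the
# schemaIDGUID and attributeID are the values from the page.
ATTR_LDIF = """\
dn: CN=microfocus-MFDS-Audit,DC=X
changetype: add
cn: microfocus-MFDS-Audit
lDAPDisplayName: microfocus-MFDS-Audit
adminDisplayName: microfocus-MFDS-Audit
oMSyntax: 1
attributeSyntax: 2.5.5.8
objectClass: attributeSchema
schemaIDGUID:: xmDwqgutS4ycMWycKH9dmc==
attributeID: 1.3.6.1.4.1.5043.1.1.0.400.10
isSingleValued: TRUE
adminDescription: MFDS SAF selective auditing attribute
description: MFDS SAF selective auditing attribute
"""

# AD attributeSyntax OIDs and the oMSyntax each must be paired with; only the
# Boolean pair used by this attribute is listed.
SYNTAX_PAIRS = {"2.5.5.8": 1}
MICROFOCUS_ARC = "1.3.6.1.4.1.5043."  # enterprise OID arc the page's attributeID sits under
# Assumed forest; stands in for what ldifde substitutes for #schemaNamingContext.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"


def parse_ldif(text):
    """Parse LDIF text into a list of records, each a list of (attribute, value) pairs.

    Supports '::' base64 values (decoded to bytes), folded continuation lines
    (leading space), '#' comments, '-' change separators and blank-line record
    separators, which is all the page's .ldf files use.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join a folded continuation line
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:             # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line == "-":
            current.append(("-", None))
        else:
            m = re.match(r"^([A-Za-z][A-Za-z0-9-]*)(::?) ?(.*)$", line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            attr, sep, value = m.groups()
            current.append((attr, base64.b64decode(value) if sep == "::" else value))
    return records


def apply_dn_substitution(dn, from_dn="DC=X", to_dn=SCHEMA_NC):
    """Mimic ldifde -c "DC=X" #schemaNamingContext: rewrite the placeholder suffix."""
    return dn.replace(from_dn, to_dn)


def check_attribute_record(ldif_text):
    """Validate the attributeSchema record before importing it. Returns the effective
    DN, the decoded schemaIDGUID and a list of findings (empty means it looks sound)."""
    record = parse_ldif(ldif_text)[0]
    attrs = {}
    for name, value in record:
        attrs.setdefault(name.lower(), []).append(value)   # LDIF attribute names are case-insensitive
    findings = []
    dn = apply_dn_substitution(attrs["dn"][0])
    if not dn.endswith(SCHEMA_NC):
        findings.append("DN is not under the schema naming context: " + dn)
    guid_bytes = attrs.get("schemaidguid", [b""])[0]
    if len(guid_bytes) != 16:
        findings.append("schemaIDGUID decodes to %d bytes, expected 16" % len(guid_bytes))
        guid = None
    else:
        guid = str(uuid.UUID(bytes_le=guid_bytes))       # AD stores GUIDs little-endian
    syntax = attrs.get("attributesyntax", [""])[0]
    om = attrs.get("omsyntax", ["-1"])[0]
    if SYNTAX_PAIRS.get(syntax) != int(om):
        findings.append("attributeSyntax %s does not pair with oMSyntax %s" % (syntax, om))
    oid = attrs.get("attributeid", [""])[0]
    if not oid.startswith(MICROFOCUS_ARC):
        findings.append("attributeID %s is outside the expected OID arc" % oid)
    if attrs.get("issinglevalued", [""])[0].upper() != "TRUE":
        findings.append("the selective-audit flag must be single valued")
    return {"dn": dn, "guid": guid, "findings": findings}


if __name__ == "__main__":
    result = check_attribute_record(ATTR_LDIF)
    print("effective DN:", result["dn"])
    print("schemaIDGUID:", result["guid"])
    print("findings:", result["findings"] or "none")
```

Running the script prints the DN the record will actually be created under, which is the quickest way to confirm the -c "DC=X" substitution does what you expect before touching the schema partition; a record that the check flags should be fixed in the file rather than imported with -k, which only suppresses certain errors and does not correct them.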

To extend the required objectClasses to use the new attribute:

  • If you are using the "microfocus-MFDS-User" objectClass to define Enterprise Server users:
    1. Save the following file as mf-selective-audit-classes.ldf (records are separated by a blank line):
      dn: CN=microfocus-MFDS-User,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      dn: CN=microfocus-MFDS-Group,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      DN:
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -

      dn: CN=microfocus-MFDS-Resource,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      DN:
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -
    2. Then run the command:
      ldifde -i -f mf-selective-audit-classes.ldf -k -v -j . -c "DC=X" #schemaNamingContext
  • If you are using the existing Microsoft "user" objectClass to define Enterprise Server users:
    1. Save the following file as mf-selective-audit-classes.ldf (records are separated by a blank line):
      dn: CN=user,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      DN:
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -

      dn: CN=microfocus-MFDS-Group,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      DN:
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -

      dn: CN=microfocus-MFDS-Resource,DC=X
      changetype: modify
      add: mayContain
      mayContain: microfocus-MFDS-Audit
      -

      DN:
      changetype: modify
      add: schemaUpdateNow
      schemaUpdateNow: 1
      -
    2. Then run the command:
      ldifde -i -f mf-selective-audit-classes.ldf -k -v -j . -c "DC=X" #schemaNamingContext

OpenLDAP

If you are using OpenLDAP, add the following text into the existing Micro Focus schema extensions file:

attributeType ( 1.3.6.1.4.1.5043.1.1.0.400.10 NAME 'microfocus-MFDS-Audit'
	DESC 'MFDS SAF selective auditing attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
	SINGLE-VALUE  )

To add the auditing attribute to the existing user, user group, and resource objectClasses, add the new attribute to the MAY section of each of the 'microfocus-MFDS-User', 'microfocus-MFDS-Group' and 'microfocus-MFDS-Resource' objectclass definitions, for example:

objectclass ( 1.3.6.1.4.1.5043.1.2.1.1000 NAME 'microfocus-MFDS-User'
	DESC 'The user object class used to define entries representing Micro Focus user profiles'
	MUST ( cn $
		microfocus-MFDS-UID $
		microfocus-MFDS-User-MTO-Priority $
		microfocus-MFDS-User-MTO-Timeout $
		microfocus-MFDS-User-MTO-OperatorClass $
		microfocus-MFDS-User-AllowLogon )
	MAY ( microfocus-MFDS-CustomText $
		microfocus-MFDS-User-MTO-OperatorID $
		microfocus-MFDS-User-MTO-GroupPrefix $
		microfocus-MFDS-User-Pwd $
		microfocus-MFDS-User-ExpirationDate $
		microfocus-MFDS-User-DefaultGroup $
		microfocus-MFDS-User-Pwd-MustChange $
		microfocus-MFDS-User-Pwd-ExpirationDate $
		microfocus-MFDS-User-CreateToken $
		microfocus-MFDS-User-UseToken $
		microfocus-MFDS-User-LastLoginTime $
		microfocus-MFDS-User-Pwd-History $
		microfocus-MFDS-User-LoginAttempts $
		microfocus-MFDS-Audit $
		displayName $
		description ) )
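A schema edit that adds the attributeType but forgets one of the three MAY lists fails quietly: slapd starts, but entries of the missed class cannot carry microfocus-MFDS-Audit, so the audit flag is silently unsettable for that object type. The checker below is an added example for this page, not Micro Focus code. It parses attributeType and objectclass definitions in the OpenLDAP schema syntax shown above, confirms the attribute uses the same OID as the Active Directory attributeID, the LDAP Boolean syntax and SINGLE-VALUE, and reports which of the three required classes do not list it in MAY. The embedded schema fragment is constructed: the attributeType and a shortened microfocus-MFDS-User class follow the page, microfocus-MFDS-Group is a stand-in with a placeholder OID that has not yet received the attribute, and microfocus-MFDS-Resource is deliberately absent. add_to_may is a helper of this example that performs the textual edit the page describes.

```python
import re

BOOLEAN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.7"   # LDAP Boolean syntax, as in the attributeType above
AUDIT_OID = "1.3.6.1.4.1.5043.1.1.0.400.10"      # attributeID shared by the AD and OpenLDAP definitions
AUDIT_ATTR = "microfocus-MFDS-Audit"
REQUIRED_CLASSES = ("microfocus-MFDS-User", "microfocus-MFDS-Group", "microfocus-MFDS-Resource")

# Constructed schema fragment (see the lead-in): Group uses a placeholder OID and
# lacks the attribute; Resource is missing altogether.
SAMPLE_SCHEMA = """
attributeType ( 1.3.6.1.4.1.5043.1.1.0.400.10 NAME 'microfocus-MFDS-Audit'
    DESC 'MFDS SAF selective auditing attribute'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
    SINGLE-VALUE  )

objectclass ( 1.3.6.1.4.1.5043.1.2.1.1000 NAME 'microfocus-MFDS-User'
    DESC 'The user object class used to define entries representing Micro Focus user profiles'
    MUST ( cn $ microfocus-MFDS-UID )
    MAY ( microfocus-MFDS-CustomText $ microfocus-MFDS-Audit $ displayName $ description ) )

objectclass ( 1.3.6.1.4.1.5043.1.2.1.PLACEHOLDER NAME 'microfocus-MFDS-Group'
    DESC 'constructed stand-in for the group object class'
    MUST ( cn )
    MAY ( description ) )
"""


def split_definitions(text):
    """Return (kind, body) for every top-level attributeType/objectclass definition,
    matching parentheses so nested MUST/MAY lists stay inside their definition."""
    out = []
    for m in re.finditer(r"\b(attributeType|objectclass)\s*\(", text, re.I):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError("unbalanced parentheses in %s definition" % m.group(1))
        out.append((m.group(1).lower(), text[m.end():i - 1]))
    return out


def parse_definition(body):
    """Pull OID, NAME, SYNTAX, SINGLE-VALUE and the MUST/MAY attribute lists out of one body."""
    d = {"oid": body.split()[0]}
    d["name"] = re.search(r"NAME\s+'([^']+)'", body).group(1)
    m = re.search(r"\bSYNTAX\s+([\d.]+)", body)
    d["syntax"] = m.group(1) if m else None
    d["single_value"] = bool(re.search(r"\bSINGLE-VALUE\b", body))
    for key in ("MUST", "MAY"):
        m = re.search(r"\b%s\s*\(([^)]*)\)" % key, body)
        d[key.lower()] = [a.strip() for a in m.group(1).split("$")] if m else []
    return d


def check_audit_schema(schema_text):
    """Return a list of findings; an empty list means the attribute is defined
    consistently and every required class allows it."""
    defs = [(kind, parse_definition(body)) for kind, body in split_definitions(schema_text)]
    attrs = {d["name"]: d for kind, d in defs if kind == "attributetype"}
    classes = {d["name"]: d for kind, d in defs if kind == "objectclass"}
    findings = []
    a = attrs.get(AUDIT_ATTR)
    if a is None:
        findings.append("attributeType %s is not defined" % AUDIT_ATTR)
    else:
        if a["oid"] != AUDIT_OID:
            findings.append("attributeType OID %s differs from the AD attributeID %s" % (a["oid"], AUDIT_OID))
        if a["syntax"] != BOOLEAN_SYNTAX:
            findings.append("attributeType syntax %s is not Boolean" % a["syntax"])
        if not a["single_value"]:
            findings.append("attributeType should be SINGLE-VALUE")
    for name in REQUIRED_CLASSES:
        cls = classes.get(name)
        if cls is None:
            findings.append("objectclass %s is not defined" % name)
        elif AUDIT_ATTR not in cls["may"] + cls["must"]:
            findings.append("objectclass %s does not list %s in MAY" % (name, AUDIT_ATTR))
    return findings


def add_to_may(schema_text, class_name, attr=AUDIT_ATTR):
    """Append attr to the MAY list of class_name, the textual edit the page describes."""
    pattern = re.compile(
        r"(objectclass\s*\([^']*NAME\s+'%s'.*?\bMAY\s*\([^)]*?)(\s*\))" % re.escape(class_name),
        re.S | re.I)
    new, n = pattern.subn(lambda m: m.group(1) + " $ " + attr + m.group(2), schema_text, count=1)
    if n != 1:
        raise ValueError("objectclass %s with a MAY list not found" % class_name)
    return new


if __name__ == "__main__":
    for f in check_audit_schema(SAMPLE_SCHEMA):
        print("before:", f)
    for f in check_audit_schema(add_to_may(SAMPLE_SCHEMA, "microfocus-MFDS-Group")):
        print("after fixing Group:", f)
```

Run it against your real schema extensions file by passing its contents to check_audit_schema; the parenthesis-matching splitter assumes DESC strings contain no unbalanced parentheses, which holds for the definitions on this page.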