
Chapter 5. Auditing IdM API operations


Identity Management (IdM) servers use the systemd journal to create audit records of all IdM API operations. To audit operations and troubleshoot issues, you can query the journal to see who performed actions, when, and on which server.

5.1. Overview of IdM API auditing

An IdM server records any use of the Identity Management (IdM) API in the systemd journal. This provides a unified method to collect logs for auditing API operations.

The systemd journal allows for centralized collection of logs from individual systems, which can then be queried and filtered.

Each log entry is tagged with an IPA.API marker and contains the following details in a structured format:

  • The authenticated Kerberos principal that performed the action, or [autobind] if the operation was performed by the root user directly on the server through LDAPI.
  • The name of the API command that was executed.
  • The result of the execution, which is either SUCCESS or an exception name.
  • An LDAP backend instance identifier, which is the same for all operations performed as part of the same request.
  • A list of arguments and options passed to the command, in JSON format.

You can query these entries with the journalctl utility. Using journalctl with the -x option provides a more detailed, human-readable explanation of the log entry, including links to the relevant documentation.

Note

All IdM API audit entries have a MESSAGE_ID property set to the application UID 6d70f1b493df36478bc3499257cd3b17.

5.2. Viewing the IdM API audit logs

You can view the IdM API audit logs and details of a specific entry by querying the systemd journal. This procedure shows how to identify and display logs of a user deletion using the IdM API.

Prerequisites

  • You have root access to the IdM server.
  • The IdM server is running RHEL 9.5 or later.

Procedure

  1. To see a list of all IdM API operations recorded in the journal, filter the journal for the IPA.API marker:

    # journalctl -g IPA.API
    May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
    May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
    May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}

    The output shows a summary of each API call, including the user, the command, the result, the unique connection ID, and parameters used.

  2. Identify a unique identifier for the specific entry you want to inspect. For example, the user_del call has the LDAP backend instance identifier ldap2_140328582446688.
  3. Use journalctl with the -x option and the unique identifier value to get a detailed explanation of the user deletion log entry:

    # journalctl -x -g ldap2_140328582446688
    May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[255232]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    -- Subject: IdM API command was executed and result of its execution was audited
    -- Defined-by: FreeIPA
    -- Support: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
    -- Documentation: man:ipa(1)
    -- Documentation: https://freeipa.readthedocs.io/en/latest/api/index.html
    -- Documentation: https://freeipa.readthedocs.io/en/latest/api/user_del.html
    
    -- Identity Management provides an extensive API that allows to manage all aspects of IdM deployments.
    
    -- The following information about the API command executed is available:
    
    -- [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
    
    -- The command was executed by '/usr/bin/ipa' utility. If the utility name
    -- is '/mod_wsgi`, then this API command came from a remote source through the IdM
    -- API end-point.
    
    -- The message includes following fields:
    
    --   - executable name and PID ('/mod_wsgi' for HTTP end-point; in this case it
    --     was '/usr/bin/ipa' command)
    
    --   - '[IPA.API]' marker to allow searches with 'journalctl -g IPA.API'
    
    --   - authenticated Kerberos principal or '[autobind]' marker for LDAPI-based
    --     access as root. In this case it was '[autobind]'
    
    --   - name of the command executed, in this case 'user_del'
    
    --   - result of execution: SUCCESS or an exception name. In this case it was
    --     'SUCCESS'
    
    --   - LDAP backend instance identifier. The identifier will be the same for all
    --     operations performed under the same request. This allows to identify operations
    --     which were executed as a part of the same API request instance. For API
    --     operations that didn't result in LDAP access, there will be
    --     '[no_connection_id]' marker.
    
    --   - finally, a list of arguments and options passed to the command is provided
    --     in JSON format.
    
    -- ---------
    -- The following list of arguments and options were passed to the command
    -- 'user_del' by the '[autobind]' actor:
    --
    -- {"uid": ["example_user"], "continue": false, "version": "2.253"}
    -- ---------
    
    -- A detailed information about Identity Management API can be found at upstream documentation API reference:
    -- https://freeipa.readthedocs.io/en/latest/api/index.html
    
    -- For details on the IdM API command 'user_del' see
    -- https://freeipa.readthedocs.io/en/latest/api/user_del.html
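As an added example (not part of this chapter or of FreeIPA itself), the following Python script parses [IPA.API] journal lines in the format described in Section 5.1 and does the two things an auditor usually wants from the output of step 1: it flags entries worth reviewing (non-SUCCESS results, and sensitive commands run as [autobind], which carry no Kerberos identity) and groups commands by LDAP backend instance identifier so that operations from one request are shown together. It assumes the journal text is supplied as plain lines (for instance saved from journalctl -g IPA.API); the sample input is constructed from the four lines above plus two constructed entries (a remote user_del denied with ACIError, and an env call that needed no LDAP access).

```python
import json
import re

# One [IPA.API] journal line, in the layout this chapter describes:
#   <executable>[<pid>]: [IPA.API] <actor>: <command>: <result> [<ldap_id>] <json args>
AUDIT_RE = re.compile(
    r"(?P<exe>\S+)\[(?P<pid>\d+)\]: \[IPA\.API\] (?P<actor>\S+): "
    r"(?P<command>\w+): (?P<result>\w+) \[(?P<ldap_id>[^\]]+)\] (?P<args>\{.*\})$"
)

# Constructed sample: the four lines from the journalctl output above, plus two
# constructed entries (remote user_del denied with ACIError; env with no LDAP access).
SAMPLE_JOURNAL = """\
May 23 10:30:15 idmserver.idm.example.com /usr/bin/ipa[247422]: [IPA.API] [autobind]: user_del: SUCCESS [ldap2_140328582446688] {"uid": ["example_user"], "continue": false, "version": "2.253"}
May 23 10:32:01 idmserver.idm.example.com /usr/bin/ipa[247555]: [IPA.API] admin@IDM.EXAMPLE.COM: user_add: SUCCESS [ldap2_140328582446999] {"uid": ["new_user"], "givenname": "New", "sn": "User", "cn": "New User"}
May 23 10:33:10 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] admin@IDM.EXAMPLE.COM: ping: SUCCESS [ldap2_139910420944784] {"version": "2.253"}
May 23 10:34:05 idmserver.idm.example.com /usr/bin/ipa[247888]: [IPA.API] [autobind]: group_add_member: SUCCESS [ldap2_140328582447111] {"cn": "admins", "user": "new_user"}
May 23 10:35:42 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] alice@IDM.EXAMPLE.COM: user_del: ACIError [ldap2_139910420944784] {"uid": ["new_user"], "continue": false, "version": "2.253"}
May 23 10:36:00 idmserver.idm.example.com /mod_wsgi[247035]: [IPA.API] alice@IDM.EXAMPLE.COM: env: SUCCESS [no_connection_id] {"version": "2.253"}
"""

def parse_audit_line(line):
    """Return a dict for one [IPA.API] line, or None for unrelated journal lines."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["args"] = json.loads(rec["args"])      # arguments/options are JSON
    rec["remote"] = rec["exe"] == "/mod_wsgi"  # /mod_wsgi means the HTTP API end-point
    return rec

def parse_audit_log(text):
    return [r for r in map(parse_audit_line, text.splitlines()) if r]

def audit_findings(records, sensitive=("user_del", "group_add_member")):
    """Entries to review: any non-SUCCESS result, and sensitive commands run as [autobind]."""
    findings = []
    for r in records:
        if r["result"] != "SUCCESS":
            findings.append(("failure", r))
        elif r["actor"] == "[autobind]" and r["command"] in sensitive:
            findings.append(("autobind_sensitive", r))
    return findings

def group_by_request(records):
    """Group commands by LDAP backend instance id: the same id means the same API request."""
    groups = {}
    for r in records:
        groups.setdefault(r["ldap_id"], []).append(r["command"])
    return groups
```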

Additional resources

  • journalctl(1) man page on your system

© 2025 Red Hat