
Ticket 48145 - RFE Add log file for rejected changes
https://fedorahosted.org/389/ticket/48145
http://www.port389.org/docs/389ds/design/audit_improvement.html

Bug Description: Add a log file for rejected changes. This will help with
debugging third-party and other applications that fail to connect to or
work correctly with LDAP servers.

Fix Description: The bulk of this code is duplication of existing audit log
code. The remainder that is new is configuration items in schema, an update
to the template dse.ldif for installation, hooking in add.c, delete.c,
modify.c and modrdn.c. Finally, we extract the return code in
write_auditfail_log_entry and insert this to the fail log.

You can enable this with:

cn=config
nsslapd-auditfaillog-logging-enabled: on

The auditfail log is:

var/log/dirsrv/slapd-%instance%/auditfail

And contains entries such as:

time: 20151111152800
dn: uid=test,dc=example,dc=com
result: 65
changetype: modify
replace: objectClass
objectClass: account
objectClass: posixGroup
objectClass: simpleSecurityObject
objectClass: top
-

Note the result maps to the ldap result code, in this case 65 == 0x41
LDAP_OBJECT_CLASS_VIOLATION 0x41

Author: wibrown

Review by: mreynolds, nhosoi (Thanks!)

William Brown 10 年之前
父节点
当前提交
5420e154aa

+ 5 - 0
ldap/ldif/template-dse.ldif.in

@@ -52,6 +52,11 @@ nsslapd-auditlog-mode: 600
 nsslapd-auditlog-maxlogsize: 100
 nsslapd-auditlog-logrotationtime: 1
 nsslapd-auditlog-logrotationtimeunit: day
+nsslapd-auditfaillog: %log_dir%/auditfail
+nsslapd-auditfaillog-mode: 600
+nsslapd-auditfaillog-maxlogsize: 100
+nsslapd-auditfaillog-logrotationtime: 1
+nsslapd-auditfaillog-logrotationtimeunit: day
 nsslapd-rootdn: %rootdn%
 nsslapd-rootpw: %ds_passwd%
 nsslapd-maxdescriptors: 1024

+ 13 - 0
ldap/schema/01core389.ldif

@@ -278,6 +278,19 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause'
 attributeTypes: ( 2.16.840.1.113730.3.1.2313 NAME 'nsslapd-changelogtrim-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2314 NAME 'nsslapd-changelogcompactdb-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2315 NAME 'nsDS5ReplicaWaitForAsyncResults' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2316 NAME 'nsslapd-auditfaillog-maxlogsize' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2317 NAME 'nsslapd-auditfaillog-logrotationsync-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2318 NAME 'nsslapd-auditfaillog-logrotationsynchour' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2319 NAME 'nsslapd-auditfaillog-logrotationtime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2320 NAME 'nsslapd-auditfaillog-logrotationtimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2321 NAME 'nsslapd-auditfaillog-logmaxdiskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2322 NAME 'nsslapd-auditfaillog-logminfreediskspace' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2323 NAME 'nsslapd-auditfaillog-logexpirationtime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2324 NAME 'nsslapd-auditfaillog-logexpirationtimeunit' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2325 NAME 'nsslapd-auditfaillog-logging-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2326 NAME 'nsslapd-auditfaillog-logging-hide-unhashed-pw' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2327 NAME 'nsslapd-auditfaillog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2328 NAME 'nsslapd-auditfaillog-list' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
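Review bot: The attribute set declared in this hunk does not cover everything the server registers for the auditfail log in libglobs.c: there is no attributeTypes entry for the attributes behind CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE (`nsslapd-auditfaillog-mode`, which template-dse.ldif.in sets to 600), CONFIG_AUDITFAILLOG_LOGROTATIONSYNCMIN_ATTRIBUTE or CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE. If those are not declared elsewhere in the schema, they should get entries here mirroring the existing nsslapd-auditlog-* declarations, with OIDs allocated in the same 2.16.840.1.113730.3.1.23xx range as the rest of this block. Keeping the declared set in step with the config table avoids the mode and rotation settings for the new log being the only ones that fail schema validation.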

+ 5 - 0
ldap/servers/slapd/add.c

@@ -753,6 +753,11 @@ static void op_shared_add (Slapi_PBlock *pb)
 					operation_out_of_disk_space();
 					goto done;
 				}
+				/* If the disk is full we don't want to make it worse ... */
+				if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
+				{ 
+					write_auditfail_log_entry(pb); /* Record the operation in the audit log */
+				}
 			}
 		}
 		else
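Review bot: The two comments in the added block are copied from the success-path audit hook and describe the wrong thing: `write_auditfail_log_entry(pb)` writes to the auditfail log, not the audit log, and `/* If the disk is full we don't want to make it worse ... */` explains the disk-space check above it rather than the lines it now heads. Replace both with one comment such as `/* Operation was rejected: record it in the auditfail log */`. The same copied comments appear in the delete.c hunk. op_shared_add begins and ends outside the hunk, so that this sits on the non-success branch is inferred from the surrounding `operation_out_of_disk_space()` / `goto done` context.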

+ 210 - 110
ldap/servers/slapd/auditlog.c

@@ -26,10 +26,12 @@ char	*attr_changetype	= ATTR_CHANGETYPE;
 char	*attr_newrdn		= ATTR_NEWRDN;
 char	*attr_deleteoldrdn	= ATTR_DELETEOLDRDN;
 char	*attr_modifiersname = ATTR_MODIFIERSNAME;
-static int hide_unhashed_pw = 1;
+
+static int audit_hide_unhashed_pw = 1;
+static int auditfail_hide_unhashed_pw = 1;
 
 /* Forward Declarations */
-static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
+static void write_audit_file(int logtype, int optype, const char *dn, void *change, int flag, time_t curtime, int rc );
 
 void
 write_audit_log_entry( Slapi_PBlock *pb )
@@ -76,9 +78,60 @@ write_audit_log_entry( Slapi_PBlock *pb )
     curtime = current_time();
     /* log the raw, unnormalized DN */
     dn = slapi_sdn_get_udn(sdn);
-    write_audit_file( operation_get_type(op), dn, change, flag, curtime );
+    write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, 0);
 }
 
+void
+write_auditfail_log_entry( Slapi_PBlock *pb )
+{
+    time_t curtime;
+    Slapi_DN *sdn;
+    const char *dn;
+    void *change;
+    int flag = 0;
+    Operation *op;
+    int pbrc = 0;
+
+    /* if the audit log is not enabled, just skip all of
+       this stuff */
+    if (!config_get_auditfaillog_logging_enabled()) {
+        return;
+    }
+
+    slapi_pblock_get( pb, SLAPI_OPERATION, &op );
+    slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+
+    slapi_pblock_get( pb, SLAPI_RESULT_CODE, &pbrc );
+
+    switch ( operation_get_type(op) )
+    {
+    case SLAPI_OPERATION_MODIFY:
+        slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
+        break;
+    case SLAPI_OPERATION_ADD:
+    	slapi_pblock_get( pb, SLAPI_ADD_ENTRY, &change );
+    	break;
+    case SLAPI_OPERATION_DELETE:
+        {
+        char * deleterDN = NULL;
+        slapi_pblock_get(pb, SLAPI_REQUESTOR_DN, &deleterDN);
+        change = deleterDN;
+        }
+        break;
+    case SLAPI_OPERATION_MODDN:
+        /* newrdn: change is just for logging -- case does not matter. */
+        slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
+        slapi_pblock_get( pb, SLAPI_MODRDN_DELOLDRDN, &flag );
+        break;
+    default:
+        return; /* Unsupported operation type. */
+    }
+    curtime = current_time();
+    /* log the raw, unnormalized DN */
+    dn = slapi_sdn_get_udn(sdn);
+    /* If we are combined */
+    write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc);
+}
 
 
 /*
@@ -90,139 +143,174 @@ write_audit_log_entry( Slapi_PBlock *pb )
  *                     For a delete operation, may contain the modifier's DN.
  *            flag   - only used by modrdn operations - value of deleteoldrdn flag
  *            curtime - the current time
+ *            rc     - The ldap result code. Used in conjunction with auditfail
  * Returns: nothing
  */
 static void
 write_audit_file(
-    int			optype,
-    const char	*dn,
-    void		*change,
-    int			flag,
-    time_t		curtime
+    int         logtype,
+    int         optype,
+    const char  *dn,
+    void        *change,
+    int         flag,
+    time_t      curtime,
+    int         rc
 )
 {
-    LDAPMod	**mods;
-    Slapi_Entry	*e;
-    char	*newrdn, *tmp, *tmpsave;
-    int	len, i, j;
-    char	*timestr;
-    lenstr	*l;
+    LDAPMod **mods;
+    Slapi_Entry *e;
+    char    *newrdn, *tmp, *tmpsave;
+    int len, i, j;
+    char    *timestr;
+    char    *rcstr;
+    lenstr  *l;
 
     l = lenstr_new();
 
     addlenstr( l, "time: " );
     timestr = format_localTime( curtime );
     addlenstr( l, timestr );
-    slapi_ch_free((void **) &timestr );
+    slapi_ch_free_string(&timestr);
     addlenstr( l, "\n" );
     addlenstr( l, "dn: " );
     addlenstr( l, dn );
     addlenstr( l, "\n" );
 
+    addlenstr( l, "result: " );
+    rcstr = slapi_ch_smprintf("%d", rc);
+    addlenstr( l, rcstr );
+    slapi_ch_free_string(&rcstr);
+    addlenstr( l, "\n" );
+
+
     switch ( optype )
-	{
+    {
     case SLAPI_OPERATION_MODIFY:
-    	addlenstr( l, attr_changetype );
-    	addlenstr( l, ": modify\n" );
-    	mods = change;
-    	for ( j = 0; (mods != NULL) && (mods[j] != NULL); j++ )
-		{
-			int operationtype= mods[j]->mod_op & ~LDAP_MOD_BVALUES;
-
-			if((strcmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) && hide_unhashed_pw){
-				continue;
-			}
-    	    switch ( operationtype )
-			{
-    	    case LDAP_MOD_ADD:
-        		addlenstr( l, "add: " );
-        		addlenstr( l, mods[j]->mod_type );
-        		addlenstr( l, "\n" );
-        		break;
-
-    	    case LDAP_MOD_DELETE:
-        		addlenstr( l, "delete: " );
-        		addlenstr( l, mods[j]->mod_type );
-        		addlenstr( l, "\n" );
-        		break;
-
-    	    case LDAP_MOD_REPLACE:
-        		addlenstr( l, "replace: " );
-        		addlenstr( l, mods[j]->mod_type );
-        		addlenstr( l, "\n" );
-        		break;
-
-			default:
-				operationtype= LDAP_MOD_IGNORE;
-				break;
-    	    }
-			if(operationtype!=LDAP_MOD_IGNORE)
-			{
-    			for ( i = 0; mods[j]->mod_bvalues != NULL && mods[j]->mod_bvalues[i] != NULL; i++ )
-				{
-        			char *buf, *bufp;
-        			len = strlen( mods[j]->mod_type );
-        			len = LDIF_SIZE_NEEDED( len, mods[j]->mod_bvalues[i]->bv_len ) + 1;
-       				buf = slapi_ch_malloc( len );
-        			bufp = buf;
-        			slapi_ldif_put_type_and_value_with_options( &bufp, mods[j]->mod_type,
-        				mods[j]->mod_bvalues[i]->bv_val,
-        				mods[j]->mod_bvalues[i]->bv_len, 0 );
-        			*bufp = '\0';
-        			addlenstr( l, buf );
-        			slapi_ch_free( (void**)&buf );
-    			}
-			}
-    	    addlenstr( l, "-\n" );
-    	}
-    	break;
+        addlenstr( l, attr_changetype );
+        addlenstr( l, ": modify\n" );
+        mods = change;
+        for ( j = 0; (mods != NULL) && (mods[j] != NULL); j++ )
+        {
+            int operationtype= mods[j]->mod_op & ~LDAP_MOD_BVALUES;
+    
+            if(strcmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0){
+                switch (logtype)
+                {
+                case SLAPD_AUDIT_LOG:
+                    if (audit_hide_unhashed_pw != 0) {
+                        continue;
+                    }
+                    break;
+                case SLAPD_AUDITFAIL_LOG:
+                    if (auditfail_hide_unhashed_pw != 0) {
+                        continue;
+                    }
+                    break;
+                }
+            }
+            switch ( operationtype )
+            {
+            case LDAP_MOD_ADD:
+                addlenstr( l, "add: " );
+                addlenstr( l, mods[j]->mod_type );
+                addlenstr( l, "\n" );
+                break;
+
+            case LDAP_MOD_DELETE:
+                addlenstr( l, "delete: " );
+                addlenstr( l, mods[j]->mod_type );
+                addlenstr( l, "\n" );
+                break;
+
+            case LDAP_MOD_REPLACE:
+                addlenstr( l, "replace: " );
+                addlenstr( l, mods[j]->mod_type );
+                addlenstr( l, "\n" );
+                break;
+
+            default:
+                operationtype= LDAP_MOD_IGNORE;
+                break;
+            }
+            if(operationtype!=LDAP_MOD_IGNORE)
+            {
+                for ( i = 0; mods[j]->mod_bvalues != NULL && mods[j]->mod_bvalues[i] != NULL; i++ )
+                {
+                    char *buf, *bufp;
+                    len = strlen( mods[j]->mod_type );
+                    len = LDIF_SIZE_NEEDED( len, mods[j]->mod_bvalues[i]->bv_len ) + 1;
+                    buf = slapi_ch_malloc( len );
+                    bufp = buf;
+                    slapi_ldif_put_type_and_value_with_options( &bufp, mods[j]->mod_type,
+                        mods[j]->mod_bvalues[i]->bv_val,
+                        mods[j]->mod_bvalues[i]->bv_len, 0 );
+                    *bufp = '\0';
+                    addlenstr( l, buf );
+                    slapi_ch_free( (void**)&buf );
+                }
+            }
+            addlenstr( l, "-\n" );
+        }
+        break;
 
     case SLAPI_OPERATION_ADD:
-    	e = change;
-    	addlenstr( l, attr_changetype );
-    	addlenstr( l, ": add\n" );
-    	tmp = slapi_entry2str( e, &len );
-    	tmpsave = tmp;
-    	while (( tmp = strchr( tmp, '\n' )) != NULL )
-		{
-    	    tmp++;
-    	    if ( !ldap_utf8isspace( tmp ))
-			{
-        		break;
-    	    }
-    	}
-    	addlenstr( l, tmp );
-    	slapi_ch_free((void**)&tmpsave );
-    	break;
+        e = change;
+        addlenstr( l, attr_changetype );
+        addlenstr( l, ": add\n" );
+        tmp = slapi_entry2str( e, &len );
+        tmpsave = tmp;
+        while (( tmp = strchr( tmp, '\n' )) != NULL )
+        {
+            tmp++;
+            if ( !ldap_utf8isspace( tmp ))
+            {
+                break;
+            }
+        }
+        addlenstr( l, tmp );
+        slapi_ch_free((void**)&tmpsave );
+        break;
 
     case SLAPI_OPERATION_DELETE:
-		tmp = change;
-    	addlenstr( l, attr_changetype );
-    	addlenstr( l, ": delete\n" );
-		if (tmp && tmp[0]) {
-			addlenstr( l, attr_modifiersname );
-			addlenstr( l, ": ");
-			addlenstr( l, tmp);
-			addlenstr( l, "\n");
-		}
-    	break;
+        tmp = change;
+        addlenstr( l, attr_changetype );
+        addlenstr( l, ": delete\n" );
+        if (tmp && tmp[0]) {
+            addlenstr( l, attr_modifiersname );
+            addlenstr( l, ": ");
+            addlenstr( l, tmp);
+            addlenstr( l, "\n");
+        }
+        break;
     
     case SLAPI_OPERATION_MODDN:
-    	newrdn = change;
-    	addlenstr( l, attr_changetype );
-    	addlenstr( l, ": modrdn\n" );
-    	addlenstr( l, attr_newrdn );
-    	addlenstr( l, ": " );
-    	addlenstr( l, newrdn );
-    	addlenstr( l, "\n" );
-    	addlenstr( l, attr_deleteoldrdn );
-    	addlenstr( l, ": " );
-    	addlenstr( l, flag ? "1" : "0" );
-    	addlenstr( l, "\n" );
+        newrdn = change;
+        addlenstr( l, attr_changetype );
+        addlenstr( l, ": modrdn\n" );
+        addlenstr( l, attr_newrdn );
+        addlenstr( l, ": " );
+        addlenstr( l, newrdn );
+        addlenstr( l, "\n" );
+        addlenstr( l, attr_deleteoldrdn );
+        addlenstr( l, ": " );
+        addlenstr( l, flag ? "1" : "0" );
+        addlenstr( l, "\n" );
     }
     addlenstr( l, "\n" );
 
-    slapd_log_audit_proc (l->ls_buf, l->ls_len);
+    switch (logtype)
+    {
+    case SLAPD_AUDIT_LOG:
+        slapd_log_audit_proc (l->ls_buf, l->ls_len);
+        break;
+    case SLAPD_AUDITFAIL_LOG:
+        slapd_log_auditfail_proc (l->ls_buf, l->ls_len);
+        break;
+    default:
+        /* Unsupported log type, we should make some noise */
+        LDAPDebug1Arg(LDAP_DEBUG_ANY, "write_audit_log: Invalid log type specified. logtype %d\n", logtype);
+        break;
+    }
 
     lenstr_free( &l );
 }
@@ -230,11 +318,23 @@ write_audit_file(
 void
 auditlog_hide_unhashed_pw()
 {
-	hide_unhashed_pw = 1;
+	audit_hide_unhashed_pw = 1;
 }
 
 void
 auditlog_expose_unhashed_pw()
 {
-	hide_unhashed_pw = 0;
+	audit_hide_unhashed_pw = 0;
+}
+
+void
+auditfaillog_hide_unhashed_pw()
+{
+	auditfail_hide_unhashed_pw = 1;
+}
+
+void
+auditfaillog_expose_unhashed_pw()
+{
+	auditfail_hide_unhashed_pw = 0;
 }
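Review bot: The `result: ` line added at the top of write_audit_file's body is emitted for both log types, so every entry in the existing audit log now gains a `result: 0` line (write_audit_log_entry passes rc = 0); that is a format change for anything parsing the audit log and the description does not mention it. Either guard it with `if (logtype == SLAPD_AUDITFAIL_LOG) { ... }` or call the format change out explicitly. The unhashed-password filter's inner `switch (logtype)` has no default, so an unrecognised logtype falls through and the cleartext PSEUDO_ATTR_UNHASHEDUSERPASSWORD value is formatted into the buffer even though the final switch then discards it; a `default: continue;` keeps cleartext out of the buffer for any log type the filter does not know. Two smaller things: the debug message in the final switch names `write_audit_log` while the function is write_audit_file, and `/* If we are combined */` in write_auditfail_log_entry is a fragment that should be completed or removed.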

+ 12 - 0
ldap/servers/slapd/daemon.c

@@ -357,6 +357,7 @@ disk_mon_get_dirs(char ***list, int logs_critical){
     disk_mon_add_dir(list, config->accesslog);
     disk_mon_add_dir(list, config->errorlog);
     disk_mon_add_dir(list, config->auditlog);
+    disk_mon_add_dir(list, config->auditfaillog);
     CFG_UNLOCK_READ(config);
 
     be = slapi_get_first_backend (&cookie);
@@ -456,6 +457,7 @@ disk_monitoring_thread(void *nothing)
     int verbose_logging = 0;
     int using_accesslog = 0;
     int using_auditlog = 0;
+    int using_auditfaillog = 0;
     int logs_disabled = 0;
     int grace_period = 0;
     int first_pass = 1;
@@ -488,6 +490,9 @@ disk_monitoring_thread(void *nothing)
         if(config_get_auditlog_logging_enabled()){
             using_auditlog = 1;
         }
+        if(config_get_auditfaillog_logging_enabled()){
+            using_auditfaillog = 1;
+        }
         if(config_get_accesslog_logging_enabled()){
             using_accesslog = 1;
         }
@@ -513,6 +518,9 @@ disk_monitoring_thread(void *nothing)
                     if(using_auditlog){
                         config_set_auditlog_enabled(LOGGING_ON);
                     }
+                    if(using_auditfaillog){
+                        config_set_auditfaillog_enabled(LOGGING_ON);
+                    }
                 } else {
                 	LDAPDebug(LDAP_DEBUG_ANY, "Disk space is now within acceptable levels.\n",0,0,0);
                 }
@@ -557,6 +565,7 @@ disk_monitoring_thread(void *nothing)
                 "disabling access and audit logging.\n", dirstr, (disk_space / 1024), 0);
             config_set_accesslog_enabled(LOGGING_OFF);
             config_set_auditlog_enabled(LOGGING_OFF);
+            config_set_auditfaillog_enabled(LOGGING_OFF);
             logs_disabled = 1;
             continue;
         }
@@ -617,6 +626,9 @@ disk_monitoring_thread(void *nothing)
                     if(logs_disabled && using_auditlog){
                         config_set_auditlog_enabled(LOGGING_ON);
                     }
+                    if(logs_disabled && using_auditfaillog){
+                        config_set_auditfaillog_enabled(LOGGING_ON);
+                    }
                     deleted_rotated_logs = 0;
                     passed_threshold = 0;
                     logs_disabled = 0;
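Review bot: The error-log message at the top of the @@ -557 hunk, `"disabling access and audit logging.\n"`, is now inaccurate because the added `config_set_auditfaillog_enabled(LOGGING_OFF)` directly below it also turns off the auditfail log; change it to `"disabling access, audit and auditfail logging.\n"` so an operator reading the error log knows all three were suspended. The remaining additions mirror the existing using_auditlog handling, including re-enabling the log only if it was on before the disk event.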

+ 5 - 0
ldap/servers/slapd/delete.c

@@ -351,6 +351,11 @@ static void op_shared_delete (Slapi_PBlock *pb)
 					operation_out_of_disk_space();
 					goto free_and_return;
 				}
+				/* If the disk is full we don't want to make it worse ... */
+				if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
+				{ 
+					write_auditfail_log_entry(pb); /* Record the operation in the audit log */
+				}
 			}
 		}
 

+ 187 - 15
ldap/servers/slapd/libglobs.c

@@ -152,12 +152,15 @@ static int invalid_sasl_mech(char *str);
 #define INIT_ACCESSLOG_MODE "600"
 #define INIT_ERRORLOG_MODE "600"
 #define INIT_AUDITLOG_MODE "600"
+#define INIT_AUDITFAILLOG_MODE "600"
 #define INIT_ACCESSLOG_ROTATIONUNIT "day"
 #define INIT_ERRORLOG_ROTATIONUNIT "week"
 #define INIT_AUDITLOG_ROTATIONUNIT "week"
+#define INIT_AUDITFAILLOG_ROTATIONUNIT "week"
 #define INIT_ACCESSLOG_EXPTIMEUNIT "month"
 #define INIT_ERRORLOG_EXPTIMEUNIT "month"
 #define INIT_AUDITLOG_EXPTIMEUNIT "month"
+#define INIT_AUDITFAILLOG_EXPTIMEUNIT "month"
 #define DEFAULT_DIRECTORY_MANAGER "cn=Directory Manager"
 #define DEFAULT_UIDNUM_TYPE "uidNumber"
 #define DEFAULT_GIDNUM_TYPE "gidNumber"
@@ -171,11 +174,14 @@ static int invalid_sasl_mech(char *str);
 slapi_onoff_t init_accesslog_rotationsync_enabled;
 slapi_onoff_t init_errorlog_rotationsync_enabled;
 slapi_onoff_t init_auditlog_rotationsync_enabled;
+slapi_onoff_t init_auditfaillog_rotationsync_enabled;
 slapi_onoff_t init_accesslog_logging_enabled;
 slapi_onoff_t init_accesslogbuffering;
 slapi_onoff_t init_errorlog_logging_enabled;
 slapi_onoff_t init_auditlog_logging_enabled;
 slapi_onoff_t init_auditlog_logging_hide_unhashed_pw;
+slapi_onoff_t init_auditfaillog_logging_enabled;
+slapi_onoff_t init_auditfaillog_logging_hide_unhashed_pw;
 slapi_onoff_t init_csnlogging;
 slapi_onoff_t init_pw_unlock;
 slapi_onoff_t init_pw_must_change;
@@ -1105,8 +1111,73 @@ static struct config_get_and_set {
 		NULL, 0,
 		(void**)&global_slapdFrontendConfig.mempool_maxfreelist,
 		CONFIG_INT, (ConfigGetFunc)config_get_mempool_maxfreelist,
-		DEFAULT_MEMPOOL_MAXFREELIST}
+		DEFAULT_MEMPOOL_MAXFREELIST},
 #endif /* MEMPOOL_EXPERIMENTAL */
+    /* Audit fail log configuration */
+	{CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE, NULL,
+		log_set_mode, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_mode,
+		CONFIG_STRING, NULL, INIT_AUDITFAILLOG_MODE},
+	{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
+		log_set_rotationsync_enabled, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_rotationsync_enabled,
+		CONFIG_ON_OFF, NULL, &init_auditfaillog_rotationsync_enabled},
+	{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE, NULL,
+		log_set_rotationsynchour, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_rotationsynchour,
+		CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCHOUR},
+	{CONFIG_AUDITFAILLOG_LOGROTATIONSYNCMIN_ATTRIBUTE, NULL,
+		log_set_rotationsyncmin, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_rotationsyncmin,
+		CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONSYNCMIN},
+	{CONFIG_AUDITFAILLOG_LOGROTATIONTIME_ATTRIBUTE, NULL,
+		log_set_rotationtime, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_rotationtime,
+		CONFIG_INT, NULL, DEFAULT_LOG_ROTATIONTIME},
+	{CONFIG_AUDITFAILLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
+		log_set_maxdiskspace, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_maxdiskspace,
+		CONFIG_INT, NULL, DEFAULT_LOG_MAXDISKSPACE},
+	{CONFIG_AUDITFAILLOG_MAXLOGSIZE_ATTRIBUTE, NULL,
+		log_set_logsize, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_maxlogsize,
+		CONFIG_INT, NULL, DEFAULT_LOG_MAXLOGSIZE},
+	{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIME_ATTRIBUTE, NULL,
+		log_set_expirationtime, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_exptime,
+		CONFIG_INT, NULL, DEFAULT_LOG_EXPTIME},
+	{CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE, NULL,
+		log_set_numlogsperdir, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_maxnumlogs,
+		CONFIG_INT, NULL, DEFAULT_LOG_MAXNUMLOGS},
+	{CONFIG_AUDITFAILLOG_LIST_ATTRIBUTE, NULL,
+		NULL, 0, NULL,
+		CONFIG_CHARRAY, (ConfigGetFunc)config_get_auditfaillog_list, NULL},
+	{CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, NULL,
+		log_set_logging, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_logging_enabled,
+		CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_enabled},
+	{CONFIG_AUDITFAILLOG_LOGGING_HIDE_UNHASHED_PW, config_set_auditfaillog_unhashed_pw,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.auditfaillog_logging_hide_unhashed_pw,
+		CONFIG_ON_OFF, NULL, &init_auditfaillog_logging_hide_unhashed_pw},
+	{CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE, NULL,
+		log_set_expirationtimeunit, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_exptimeunit,
+		CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITFAILLOG_EXPTIMEUNIT},
+	{CONFIG_AUDITFAILLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
+		log_set_mindiskspace, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_minfreespace,
+		CONFIG_INT, NULL, DEFAULT_LOG_MINFREESPACE},
+	{CONFIG_AUDITFAILLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE, NULL,
+		log_set_rotationtimeunit, SLAPD_AUDITFAIL_LOG,
+		(void**)&global_slapdFrontendConfig.auditfaillog_rotationunit,
+		CONFIG_STRING_OR_UNKNOWN, NULL, INIT_AUDITFAILLOG_ROTATIONUNIT},
+	{CONFIG_AUDITFAILFILE_ATTRIBUTE, config_set_auditfaillog,
+		NULL, 0,
+		(void**)&global_slapdFrontendConfig.auditfaillog,
+		CONFIG_STRING_OR_EMPTY, NULL, NULL/* deletion is not allowed */}
+    /* End audit fail log configuration */
 };
 
 /*
@@ -1513,6 +1584,23 @@ FrontendConfig_init () {
   init_auditlog_logging_hide_unhashed_pw = 
     cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
 
+  init_auditfaillog_logging_enabled = cfg->auditfaillog_logging_enabled = LDAP_OFF;
+  cfg->auditfaillog_mode = slapi_ch_strdup(INIT_AUDITFAILLOG_MODE);
+  cfg->auditfaillog_maxnumlogs = 1;
+  cfg->auditfaillog_maxlogsize = 100;
+  cfg->auditfaillog_rotationtime = 1;
+  cfg->auditfaillog_rotationunit = slapi_ch_strdup(INIT_AUDITFAILLOG_ROTATIONUNIT);
+  init_auditfaillog_rotationsync_enabled =
+    cfg->auditfaillog_rotationsync_enabled = LDAP_OFF;
+  cfg->auditfaillog_rotationsynchour = 0;
+  cfg->auditfaillog_rotationsyncmin = 0;
+  cfg->auditfaillog_maxdiskspace = 100;
+  cfg->auditfaillog_minfreespace = 5;
+  cfg->auditfaillog_exptime = 1;
+  cfg->auditfaillog_exptimeunit = slapi_ch_strdup(INIT_AUDITFAILLOG_EXPTIMEUNIT);
+  init_auditfaillog_logging_hide_unhashed_pw = 
+    cfg->auditfaillog_logging_hide_unhashed_pw = LDAP_ON;
+
   init_entryusn_global = cfg->entryusn_global = LDAP_OFF; 
   cfg->entryusn_import_init = slapi_ch_strdup(ENTRYUSN_IMPORT_INIT); 
   cfg->allowed_to_delete_attrs = slapi_ch_strdup("passwordadmindn nsslapd-listenhost nsslapd-securelistenhost nsslapd-defaultnamingcontext");
@@ -1630,17 +1718,33 @@ get_entry_point( int ep_name, caddr_t *ep_addr )
 int
 config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply)
 {
-	slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-	int retVal = LDAP_SUCCESS;
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    int retVal = LDAP_SUCCESS;
 
-	retVal = config_set_onoff ( attrname, value, &(slapdFrontendConfig->auditlog_logging_hide_unhashed_pw),
-								errorbuf, apply);
-	if(strcasecmp(value,"on") == 0){
-		auditlog_hide_unhashed_pw();
-	} else {
-		auditlog_expose_unhashed_pw();
-	}
-	return retVal;
+    retVal = config_set_onoff ( attrname, value, &(slapdFrontendConfig->auditlog_logging_hide_unhashed_pw),
+                                errorbuf, apply);
+    if(strcasecmp(value,"on") == 0){
+        auditlog_hide_unhashed_pw();
+    } else {
+        auditlog_expose_unhashed_pw();
+    }
+    return retVal;
+}
+
+int
+config_set_auditfaillog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply)
+{
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    int retVal = LDAP_SUCCESS;
+
+    retVal = config_set_onoff ( attrname, value, &(slapdFrontendConfig->auditfaillog_logging_hide_unhashed_pw),
+                                errorbuf, apply);
+    if(strcasecmp(value,"on") == 0){
+        auditfaillog_hide_unhashed_pw();
+    } else {
+        auditfaillog_expose_unhashed_pw();
+    }
+    return retVal;
 }
 
 /*
@@ -4157,6 +4261,31 @@ config_set_errorlog( const char *attrname, char *value, char *errorbuf, int appl
 
 int
 config_set_auditlog( const char *attrname, char *value, char *errorbuf, int apply ) {
+    int retVal = LDAP_SUCCESS;
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+    if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
+        return LDAP_OPERATIONS_ERROR;
+    }
+
+    retVal = log_update_auditlogdir ( value, apply );
+
+    if ( retVal != LDAP_SUCCESS ) {
+        PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, 
+                      "Cannot open auditlog directory \"%s\"", value );
+    }
+
+    if ( apply ) {
+        CFG_LOCK_WRITE(slapdFrontendConfig);
+        slapi_ch_free ( (void **) &(slapdFrontendConfig->auditlog) );
+        slapdFrontendConfig->auditlog = slapi_ch_strdup ( value );
+        CFG_UNLOCK_WRITE(slapdFrontendConfig);
+    }
+    return retVal;
+}
+
+int
+config_set_auditfaillog( const char *attrname, char *value, char *errorbuf, int apply ) {
   int retVal = LDAP_SUCCESS;
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 
@@ -4164,17 +4293,17 @@ config_set_auditlog( const char *attrname, char *value, char *errorbuf, int appl
 	return LDAP_OPERATIONS_ERROR;
   }
   
-  retVal = log_update_auditlogdir ( value, apply );
+  retVal = log_update_auditfaillogdir ( value, apply );
   
   if ( retVal != LDAP_SUCCESS ) {
 	PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, 
-			"Cannot open auditlog directory \"%s\"", value );
+			"Cannot open auditfaillog directory \"%s\"", value );
   }
   
   if ( apply ) {
 	CFG_LOCK_WRITE(slapdFrontendConfig);
-	slapi_ch_free ( (void **) &(slapdFrontendConfig->auditlog) );
-	slapdFrontendConfig->auditlog = slapi_ch_strdup ( value );
+	slapi_ch_free ( (void **) &(slapdFrontendConfig->auditfaillog) );
+	slapdFrontendConfig->auditfaillog = slapi_ch_strdup ( value );
 	CFG_UNLOCK_WRITE(slapdFrontendConfig);
   }
   return retVal;
@@ -5514,6 +5643,18 @@ config_get_auditlog(  ){
   return retVal; 
 }
 
+char *
+config_get_auditfaillog(  ){
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    char *retVal;
+
+    CFG_LOCK_READ(slapdFrontendConfig);
+    retVal = config_copy_strval(slapdFrontendConfig->auditfaillog);
+    CFG_UNLOCK_READ(slapdFrontendConfig);
+
+    return retVal;
+}
+
 long
 config_get_pw_maxage() {
   slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -5588,6 +5729,16 @@ config_get_auditlog_logging_enabled(){
   return retVal;
 }
 
+int
+config_get_auditfaillog_logging_enabled(){
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    int retVal;
+
+    retVal = (int)slapdFrontendConfig->auditfaillog_logging_enabled;
+
+    return retVal;
+}
+
 int
 config_get_accesslog_logging_enabled(){
     slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
@@ -6428,6 +6579,12 @@ config_get_auditlog_list()
 	return log_get_loglist(SLAPD_AUDIT_LOG);
 }
 
+char **
+config_get_auditfaillog_list()
+{
+    return log_get_loglist(SLAPD_AUDITFAIL_LOG);
+}
+
 int
 config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply)
 {
@@ -7771,6 +7928,21 @@ config_set_auditlog_enabled(int value){
     CFG_ONOFF_UNLOCK_WRITE(slapdFrontendConfig);
 }
 
+void
+config_set_auditfaillog_enabled(int value){
+    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+    char errorbuf[BUFSIZ];
+
+    CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
+    slapdFrontendConfig->auditfaillog_logging_enabled = (int)value;
+    if(value){
+        log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY);
+    } else {
+        log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "off", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY);
+    }
+    CFG_ONOFF_UNLOCK_WRITE(slapdFrontendConfig);
+}
+
 int
 config_set_maxsimplepaged_per_conn( const char *attrname, char *value, char *errorbuf, int apply )
 {
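Review bot: config_set_auditfaillog_unhashed_pw flips the global flag through `auditfaillog_hide_unhashed_pw()` / `auditfaillog_expose_unhashed_pw()` regardless of the `apply` argument and of whether config_set_onoff accepted the value, and it calls `strcasecmp(value, "on")` with no NULL check on `value`; this is copied verbatim from config_set_auditlog_unhashed_pw, so both functions share the problem. A validation-only pass (apply == 0) or a rejected value therefore still changes whether cleartext passwords are written to the auditfail log; guard the toggle with `if (apply && retVal == LDAP_SUCCESS) { ... }` in both functions, and if `value` can be NULL on this path return before the strcasecmp. Since the flag decides whether unhashed passwords reach disk, the safe failure mode is to leave it at hide. The whitespace-only reindentation of config_set_auditlog_unhashed_pw and config_set_auditlog in this section makes the diff much larger than the functional change; a separate reformat commit would keep the new code reviewable.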

+ 699 - 128
ldap/servers/slapd/log.c


+ 31 - 0
ldap/servers/slapd/log.h

@@ -176,6 +176,32 @@ struct logging_opts {
 	char		*log_auditinfo_file;	/* audit log rotation info file */
 	Slapi_RWLock		*log_audit_rwlock;	/* lock on audit*/
 
+    /* These are auditfail log specific */
+    int             log_auditfail_state;
+    int             log_auditfail_mode;         /* access mode */
+    int             log_auditfail_maxnumlogs;   /* Number of logs */
+    PRInt64         log_auditfail_maxlogsize;   /* max log size in bytes*/
+    int             log_auditfail_rotationtime; /* time in units. */
+    int             log_auditfail_rotationunit; /* time in units. */
+    int             log_auditfail_rotationtime_secs;    /* time in seconds */
+    int             log_auditfail_rotationsync_enabled;/* 0 or 1*/
+    int             log_auditfail_rotationsynchour; /* 0-23 */
+    int             log_auditfail_rotationsyncmin;  /* 0-59 */
+    time_t          log_auditfail_rotationsyncclock;    /* clock in seconds */
+    PRInt64         log_auditfail_maxdiskspace; /* space in bytes */
+    PRInt64         log_auditfail_minfreespace; /* free space in bytes */
+    int             log_auditfail_exptime;  /* time */
+    int             log_auditfail_exptimeunit;  /* unit time */
+    int             log_auditfail_exptime_secs; /* time in secs */
+
+    char            *log_auditfail_file;    /* auditfail log name */
+    LOGFD           log_auditfail_fdes;     /* auditfail log  fdes */
+    unsigned int    log_numof_auditfail_logs;   /* number of logs */
+    time_t          log_auditfail_ctime;    /* log creation time */
+    LogFileInfo     *log_auditfail_logchain;    /* all the logs info */
+    char            *log_auditfailinfo_file;    /* auditfail log rotation info file */
+    Slapi_RWLock    *log_auditfail_rwlock;  /* lock on auditfail */
+
 };
 
 /* For log_state */
@@ -197,3 +223,8 @@ struct logging_opts {
 #define LOG_AUDIT_LOCK_WRITE()   slapi_rwlock_wrlock(loginfo.log_audit_rwlock)
 #define LOG_AUDIT_UNLOCK_WRITE() slapi_rwlock_unlock(loginfo.log_audit_rwlock)
 
+#define LOG_AUDITFAIL_LOCK_READ()    slapi_rwlock_rdlock(loginfo.log_auditfail_rwlock)
+#define LOG_AUDITFAIL_UNLOCK_READ()  slapi_rwlock_unlock(loginfo.log_auditfail_rwlock)
+#define LOG_AUDITFAIL_LOCK_WRITE()   slapi_rwlock_wrlock(loginfo.log_auditfail_rwlock)
+#define LOG_AUDITFAIL_UNLOCK_WRITE() slapi_rwlock_unlock(loginfo.log_auditfail_rwlock)
+
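Review bot: `log_auditfail_rotationunit` carries the same `/* time in units. */` comment as `log_auditfail_rotationtime` on the line above it, and `log_auditfail_state` has no comment at all, so the new block does not tell a reader which field is the interval and which is its unit. Suggest `/* rotation interval, counted in log_auditfail_rotationunit */` on the first, `/* unit of the rotation interval */` on the second, and a short comment on the state field naming what states it takes. The new members are also indented with spaces while the existing audit members of the same struct use tabs; matching the file's tab indentation keeps the struct readable with either tab width.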

+ 5 - 0
ldap/servers/slapd/modify.c

@@ -1079,6 +1079,11 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 					operation_out_of_disk_space();
 					goto free_and_return;
 				}
+				/* If the disk is full we don't want to make it worse ... */
+				if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
+				{ 
+					write_auditfail_log_entry(pb); /* Record the operation in the audit log */
+				}
 			}
 		}
 		else
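Review bot: The trailing comment on the `write_auditfail_log_entry(pb)` call says `/* Record the operation in the audit log */`, but this call writes the new auditfail log, not the audit log; `/* Record the rejected operation in the auditfail log */` would stop a reader from assuming a second audit entry is written on this path. The call is gated only on `OP_FLAG_ACTION_LOG_AUDIT`; whether the auditfail log itself is enabled is presumably checked inside `write_auditfail_log_entry`, which this hunk does not show, so it is worth confirming that a server with audit logging off but auditfail logging on still gets the entry, and that the reverse does not write to a disabled log. The enclosing op_shared_modify begins and ends outside the hunk.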

+ 6 - 0
ldap/servers/slapd/modrdn.c

@@ -641,6 +641,12 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
 				slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &ecopy);
 				/* GGOODREPL persistent search system needs the changenumber, oops. */
 				do_ps_service(pse, ecopy, LDAP_CHANGETYPE_MODDN, 0);
+			} else {
+				/* Should we also be doing a disk space check here? */
+				if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_AUDIT))
+				{ 
+					write_auditfail_log_entry(pb); /* Record the operation in the audit log */
+				}
 			}
 		}
 		else
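Review bot: The new branch leaves `/* Should we also be doing a disk space check here? */` as an open question in committed code, while the modify.c counterpart in this commit writes the auditfail entry only after the out-of-disk-space case has already been handled. Either add the same check before `write_auditfail_log_entry(pb)` here, or replace the question with a statement of why this path does not need it, e.g. `/* TODO: decide whether the disk-space check used in op_shared_modify is needed here */`. The inline comment also says `audit log` where it means the auditfail log. op_shared_rename begins and ends outside the hunk.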

+ 14 - 0
ldap/servers/slapd/proto-slap.h

@@ -293,6 +293,7 @@ int config_set_timelimit(const char *attrname, char *value, char *errorbuf, int
 int config_set_errorlog_level(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_accesslog_level(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_auditlog(const char *attrname,  char *value, char *errorbuf, int apply );
+int config_set_auditfaillog(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_userat(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_accesslog(const char *attrname,  char *value, char *errorbuf, int apply );
 int config_set_errorlog(const char *attrname, char *value, char *errorbuf, int apply );
@@ -372,6 +373,7 @@ int config_set_disk_threshold( const char *attrname, char *value, char *errorbuf
 int config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_disk_logging_critical( const char *attrname, char *value, char *errorbuf, int apply );
 int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_auditfaillog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ndn_cache_enabled(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_unhashed_pw_switch(const char *attrname, char *value, char *errorbuf, int apply); 
@@ -476,12 +478,14 @@ char* config_get_useroc();
 char *config_get_accesslog();
 char *config_get_errorlog();
 char *config_get_auditlog();
+char *config_get_auditfaillog();
 long config_get_pw_maxage();
 long config_get_pw_minage();
 long config_get_pw_warning();
 int config_get_errorlog_level();
 int config_get_accesslog_level();
 int config_get_auditlog_logging_enabled();
+int config_get_auditfaillog_logging_enabled();
 char *config_get_referral_mode(void);
 int config_get_conntablesize(void);
 int config_check_referral_mode(void);
@@ -503,6 +507,7 @@ char *config_get_saslpath();
 char **config_get_errorlog_list();
 char **config_get_accesslog_list();
 char **config_get_auditlog_list();
+char **config_get_auditfaillog_list();
 int config_get_attrname_exceptions();
 int config_get_hash_filters();
 int config_get_rewrite_rfc1274();
@@ -529,6 +534,7 @@ char *config_get_default_naming_context(void);
 int config_allowed_to_delete_attrs(const char *attr_type);
 void config_set_accesslog_enabled(int value);
 void config_set_auditlog_enabled(int value);
+void config_set_auditfaillog_enabled(int value);
 int config_get_accesslog_logging_enabled();
 int config_get_disk_monitoring();
 PRInt64 config_get_disk_threshold();
@@ -743,18 +749,21 @@ int slapi_log_access( int level, char *fmt, ... )
         ;
 #endif
 int slapd_log_audit_proc(char *buffer, int buf_len);
+int slapd_log_auditfail_proc(char *buffer, int buf_len);
 void log_access_flush();
 
 
 int access_log_openf( char *pathname, int locked);
 int error_log_openf( char *pathname, int locked);
 int audit_log_openf( char *pathname, int locked);
+int auditfail_log_openf( char *pathname, int locked);
 
 void g_set_detached(int);
 void g_log_init(int log_enabled);
 char *g_get_access_log();
 char *g_get_error_log();
 char *g_get_audit_log();
+char *g_get_auditfail_log();
 void g_set_accesslog_level(int val);
 
 int log_set_mode(const char *attrname, char *mode_str, int logtype, char *errorbuf, int apply);
@@ -773,6 +782,7 @@ char **log_get_loglist(int logtype);
 int  log_update_accesslogdir(char *pathname, int apply);
 int  log_update_errorlogdir(char *pathname, int apply);
 int  log_update_auditlogdir(char *pathname, int apply);
+int  log_update_auditfaillogdir(char *pathname, int apply);
 int  log_set_logging (const char *attrname, char *value, int logtype, char *errorbuf, int apply);
 int check_log_max_size(
                     char *maxdiskspace_str,
@@ -1245,6 +1255,10 @@ void write_audit_log_entry( Slapi_PBlock *pb);
 void auditlog_hide_unhashed_pw();
 void auditlog_expose_unhashed_pw();
 
+void write_auditfail_log_entry( Slapi_PBlock *pb);
+void auditfaillog_hide_unhashed_pw();
+void auditfaillog_expose_unhashed_pw();
+
 /*
  * eventq.c
  */
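Review bot: The new getter prototypes `char *config_get_auditfaillog();`, `int config_get_auditfaillog_logging_enabled();` and `char **config_get_auditfaillog_list();` are declared with empty parentheses, which in C means an unspecified argument list rather than no arguments, whereas neighbours such as `config_get_conntablesize(void)` use `(void)`. They copy the style of the existing auditlog declarations, so this is consistency with older code, but new declarations could use `(void)` so the compiler checks their calls. The same applies to `void auditfaillog_hide_unhashed_pw();` and `void auditfaillog_expose_unhashed_pw();`.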

+ 35 - 0
ldap/servers/slapd/slap.h

@@ -1883,6 +1883,7 @@ typedef struct _slapdEntryPoints {
 #define SLAPD_ACCESS_LOG 0x1
 #define SLAPD_ERROR_LOG  0x2
 #define SLAPD_AUDIT_LOG  0x4
+#define SLAPD_AUDITFAIL_LOG  0x8
 
 #define CONFIG_DATABASE_ATTRIBUTE       "nsslapd-database"
 #define CONFIG_PLUGIN_ATTRIBUTE         "nsslapd-plugin"
@@ -1907,48 +1908,63 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_ACCESSLOG_MODE_ATTRIBUTE	"nsslapd-accesslog-mode"
 #define CONFIG_ERRORLOG_MODE_ATTRIBUTE	"nsslapd-errorlog-mode"
 #define CONFIG_AUDITLOG_MODE_ATTRIBUTE	"nsslapd-auditlog-mode"
+#define CONFIG_AUDITFAILLOG_MODE_ATTRIBUTE	"nsslapd-auditfaillog-mode"
 #define CONFIG_ACCESSLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE "nsslapd-accesslog-maxlogsperdir"
 #define CONFIG_ERRORLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-errorlog-maxlogsperdir"
 #define CONFIG_AUDITLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditlog-maxlogsperdir"
+#define CONFIG_AUDITFAILLOG_MAXNUMOFLOGSPERDIR_ATTRIBUTE  "nsslapd-auditfaillog-maxlogsperdir"
 #define CONFIG_ACCESSLOG_MAXLOGSIZE_ATTRIBUTE "nsslapd-accesslog-maxlogsize"
 #define CONFIG_ERRORLOG_MAXLOGSIZE_ATTRIBUTE "nsslapd-errorlog-maxlogsize"
 #define CONFIG_AUDITLOG_MAXLOGSIZE_ATTRIBUTE "nsslapd-auditlog-maxlogsize"
+#define CONFIG_AUDITFAILLOG_MAXLOGSIZE_ATTRIBUTE "nsslapd-auditfaillog-maxlogsize"
 #define CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE "nsslapd-accesslog-logrotationsync-enabled"
 #define CONFIG_ERRORLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE "nsslapd-errorlog-logrotationsync-enabled"
 #define CONFIG_AUDITLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE "nsslapd-auditlog-logrotationsync-enabled"
+#define CONFIG_AUDITFAILLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE "nsslapd-auditfaillog-logrotationsync-enabled"
 #define CONFIG_ACCESSLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE "nsslapd-accesslog-logrotationsynchour"
 #define CONFIG_ERRORLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE "nsslapd-errorlog-logrotationsynchour"
 #define CONFIG_AUDITLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE "nsslapd-auditlog-logrotationsynchour"
+#define CONFIG_AUDITFAILLOG_LOGROTATIONSYNCHOUR_ATTRIBUTE "nsslapd-auditfaillog-logrotationsynchour"
 #define CONFIG_ACCESSLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-accesslog-logrotationsyncmin"
 #define CONFIG_ERRORLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-errorlog-logrotationsyncmin"
 #define CONFIG_AUDITLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditlog-logrotationsyncmin"
+#define CONFIG_AUDITFAILLOG_LOGROTATIONSYNCMIN_ATTRIBUTE "nsslapd-auditfaillog-logrotationsyncmin"
 #define CONFIG_ACCESSLOG_LOGROTATIONTIME_ATTRIBUTE "nsslapd-accesslog-logrotationtime"
 #define CONFIG_ERRORLOG_LOGROTATIONTIME_ATTRIBUTE "nsslapd-errorlog-logrotationtime"
 #define CONFIG_AUDITLOG_LOGROTATIONTIME_ATTRIBUTE "nsslapd-auditlog-logrotationtime"
+#define CONFIG_AUDITFAILLOG_LOGROTATIONTIME_ATTRIBUTE "nsslapd-auditfaillog-logrotationtime"
 #define CONFIG_ACCESSLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE "nsslapd-accesslog-logrotationtimeunit"
 #define CONFIG_ERRORLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE "nsslapd-errorlog-logrotationtimeunit"
 #define CONFIG_AUDITLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE "nsslapd-auditlog-logrotationtimeunit"
+#define CONFIG_AUDITFAILLOG_LOGROTATIONTIMEUNIT_ATTRIBUTE "nsslapd-auditfaillog-logrotationtimeunit"
 #define CONFIG_ACCESSLOG_MAXLOGDISKSPACE_ATTRIBUTE "nsslapd-accesslog-logmaxdiskspace"
 #define CONFIG_ERRORLOG_MAXLOGDISKSPACE_ATTRIBUTE "nsslapd-errorlog-logmaxdiskspace"
 #define CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE "nsslapd-auditlog-logmaxdiskspace"
+#define CONFIG_AUDITFAILLOG_MAXLOGDISKSPACE_ATTRIBUTE "nsslapd-auditfaillog-logmaxdiskspace"
 #define CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE "nsslapd-accesslog-logminfreediskspace"
 #define CONFIG_ERRORLOG_MINFREEDISKSPACE_ATTRIBUTE "nsslapd-errorlog-logminfreediskspace"
 #define CONFIG_AUDITLOG_MINFREEDISKSPACE_ATTRIBUTE "nsslapd-auditlog-logminfreediskspace"
+#define CONFIG_AUDITFAILLOG_MINFREEDISKSPACE_ATTRIBUTE "nsslapd-auditfaillog-logminfreediskspace"
 #define CONFIG_ACCESSLOG_LOGEXPIRATIONTIME_ATTRIBUTE "nsslapd-accesslog-logexpirationtime"
 #define CONFIG_ERRORLOG_LOGEXPIRATIONTIME_ATTRIBUTE "nsslapd-errorlog-logexpirationtime"
 #define CONFIG_AUDITLOG_LOGEXPIRATIONTIME_ATTRIBUTE "nsslapd-auditlog-logexpirationtime"
+#define CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIME_ATTRIBUTE "nsslapd-auditfaillog-logexpirationtime"
 #define CONFIG_ACCESSLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE "nsslapd-accesslog-logexpirationtimeunit"
 #define CONFIG_ERRORLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE "nsslapd-errorlog-logexpirationtimeunit"
 #define CONFIG_AUDITLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE "nsslapd-auditlog-logexpirationtimeunit"
+#define CONFIG_AUDITFAILLOG_LOGEXPIRATIONTIMEUNIT_ATTRIBUTE "nsslapd-auditfaillog-logexpirationtimeunit"
 #define CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-accesslog-logging-enabled"
 #define CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-errorlog-logging-enabled"
 #define CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-auditlog-logging-enabled"
+#define CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE "nsslapd-auditfaillog-logging-enabled"
 #define CONFIG_AUDITLOG_LOGGING_HIDE_UNHASHED_PW "nsslapd-auditlog-logging-hide-unhashed-pw"
+#define CONFIG_AUDITFAILLOG_LOGGING_HIDE_UNHASHED_PW "nsslapd-auditfaillog-logging-hide-unhashed-pw"
 #define CONFIG_UNHASHED_PW_SWITCH_ATTRIBUTE "nsslapd-unhashed-pw-switch"
 #define CONFIG_ROOTDN_ATTRIBUTE "nsslapd-rootdn"
 #define CONFIG_ROOTPW_ATTRIBUTE "nsslapd-rootpw"
 #define CONFIG_ROOTPWSTORAGESCHEME_ATTRIBUTE "nsslapd-rootpwstoragescheme"
 #define CONFIG_AUDITFILE_ATTRIBUTE "nsslapd-auditlog"
+#define CONFIG_AUDITFAILFILE_ATTRIBUTE "nsslapd-auditfaillog"
 #define CONFIG_LASTMOD_ATTRIBUTE   "nsslapd-lastmod"
 #define CONFIG_INCLUDE_ATTRIBUTE   "nsslapd-include"
 #define CONFIG_DYNAMICCONF_ATTRIBUTE "nsslapd-dynamicconf"
@@ -2042,6 +2058,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_ACCESSLOG_LIST_ATTRIBUTE "nsslapd-accesslog-list"
 #define CONFIG_ERRORLOG_LIST_ATTRIBUTE "nsslapd-errorlog-list"
 #define CONFIG_AUDITLOG_LIST_ATTRIBUTE "nsslapd-auditlog-list"
+#define CONFIG_AUDITFAILLOG_LIST_ATTRIBUTE "nsslapd-auditfaillog-list"
 #define CONFIG_REWRITE_RFC1274_ATTRIBUTE "nsslapd-rewrite-rfc1274"
 #define CONFIG_PLUGIN_BINDDN_TRACKING_ATTRIBUTE "nsslapd-plugin-binddn-tracking"
 #define CONFIG_MODDN_ACI_ATTRIBUTE "nsslapd-moddn-aci"
@@ -2265,6 +2282,24 @@ typedef struct _slapdFrontendConfig {
   char *auditlog_exptimeunit;
   slapi_onoff_t auditlog_logging_hide_unhashed_pw;
 
+  /* AUDIT FAIL LOG */
+  char *auditfaillog;
+  int  auditfailloglevel;
+  slapi_onoff_t auditfaillog_logging_enabled;
+  char *auditfaillog_mode;
+  int  auditfaillog_maxnumlogs;
+  int  auditfaillog_maxlogsize;
+  slapi_onoff_t auditfaillog_rotationsync_enabled;
+  int  auditfaillog_rotationsynchour;
+  int  auditfaillog_rotationsyncmin;
+  int  auditfaillog_rotationtime;
+  char *auditfaillog_rotationunit;
+  int  auditfaillog_maxdiskspace;
+  int  auditfaillog_minfreespace;
+  int  auditfaillog_exptime;
+  char *auditfaillog_exptimeunit;
+  slapi_onoff_t auditfaillog_logging_hide_unhashed_pw;
+
   slapi_onoff_t return_exact_case;	/* Return attribute names with the same case
                                        as they appear in at.conf */
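Review bot: `int auditfailloglevel;` is added to slapdFrontendConfig, but nothing else in this section defines a matching `CONFIG_AUDITFAILLOG_*` attribute for it and no visible hunk reads it; if it only mirrors an existing auditloglevel field, a comment such as `/* unused: kept parallel to the audit log fields */` or dropping it would avoid suggesting a level setting exists. The size fields `auditfaillog_maxlogsize`, `auditfaillog_maxdiskspace` and `auditfaillog_minfreespace` are `int` here while their logging_opts counterparts in log.h are PRInt64; presumably the config values are in larger units and converted to bytes as for the audit log, but a comment naming the unit on these fields would make that explicit. Since rejected modifies are a likely place for cleartext password values to appear, the default for `nsslapd-auditfaillog-logging-hide-unhashed-pw` should match the audit log's default; that default is set outside this diff, so it is worth confirming.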
 
