12.2 Auditing a System

Auditing a system with the License Auditing Tool involves the following steps, each of which is described in its own section. After the tool is loaded, the process is identical across all the License Auditing Tool supported platforms.

12.2.1 Setting the Parameters of an Audit

  1. Open the License Auditing Tool by launching idmlat, which is a .bat file for Windows and a script file for Linux/UNIX. The following figure shows the License Auditing Tool user interface.

    License Auditing Tool interface
  2. Click Add to select a server to audit.

    Adding LDAP server parameters to the License Auditing Tool
  3. Provide the required information about the target LDAP server, then click OK.

    LDAP Server Name or IP Address: Specify the LDAP server to which the License Auditing Tool connects in order to audit a directory tree.

    LDAP Search Base: Specify the directory container in which the License Auditing Tool performs the audit.

    Use a valid LDAP DN (for example ou=dirxml,o=provo). Specify <none>, or leave this field blank, to start the audit from the root of the tree.

    LDAP Port: Specify the port that the License Auditing Tool uses to locate LDAP services on the specified server.

    Port 389 is the default LDAP port, and port 636 is the default port for secure LDAP access (via SSL). However, because the Identity Vault’s LDAP ports are configurable, make sure you use valid ports for the specified server.

    LDAP User ID: Specify the user ID that the License Auditing Tool uses to connect to the LDAP server.

    If you are connecting via SSL, you must specify this parameter.

    Make sure that the User ID you specify has access to all objects in the tree. You can specify anonymous for this value, but it might not have enough rights to see all the objects for the audit.

    User Password: Specify the user password that the License Auditing Tool uses to connect to the LDAP server.

    This is the password for the user specified in the LDAP User ID field. If you specified anonymous for the LDAP User ID, don’t enter a value here.

    Use SSL: Select this option to specify that the License Auditing Tool should use SSL when connecting to the LDAP server. This causes the License Auditing Tool to attempt an SSL bind over the port specified in the LDAP Port field.

    Trust eDir Server: Select this option to specify that the License Auditing Tool can trust the specified eDirectory server.

    The License Auditing Tool uses a special feature of the Novell LDAP SDK that informs the LDAP SSL client that the License Auditing Tool already trusts the LDAP server. This means that, when using SSL, the License Auditing Tool doesn’t need a copy of the server’s certificate.

    Because of the context in which the License Auditing Tool is used, this is a valid approach: it allows the License Auditing Tool to use SSL without requiring the user to obtain a copy of the server’s certificate, and it configures the License Auditing Tool to trust the server’s certificate.

  4. (Optional) Repeat Step 2 and Step 3 as needed to add other LDAP servers on which you want to perform an audit.
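The parameters above interact (anonymous binds take no password, an SSL bind needs a named user, "Trust eDir Server" skips certificate checking). As an added example that is not part of the License Auditing Tool, here is a pre-flight check that applies those rules to a server entry before it is audited; the field names and the `AuditServer` class are assumptions made for this illustration.

```python
# Added example (not part of the License Auditing Tool): a pre-flight check
# of the LDAP parameters described above. Field names are assumptions.
import re
from dataclasses import dataclass

# One RDN such as "ou=dirxml" or "o=provo"; the value may not be empty.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

def is_valid_search_base(base: str) -> bool:
    """'<none>' or blank means 'start at the tree root'; otherwise every
    comma-separated component must be an attr=value RDN."""
    base = base.strip()
    if base == "" or base.lower() == "<none>":
        return True
    return all(_RDN.match(part.strip()) for part in base.split(","))

@dataclass
class AuditServer:
    host: str
    search_base: str = "<none>"
    port: int = 389
    user_id: str = "anonymous"
    password: str = ""
    use_ssl: bool = False
    trust_server: bool = False

def check_audit_server(s: AuditServer) -> list:
    """Return findings; an empty list means the parameters are consistent
    with the rules on this page. Errors block the audit, warnings do not."""
    findings = []
    if not s.host.strip():
        findings.append("error: LDAP server name or IP address is required")
    if not is_valid_search_base(s.search_base):
        findings.append(f"error: search base {s.search_base!r} is not a valid LDAP DN")
    anon = s.user_id.strip().lower() in ("", "anonymous")
    if anon and s.password:
        findings.append("error: no password should be set for an anonymous bind")
    if s.use_ssl and anon:
        findings.append("error: an SSL connection requires a named LDAP User ID")
    if anon:
        findings.append("warning: anonymous may lack rights to see every object")
    if s.use_ssl and s.port == 389:
        findings.append("warning: SSL bind requested on 389, the default clear-text port")
    if not s.use_ssl and s.password:
        findings.append("warning: password will be sent without SSL")
    if s.use_ssl and s.trust_server:
        findings.append("warning: server certificate will not be verified")
    return findings
```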

12.2.2 Scheduling an Audit

After you provide the required LDAP parameters, you can run the audit immediately by clicking the Audit button. Alternatively, click Schedule to configure the audit to run on a specific date and time. Because a tree audit can take quite a while, depending on the size of the tree, you should schedule the audit to run during off hours if possible.

To schedule an audit, complete the following steps. When you schedule an audit, the License Auditing Tool’s interface is locked.

  1. In the License Auditing Tool, click Schedule.

    You must have at least one LDAP server configured in order to schedule an audit.

    Scheduling an audit
  2. Specify the required scheduling information and click OK.

    Start on: Specify the date and time to start the audit.

    Specify the date and time in the format shown. Alternatively, select one of the numbers in the field and use the arrows on the right side of the field to increase or decrease that value.

    Password: Specify a password for this audit.

    The password you enter here becomes the key to unlock the Auditing Tool.

When you schedule an audit, the License Auditing Tool’s interface locks to prevent anyone from tampering with the audit parameters or results. If you need to unlock the interface to modify the audit schedule or parameters, see Unlocking the License Auditing Tool.

12.2.3 Unlocking the License Auditing Tool

When you schedule an audit, the License Auditing Tool’s interface locks to prevent anyone from tampering with the audit parameters or results. To unlock the License Auditing Tool interface to modify the audit schedule or parameters, you must use the password you specified when you scheduled the audit.

Unlocking the License Auditing Tool interface prior to a scheduled audit terminates the currently scheduled audit.

  1. In the License Auditing Tool, click Unlock.

    Unlocking a previously scheduled audit
  2. Enter the audit password and click OK.

12.2.4 Saving Audit Results

As the License Auditing Tool performs an audit, it displays results in the Audit Status window. Additionally, a complete audit report displays in the text window at the bottom of the License Auditing Tool interface. You can review the audit results using these two windows. Because of the potential length of the report, the License Auditing Tool also saves the audit data to a series of text files.

treename-summary.log: Contains the complete audit report.

treename-logindisabled.log: (Optional) Contains a list of the DNs of objects that are login disabled.

treename-inactiveusers.log: (Optional) Contains a list of the DNs of objects that haven’t authenticated in over a year.
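The two optional lists are most useful read together: an object that appears in the inactive-users list but not in the login-disabled list is a dormant account that can still authenticate. The following script is an added example, not part of the License Auditing Tool; it assumes each log holds one object DN per line (the page does not document the exact file format) and uses constructed sample contents in that shape.

```python
# Added example, not part of the License Auditing Tool: cross-check the two
# optional per-tree lists the tool writes. ASSUMPTION: each file holds one
# object DN per line (the page does not document the format), so the
# sample contents below are constructed to match that assumption.

# Constructed sample of treename-logindisabled.log
LOGIN_DISABLED = """\
cn=jsmith,ou=users,ou=dirxml,o=provo
cn=contractor1,ou=external,o=provo
"""

# Constructed sample of treename-inactiveusers.log
INACTIVE_USERS = """\
cn=jsmith,ou=users,ou=dirxml,o=provo
cn=svc-backup,ou=services,o=provo
cn=contractor2,ou=external,o=provo
"""

def read_dn_list(text: str) -> set:
    """Parse one-DN-per-line content; DN comparison is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def stale_enabled_accounts(inactive: str, disabled: str) -> list:
    """DNs that have not authenticated in over a year but are not login
    disabled: dormant accounts that are still usable and therefore the
    first candidates for review or disabling."""
    return sorted(read_dn_list(inactive) - read_dn_list(disabled))

def counts_by_container(dns) -> dict:
    """Group DNs by parent container so that clusters of stale accounts
    (for example an ou of former contractors) stand out."""
    counts = {}
    for dn in dns:
        parent = dn.split(",", 1)[1] if "," in dn else ""
        counts[parent] = counts.get(parent, 0) + 1
    return counts

if __name__ == "__main__":
    # Real use: pass open("treename-inactiveusers.log").read() etc. instead.
    stale = stale_enabled_accounts(INACTIVE_USERS, LOGIN_DISABLED)
    for dn in stale:
        print("inactive > 1 year but still enabled:", dn)
    print(counts_by_container(stale))
```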