I am encrypting attributes so sensitive data is encyrpted at rest. Found out that the audit log doesn't encrypt these attributes. It encrypts userpassword, but not these. Is there a setting or configuration I can extend that will encrypt these attributes in the audit file?
And if there is, what happens if I need to expand the list of encrypted attributes.
I am currently running v 6.3.x, and in process of upgrading to ODSEE 11g.x
as far as I can understand, I'm afraid that what you're trying to accomplish is not possible, since attribute encryption is something that happens 'within the Directory Server instance, between the protocol and the DB'... so the informations are sent in clear over the protocol, and this is what the audit log captures. According to the official product documentation:
"Attribute encryption protects sensitive data while it is stored in the directory. Attribute encryption allows you to specify that certain attributes of an entry are stored in an encrypted format. This prevents data from being readable while stored in database files, backup files, and exported LDIF files.
With this feature, attribute values are encrypted before they are stored in the Directory Server database, and decrypted back to their original value before being returned to the client. You must use access controls to prevent clients from accessing such attributes without permission, and SSL to encrypt the attribute values when in transit between the client and Directory Server."