[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind DN not logged with GSSAPI binds (ITS#2283)

To: openldap-its@OpenLDAP.org
Subject: Re: Bind DN not logged with GSSAPI binds (ITS#2283)
From: Kurt@OpenLDAP.org
Date: Wed, 22 Jan 2003 20:41:50 GMT

At 06:07 PM 1/21/2003, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.10
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.66.182.82)
>
>
>Hello,
>
>In the past (due to a previous request, as I recall), openldap would log the
>BIND dn of a person making a GSSAPI connection at loglevel 256.

The authorization DN (which is not necessarily the bind DN) is
logged both at 256 (STATS) and at 1 (TRACE).  The message is
labeled "AUTHZ" in 2.1.12 but will labeled "BIND" in the next
release (for consistency with other messages).

>It correctly
>logs the authcid and the authzid now, but the resulting BIND dn (in the case of
>group memberships) is not being logged.

authzid is the authorization DN used for ACLs, etc..

>It is important to know to what BIND DN
>these two bits of information were eventually resolved to.

A recent software message shows logging is working.
http://www.openldap.org/lists/openldap-software/200301/msg00546.html

Prev by Date: Enhancment: string-expand for acl set (ITS#2285)
Next by Date: Re: Bind DN not logged with GSSAPI binds (ITS#2283)
Index(es):
- Chronological
- Thread