Ski Kacoroski wrote:I am using 2.3.20. I have it working now. I think it may have been because my rootdn was not set correctly.Howard Chu wrote:Ski Kacoroski wrote:Howard Chu wrote:matthew sporleder wrote:On 6/13/06, Ski Kacoroski <ckacoroski@nsd.org> wrote: Or you could look into the access log overlay. :)
That may be a good solution. Define two separate log databases, and separate the machine and user data into two databases, using subordinates to glue them together. Use an accesslog overlay on each main database, logging to separate log databases.
Ok, I have this working nicely with the following:
# Main logging database database hdb suffix "cn=nsdlog" ...
# Hosts logging database database hdb suffix "cn=nsdhostslog" ...
# Hosts database database hdb suffix "ou=Hosts,dc=nsd,dc=org" ... overlay accesslog logdb "cn=nsdhostslog" logops all
# Main database database hdb suffix "dc=nsd,dc=org" ... overlay accesslog logdb "cn=nsdlog" logops all
Tricks to getting it working were:
1. Comment out the accesslog overlay configuration until you create the base object in the log databases or else slapd crashes
Which version of OpenLDAP did that? The accesslog overlay will create the log's base object automatically on startup.
2. Be sure you have a rootdn and password set up on the log databases so you can create the base object
You just need the rootdn so that the accesslog overlay will have write privs on the log database.
Ok, I will try it that way. Works fine.
Hmmm, I am still missing something here. I changed the ordering with the overlay glue option and I still get almost duplicate (only the reqEnd time is slightly different) entries in both log databases when I search create or search for entries in ou=hosts,dc=nsd,dc=org. It does work the other way (e.g. if I search ou=people,dc=nsd,dc=org, I do not get an entry in the ou=hosts,dc=nsd,dc=org log database).
3. Do not use the subordinate option on the main dc=nsd,dc=org database. When I did this, the main database log picked up all the activity on the hosts database. The downside to not using the subordinate option is that I cannot do a recursive search from dc=nsd,dc=org into the ou=hosts branch (this is fine with me). It is interesting though that if do:
See the note in slapd.conf(5) about ordering of the overlays (at the subordinate keyword). If you exchange the order then the accesslog will only affect a single database, and not the entire glued tree.
slapd.conf is:
database hdb suffix "ou=Hosts,dc=nsd,dc=org" subordinate ... overlay accesslog logdb "cn=nsdhostslog" logops all
database hdb suffix "dc=nsd,dc=org" ... overlay glue overlay dynlist dynlist-attrset groupOfURLs memberURL member overlay accesslog logdb "cn=nsdlog" logops all
Thanks for your help and time.
cheers,
ski