
Re: Logging to syslog



On Wednesday, 2 February 2011 21:48:00 John Espiro wrote:
> On 2/2/2011 8:13 PM, Dieter Kluenter wrote:
> > On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro <john_espiro@yahoo.com> wrote:
> >> I have tied in a few things such as openid-ldap and openfire to use my
> >> ldap backend for authentication.  I am wondering if it is possible to
> >> collect error logs for any invalid attempt that a user tries with
> >> these various applications.  Rather than handling it at the
> >> application level, can I get openldap to log these events?  If so,
> >> can someone point me to a link that explains it?
> > 
> > OpenLDAP logs to local4, thus you may configure syslog to print slapd
> > logs to a particular logfile. Next set a decent loglevel, stats or acl,
> > grep slapd.log for err=49
> > 
> > -Dieter
> 
> Thanks for this, it makes sense.  Where do I put the loglevel parameter?
> I don't have a slapd.conf, but I do have /etc/ldap.conf -- but putting
> it in there doesn't seem to have any effect.

1) Please see your distribution's documentation for how they configure OpenLDAP 
by default.

2) If I were to guess (since you didn't supply much useful information, such as 
whether this is Ubuntu, Fedora, or RHEL6), it would be that you should read 
'man slapd-config' and search for olcLoglevel, and that you may have an 
/etc/ldap/slapd.d or /etc/openldap/slapd.d directory (which you shouldn't 
modify; slapd is supposed to do that). You *may* be able to modify this by 
default over the "wire" with a SASL EXTERNAL bind to the URI ldapi:/// as 
the root user.

So, this may work:

# echo -e 'URI ldapi:///\nSASL_MECH EXTERNAL' > ~/.ldaprc
# echo -e 'dn: cn=config\nreplace: olcLogLevel\nolcLogLevel: stats'|ldapmodify

Or not.

But, they should have made this abundantly clear to you.

(I personally feel that distributions defaulting to back-config at present is 
premature, or under-documented in the distribution.)

Regards,
Buchan
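
Added example (not part of the original messages, and not OpenLDAP code): with loglevel stats, the err=49 line that grep finds carries only the conn/op numbers, so this sketch joins it back to the matching BIND and ACCEPT lines to report which DN failed and from where. The log lines, host name, DNs and addresses are constructed samples; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of slapd "stats"-level syslog lines (host, DNs, IPs are made up).
SAMPLE_LOG = """\
Feb  2 21:50:01 ldap1 slapd[1234]: conn=1005 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Feb  2 21:50:01 ldap1 slapd[1234]: conn=1005 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Feb  2 21:50:01 ldap1 slapd[1234]: conn=1005 op=0 RESULT tag=97 err=49 text=
Feb  2 21:50:01 ldap1 slapd[1234]: conn=1005 fd=14 closed
Feb  2 21:50:09 ldap1 slapd[1234]: conn=1006 fd=14 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Feb  2 21:50:09 ldap1 slapd[1234]: conn=1006 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Feb  2 21:50:09 ldap1 slapd[1234]: conn=1006 op=0 RESULT tag=97 err=49 text=
Feb  2 21:51:30 ldap1 slapd[1234]: conn=1007 fd=15 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)
Feb  2 21:51:30 ldap1 slapd[1234]: conn=1007 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128
Feb  2 21:51:30 ldap1 slapd[1234]: conn=1007 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Feb  2 21:51:30 ldap1 slapd[1234]: conn=1007 op=0 RESULT tag=97 err=0 text=
Feb  2 21:51:31 ldap1 slapd[1234]: conn=1007 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from (\S+)')
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=\d+')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag=97: bind response

def failed_binds(lines):
    """Return a (dn, client) pair for every bind answered with err=49."""
    peers = {}    # conn id -> client address taken from ACCEPT
    pending = {}  # (conn id, op id) -> DN taken from the BIND request
    failures = []
    for line in lines:
        if (m := ACCEPT.search(line)):
            # Drop the source port so repeated attempts from one host group together.
            peers[m.group(1)] = m.group(2).rsplit(":", 1)[0]
        elif (m := BIND.search(line)):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif (m := RESULT.search(line)):
            dn = pending.pop((m.group(1), m.group(2)), None)
            if m.group(3) == "49":
                # The BIND/ACCEPT lines may be missing (e.g. after log rotation).
                failures.append(("<unknown>" if dn is None else dn,
                                 peers.get(m.group(1), "<unknown>")))
    return failures

def count_failures(lines):
    """Number of err=49 results per (dn, client) pair."""
    return Counter(failed_binds(lines))

if __name__ == "__main__":
    for (dn, client), n in count_failures(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {client}  {dn}")
```

Point it at whatever file syslog writes the local4 facility to by replacing SAMPLE_LOG.splitlines() with an open file object.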