[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Representing LDAP protocol in LDAP

To: Steve Trottier <strottier@novell.com>
Subject: Re: [ldapext] Representing LDAP protocol in LDAP
From: Howard Chu <hyc@highlandsun.com>
Date: Tue, 18 Oct 2005 09:30:15 -0700
Cc: ldapext@ietf.org
In-reply-to: <4354C6E9.0703.006F.0@novell.com>
References: <s25e0ace.035@lucius.provo.novell.com> <425E68F6.4020702@highlandsun.com> <4352C613.3070908@highlandsun.com> <4354C6E9.0703.006F.0@novell.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050925 SeaMonkey/1.1a

Steve Trottier wrote:

Howard,


Hi Steve,

This seem well thought out and obviously an improvement (at least for
auditing purposes) to the older changelog mechanism in use by several
other directories.

Is there a standard way to discover if this LDAP Logging mechanism is
in use in a particular directory? I.e, will there be an entry in the
rootDSE indicating the DN of the auditContainer in use? Or would a
potential consumer of this information search the directory looking for
entries that have the objectclass of interest?

Good questions. There is currently no formal mechanism to advertise the availability of this feature. I realize that's a hole here.

My preference would be to provide an operational attribute for the root entry of a naming context that gives the DN of the container. Alternatively it could be a collective attribute returned for all entries under the naming context. Since we can configure multiple databases in the server, and each database could be logging to different destinations, just listing the DN of a container in the rootDSE doesn't provide enough information. (I.e., you need to know which log goes with which subtree / naming context.)


Also, is this feature on by default in OpenLDAP 2.3? Is its use
configurable?

The feature is not on by default, it's implemented in a separate overlay module. There are a few simple options to configure it, e.g. you can configure it to log only a subset of operation types. You can view the current manpage for the overlay here http://24.126.120.178/~hyc/man/man5/slapo-accesslog.5

By the way, the XORDERED draft that this document references is now also available. http://24.126.120.178/~hyc/draft-chu-ldap-xordered-xx.txt

Thanks,
Steve Trottier
Sr. Software Engineer
Novell, Inc.   http://www.novell.com/
Howard Chu <hyc@highlandsun.com> 10/16/2005 3:28:51 pm >>>
I've attached an initial draft of the LDAP Logging schema we're using in OpenLDAP 2.3. This is my first try writing with the XML tools, so I'd

like to get comments early before submitting to the RFC Editor. The intended category is Informational; I'm not seeing that in the output even though I've specified it in the XML source. (Any tips on making it
behave? Using xml2rfc from xml.resource.org...)

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Representing LDAP protocol in LDAP
  - From: "Steve Trottier" <strottier@novell.com>

References:
- [ldapext] Representing LDAP protocol in LDAP
  - From: Howard Chu <hyc@highlandsun.com>
- Re: [ldapext] Representing LDAP protocol in LDAP
  - From: "Steve Trottier" <strottier@novell.com>

Prev by Date: Re: [ldapext] Representing LDAP protocol in LDAP
Next by Date: Re: [ldapext] Representing LDAP protocol in LDAP
Index(es):
- Chronological
- Thread