
Re: [ldapext] Representing LDAP protocol in LDAP



Thank you for those answers. Regarding where to put the operational
attribute with the DN of the audit container, I think either (or both)
would work. The preferred method would depend on what a client's purpose
would be in reading the audit information. If you wanted to see all
accesses or writes to a particular entry in the directory, then your
second suggestion of the attribute being available on all entries under
a naming context would be helpful because you could read the value of
the container directly from the entry of interest. If, however, your
purpose in reading the audit information was to replicate or synchronize
directory data, then you would probably just want a quick way to find
which container or containers you should poll for updates. Searching the
rootDSE for naming contexts and then the naming contexts for their audit
containers would work well in that case. Interestingly, these two
methods are very similar to the current methods of finding a
subschemasubentry, which makes sense.

>>> Howard Chu <hyc@highlandsun.com> 10/18/2005 10:30:15 am >>>
... There is currently no formal mechanism to advertise the
availability of this feature. I realize that's a hole here.

My preference would be to provide an operational attribute for the root
entry of a naming context that gives the DN of the container.
Alternatively it could be a collective attribute returned for all
entries under the naming context. Since we can configure multiple
databases in the server, and each database could be logging to different
destinations, just listing the DN of a container in the rootDSE doesn't
provide enough information. (I.e., you need to know which log goes with
which subtree / naming context.)
> 
> Also, is this feature on by default in OpenLDAP 2.3? Is its use
> configurable?

The feature is not on by default, it's implemented in a separate overlay
module. There are a few simple options to configure it, e.g. you can
configure it to log only a subset of operation types. You can view the
current manpage for the overlay here
http://24.126.120.178/~hyc/man/man5/slapo-accesslog.5

By the way, the XORDERED draft that this document references is now also
available. http://24.126.120.178/~hyc/draft-chu-ldap-xordered-xx.txt


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext