Re: Bind DN not logged with GSSAPI binds (ITS#2283)

At 02:27 PM 1/22/2003, quanah@stanford.edu wrote:

>--On Wednesday, January 22, 2003 1:35 PM -0800 "Kurt D. Zeilenga" 
><Kurt@OpenLDAP.org> wrote:
>> At 12:56 PM 1/22/2003, quanah@stanford.edu wrote:
>>> Okay, I understand your point.  I guess what I'm looking at, is the logs
>>> don't reflect back to me, where I'm getting my permissions at.
>> For this, I think, you need to enable ACL logging.
>I'll note that this bumps up our log size from 9 lines per connection to 102 
>lines for the same simple search (loglevel 384).

Yes, ACL logging is expensive.  It's not intended to be enabled full time.
But it's the only way to tell which access clause(s) are applicable.

>This is really not 
>sustainable for us.  From an operating perspective on the openldap side, I 
>can see where the ACL difference is compared to the information that we are 
>looking for, especially given that it checks what ACL to use for each 
>attribute.  We currently log 9 connections per query on our netscape 
>systems, and still log approximately 300MB of information per machine (with 
>9 machines) a day.  I think we will simply have to only use this for 

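As an added illustration of the two points above (not code from the thread or from the OpenLDAP project): loglevel 384 is the sum of the slapd debug bits stats (256) and acl (128), so the cheap full-time setting is 256, and the extra lines ACL logging emits are the only place that names the access clause index that was applied to each attribute. The script below decodes a numeric loglevel into its named bits and walks a small constructed log sample (modelled on the shape of slapd's "access_allowed" / "acl_mask" lines; the exact wording is an assumption, as are the DN and attribute names) to report, per requested attribute, which clause matched and whether access was granted. The idea is to turn ACL logging on briefly, run the one query you care about, and reduce the hundred-odd lines to one row per attribute.

```python
"""Decode an slapd loglevel and summarize which ACL clause applied per attribute.

Added example for this thread; not slapd code. Log lines below are constructed
to resemble slapd's loglevel-acl output, and the DN/attribute names are made up.
"""
import re
from typing import Dict, List, Optional

# slapd debug/loglevel bits (OpenLDAP 2.x). 384 == stats (256) + acl (128).
LOGLEVEL_BITS = {
    1: "trace", 2: "packets", 4: "args", 8: "conns", 16: "BER",
    32: "filter", 64: "config", 128: "acl", 256: "stats", 512: "stats2",
    1024: "shell", 2048: "parse",
}
ACL_BIT = 128


def decode_loglevel(level: int) -> List[str]:
    """Return the names of the bits set in a numeric loglevel, lowest bit first."""
    return [name for bit, name in sorted(LOGLEVEL_BITS.items()) if level & bit]


def without_acl(level: int) -> int:
    """The same loglevel with ACL logging turned off (384 -> 256)."""
    return level & ~ACL_BIT


# Constructed sample: one search on "uid" (allowed by clause 1) and one read of
# "userPassword" (clause 2 grants only auth, so the read is denied).
SAMPLE_LOG = """\
=> access_allowed: search access to "uid=jdoe,ou=People,dc=example,dc=edu" "uid" requested
=> acl_get: [1] check attr uid
<= acl_get: [1] acl uid=jdoe,ou=People,dc=example,dc=edu attr: uid
=> acl_mask: access to entry "uid=jdoe,ou=People,dc=example,dc=edu", attr "uid" requested
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
=> access_allowed: read access to "uid=jdoe,ou=People,dc=example,dc=edu" "userPassword" requested
=> acl_get: [2] check attr userPassword
<= acl_get: [2] acl uid=jdoe,ou=People,dc=example,dc=edu attr: userPassword
<= acl_mask: [2] applying auth(=x) (stop)
<= acl_mask: [2] mask: auth(=x)
=> access_allowed: read access denied by auth(=x)
"""

# One regex per line kind we care about; everything else is noise for this purpose.
REQ_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(')
RESULT_RE = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by')


def summarize_acl_log(text: str) -> List[Dict[str, Optional[object]]]:
    """Collapse ACL-log output to one record per (dn, attr) access decision.

    Each record carries the access type requested, the clause index slapd
    applied (the [N] in acl_mask lines), the privilege that clause granted,
    and the final granted/denied result.
    """
    decisions: List[Dict[str, Optional[object]]] = []
    current: Optional[Dict[str, Optional[object]]] = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                       "clause": None, "privilege": None, "result": None}
            continue
        if current is None:
            continue
        m = APPLY_RE.match(line)
        if m:
            current["clause"] = int(m.group(1))
            current["privilege"] = m.group(2)
            continue
        m = RESULT_RE.match(line)
        if m:
            current["result"] = m.group(1)
            decisions.append(current)
            current = None
    return decisions


def log_line_count(text: str) -> int:
    """Number of log lines consumed to produce the summary (the cost being discussed)."""
    return len(text.splitlines())


if __name__ == "__main__":
    print("loglevel 384 =", decode_loglevel(384), "-> without acl:", without_acl(384))
    print(log_line_count(SAMPLE_LOG), "log lines collapse to:")
    for d in summarize_acl_log(SAMPLE_LOG):
        print(f'  {d["access"]:6} {d["attr"]:14} clause [{d["clause"]}] '
              f'{d["privilege"]:5} -> {d["result"]}')
```

Run it against a real capture by reading the slapd log into `SAMPLE_LOG`'s place; if the wording of your slapd version's acl lines differs, adjust the three regexes rather than the parsing logic.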