(ITS#4615) Possible bug in access log overlay with distributed databases
Full_Name: Ski Kacoroski
Version: 2.3.24
OS: Debian Linux Sarge 3.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (152.157.64.243)
I have the following setup:
dc=nsd, dc=org # superior database with accesslog nsdlog
|
-- ou=people # ou in superior database
|
-- ou=hosts # subordinate database with accesslog hostslog
When I make a change, search, add, delete to an object in
"ou=people,dc=nsd,dc=org", I get logs in nsdlog only. This makes sense.
When I do a search with base "dc=nsd,dc=org" and scope of base I get an entry in
nsdlog only. This makes sense. If I change the scope to one or sub I get an
entry in nsdlog and hostslog. This also makes sense to me.
When I do the following search:
ldapsearch -x -b "ou=hosts,dc=nsd,dc=org" -h localhost "(uid=test)" with any -s
option I get entries in both nsdlog and hostslog even though the search should
just be in the "ou=hosts,dc=nsd,dc=org" database.
Question is why I am still getting search entries in the nsdlog? Is this
expected behaviour?
Also, if I make an add to an object in "ou=hosts,dc=nsd,dc=org" I get 3
duplicate entries in both logs where I only expected to get entries in the
hostslog. If I change the rootdn of "ou=hosts,dc=nsd,dc=org" to be
"cn=root,ou=hosts,dc=nsd,dc=org" instead of "cn=root,dc=nsd,dc=org", I only get
1 duplicate entry in the nsdlog (e.g. I only get the add entry, not the bind or
unbind entries, as I am not binding to the rootdn in "dc=nsd,dc=org").
Question is why I am still getting the add entry in nsdlog? Is this expected
behaviour?
My slapd.conf file is:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): this file carries literal rootpw values and the path of the
# TLS private key, so it must be readable only by the account slapd runs as.
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/dyngroup.schema
#include /opt/openldap/etc/openldap/schema/nsd.schema
# NOTE(review): nsd.schema is commented out, yet the dynlist-attrset lines
# near the end reference nsd-prefixed types (nsdGroupOfMemberURLs,
# nsdGroupOfAttrURLs, nsdAttrURL); confirm they are defined by another
# included schema, otherwise slapd is likely to reject this configuration.
# Default search base for Entourage
defaultsearchbase ou=people,dc=nsd,dc=org
# search return sizelimit
sizelimit 10000
# PID and ARG files
pidfile /var/openldap/run/slapd.pid
argsfile /var/openldap/run/slapd.args
# Cleartext passwords
# NOTE(review): with {CLEARTEXT}, userPassword values set through the
# Password Modify operation are stored unhashed, so anyone who can read the
# database files or a backup obtains the plaintext. A hashed scheme such as
# {SSHA} is the usual choice; this setting only affects newly set passwords.
password-hash {CLEARTEXT}
# TLS/SSL stuff
TLSCipherSuite HIGH
TLSCACertificateFile /opt/openldap/ssl/certs/DigiCertSecurityServicesCA.pem
TLSCertificateFile /opt/openldap/ssl/certs/star_nsd_org.pem
# The private key below should be readable only by the slapd user.
TLSCertificateKeyFile /opt/openldap/ssl/keys/digikey.key
#loglevel
# any, 1-function calls, 2-packet handling, 4-functions+args, 8-connections,
# 16-packets, 32-search filters, 64-config file, 128-acls, 256-normal stats,
# 512-more stats, 16384-replication
loglevel 256
# Access control policy
# Remember, rootdn can always read and write EVERYTHING!
#
# NOTE(review): these access directives come before any "database" line, so
# they are global rules, and none of the databases below declares ACLs of
# its own. As I read slapd.access(5) that means the global rules also govern
# the two accesslog databases (cn=nsdlog, cn=nsdhostslog), where the final
# "access to *" / "by * read" clause appears to let any client, anonymous
# included, read the recorded operations. Per-database ACLs on the log
# databases would close that gap - confirm against the running server.
# password only can be changed by self and admins
access to attrs=userPassword
by anonymous auth
by group="cn=Administrators,ou=Group,dc=nsd,dc=org" write
by self write
by * none
# everyone can read the people tree, admins can write to it
access to dn.subtree="ou=People,dc=nsd,dc=org"
by group="cn=Administrators,ou=Group,dc=nsd,dc=org" write
by * read
access to dn.subtree="cn=Monitor"
by dn.exact="cn=root,dc=nsd,dc=org" write
by * none
# for everything else, admins and self can write, all can read
# NOTE(review): "by self write" on "access to *" lets a user modify every
# attribute of their own entry. With nis.schema loaded and uidNumber /
# gidNumber / memberUid indexed below, that presumably includes the POSIX
# identity attributes; if hosts resolve accounts from this directory, a user
# could change their own uidNumber/gidNumber. Consider restricting self
# write to the attributes users legitimately maintain themselves.
access to *
by group="cn=Administrators,ou=Group,dc=nsd,dc=org" write
by self write
by * read
#######################################################################
# HDB database definitions
#######################################################################
# Monitor & Config Database
database monitor
database config
# NOTE(review): literal cleartext rootpw. slapd.conf accepts a hashed value
# here (generate one with slappasswd(8)); the same applies to the other
# rootpw lines further down.
rootpw password
# Logging Database
database hdb
suffix "cn=nsdlog"
# Same rootdn as the dc=nsd,dc=org database below (which is where the
# matching rootpw lives), so an identity that binds as root there appears
# to also get unrestricted access to this log database.
rootdn "cn=root,dc=nsd,dc=org"
directory /var/openldap/openldap-data/nsdlog
index objectClass,reqStart eq
index entryCSN,entryUUID eq
cachesize 50000
checkpoint 512 60
# hosts.nsd.org Logging Database
database hdb
suffix "cn=nsdhostslog"
# Same observation as for cn=nsdlog: this rootdn is the dc=nsd,dc=org root.
rootdn "cn=root,dc=nsd,dc=org"
directory /var/openldap/openldap-data/nsdhostslog
index objectClass,reqStart eq
index entryCSN,entryUUID eq
cachesize 50000
checkpoint 512 60
# hosts.nsd.org Database
database hdb
suffix "ou=Hosts,dc=nsd,dc=org"
# rootdn kept inside this database's own suffix (the variant described in
# the report above); it has its own rootpw rather than sharing the
# dc=nsd,dc=org root identity.
rootdn "cn=root,ou=hosts,dc=nsd,dc=org"
rootpw password
directory /var/openldap/openldap-data/hosts
cachesize 50000
checkpoint 512 60
# Glue this database under the dc=nsd,dc=org database defined below.
subordinate
index objectClass,uidNumber,gidNumber,memberUid eq
index cn,mail,sn,givenName,uid,displayName eq,pres,sub
index entryCSN,entryUUID eq
# Operations on this database are recorded in cn=nsdhostslog.
overlay accesslog
logdb "cn=nsdhostslog"
logops all
# Same retention policy as nsdlog: purge records older than 36 days,
# checking once a day.
logpurge 36+00:00 1+00:00
# nsd.org Database
database hdb
suffix "dc=nsd,dc=org"
# This is the rootdn that the two accesslog databases above also name.
rootdn "cn=root,dc=nsd,dc=org"
rootpw password
directory /var/openldap/openldap-data/nsd
cachesize 50000
checkpoint 512 60
# Indices to maintain
index objectClass,uidNumber,gidNumber,memberUid eq
index cn,mail,sn,givenName,uid,displayName eq,pres,sub
index entryCSN,entryUUID eq
# Dynamic groups and lists
# (relies on nsd-prefixed schema types; see the note next to the
# commented-out nsd.schema include at the top of this file)
overlay dynlist
dynlist-attrset nsdGroupOfMemberURLs memberURL member
dynlist-attrset nsdGroupOfAttrURLs nsdAttrURL
# Log data put into ldap database instead of flat file
# Scan once a day and delete entries over 36 days old
overlay accesslog
logdb "cn=nsdlog"
logops all
logpurge 36+00:00 1+00:00