[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trace the change on the directory [auf Viren überprüft]

Hi Howard!

Howard Chu schrieb:

There are many things wrong here:

1. The overlay is supposed to go on some other database, not the database that stores the log records.
You mean: "Don't log changes from ou=log in ou=log!"?
I snipped out the main db. This is the db I want to be logged (which worked).

database        bdb
suffix          "ou=foo,c=de"
rootdn          "cn=gen.man,ou=foo,c=de"
rootpw          nothing
directory       /opt/mail/var/main-data
# Indices to maintain
logdb "ou=log,ou=foo,c=de"
logops writes

2. The slapo-accesslog(5) manpage also tells you specifically not to allow general write access to the log database.
I did not try 2.3.24 but 2.3.19 and can't find it there. Either in man in the web.

3. You should always index objectclass eq.

4. You should always provide a rootdn.

[compare - isn't that a contradiction to ?
-> http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
"It is recommended that the rootdn only be specified when needed (such as when initially populating a database). If the rootdn is within a namingContext (suffix) of the database, a simple bind password may also be provided using the rootpw directive. Note that the rootdn is always needed when using syncrepl."]

Now it works without the acls.
Thanks for clarifying that.