
Problem when using 'accesslog' and 'refint' overlays in combination

Hello dear list,
Please try to respond to this post, because it's very important for our project to fix the described problem!

We are trying to configure access logging in my OpenLDAP server (version is 2.3.27) using the slapo-accesslog overlay.
In slapd.conf I have configured the accesslog database according to the manual:
    database    bdb
    suffix         "cn=accesslog"
    rootdn        "cn=root,cn=accesslog"
    rootpw        accesslog
    index          reqStart eq

    database     bdb
    suffix           "dc=main_domain,dc=com"
    checkpoint   1024    5
    cachesize    10000
    rootdn          "cn=Administrator,dc=main_domain,dc=com"
    overlay         accesslog
    logdb           "cn=accesslog"
    logops          writes
    logold          (objectclass=person)

In the previous version of slapd.conf the slapo-refint overlay was also enabled, to support updating the 'uniqueMember' attribute after a member entry is renamed or deleted:

    overlay refint
    refint_attributes uniqueMember

After turning on access logging I see the following problem:
I create 2 users (objectclass=person) and a group (objectclass=groupOfUniqueNames), then I add both users to that group (add the users' DN values to the uniqueMember attribute). Next I try to rename (or delete) one of the member users and... LDAP hangs with no response. When I connect again, I see that the action was performed (the user is renamed or deleted, but the old member reference is still present in the group attributes). However, I'm not able to modify the directory (that is, add a new entry, modify an attribute value, etc.): LDAP hangs on any attempt and only an OpenLDAP restart helps.
One last note: this problem appears only when both accesslog and refint are enabled. Separately they work as expected.
Does anybody have an idea about the reason for such a problem?
We tried to find some useful information in the logs, but nothing is there (maybe we just looked in the wrong place).
Maybe it's possible to configure access-log to use a database on a different LDAP server? Maybe that could help?
Please help! We need to have this working together!
Thanks in advance,
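
Added example, not part of the original post: a small Python check that lists which overlays are stacked on each database section of a slapd.conf and reports any database carrying both accesslog and refint, the combination described above. The sample config is constructed from the post's snippets, the function names are hypothetical, and the parser assumes each `suffix` line precedes that database's `overlay` lines.

```python
import textwrap
# Constructed sample: the post's two snippets merged into one slapd.conf.
SAMPLE_CONF = textwrap.dedent("""\
    database    bdb
    suffix      "cn=accesslog"

    database    bdb
    suffix      "dc=main_domain,dc=com"
    overlay     accesslog
    logdb       "cn=accesslog"
    overlay     refint
    refint_attributes uniqueMember
""")

def logical_lines(text):
    """Yield directives: skip '#' comments, join continuation lines."""
    current = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and raw.strip() and current is not None:
            current += " " + raw.strip()  # leading whitespace continues a line
            continue
        if current:
            yield current
        current = raw.strip() or None
    if current:
        yield current

def overlays_by_database(text):
    """Map each database suffix to its overlays (assumes suffix comes first)."""
    result, suffix = {}, None
    for line in logical_lines(text):
        parts = line.split(None, 1) + [""]
        key, arg = parts[0].lower(), parts[1].strip()
        if key == "database":
            suffix = None  # new section; its suffix directive follows
        elif key == "suffix":
            suffix = arg.strip('"')
            result.setdefault(suffix, [])
        elif key == "overlay" and suffix is not None:
            result[suffix].append(arg.lower())
    return result

def stacked(text, wanted=("accesslog", "refint")):
    """Return suffixes whose database carries every overlay in wanted."""
    found = overlays_by_database(text)
    return [s for s, ovs in found.items() if all(w in ovs for w in wanted)]
```

Because slapd.conf treats a line that begins with whitespace as a continuation of the previous one, a real file must be passed in as written on disk, not with the indentation an e-mail adds around quoted config.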