
Re: (ITS#7863) Invalid DN syntax (34) not written by slapo-accesslog



Howard Chu wrote:
> michael@stroeder.com wrote:
>> It seems that modify requests which failed due to Invalid DN syntax (34) are
>> not written to accesslog-DB. I guess that those requests get abandoned by the
>> frontend and never reach the backend at all.
> 
> Correct.
> 
>> It would be handy to see the invalid modify request in the accesslog-DB though.
>>
>> Any chance to achieve this?
> 
> Not likely. The frontend must call select_backend() based on the incoming DN
> to determine which backend to invoke, and thus which stack of overlays are
> involved. If the DN is invalid, no selection can occur.

Hmm, I've done some more tests. Invalid syntax (21) also does not make it
beyond the frontend into accesslog-DB.

I have no clear opinion on this. Of course the current behaviour is good for
performance. But sometimes one would like to observe what broken LDAP clients
sent in a modify request in the past.

Also, running with BER loglevel or breaking up the TLS connection with stunnel
and sniffing with Wireshark is not always an option.

Having this configurable would be great.

What's your opinion on this?

Ciao, Michael.