
Re: cn=Log,cn=Monitor (was: Open LDAP and SNMP)



> Pierangelo Masarati wrote:
>>>
>> This is already possible with back-monitor, by modifying
>> the value of the description field in the "cn=Log,cn=Monitor"
>> entry by means of the LDAP protocol.
>
> Is there some documentation available?
> Is description meant to be multi-valued?
> How about access control?
>
> I tried to modify the value of attribute description but got back an error
> unwillingToPerform.

You're right, I started working on some docs, but soon gave up.
All that's available is a README in servers/slapd/back-monitor
and a few mail threads at the time it was committed (more than
one year ago, if I recall it right).  I'll turn the README into
a man page, and possibly some admin guide doc.

The description attribute is multivalued; you can only write
the allowed values, which are:

        Trace
        Packets
        Args
        Conns
        BER
        Filter
        Config          (useless)
        ACL
        Stats
        Stats2
        Shell
        Parse
        Cache           (deprecated)
        Index

the values are internally converted to their numerical
representation and ORed; there's no mutex protection
of logging, but it might be easily added if it's a problem
since all the writing is wrapped by one macro.

Of course you need write permission on that entry and on
that value, which is easily obtained by means of ACLs.

I don't remember if a rootdn/rootpw is honored by the
backend; however it'd be of little use; my usual strategy
is to add ACLs that allow regular users belonging to other
databases to operate on monitor entries.  Note that
changing log level affects only syslog writings and not
debugging output as a design choice.

A valid change would be:

dn: cn=Log,cn=Monitor
changetype: modify
delete: description
description: Conns
-
add: description
description: Stats
description: ACL
-

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
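
Added example, not part of the original message and not OpenLDAP code: a small model of how the change above turns into an ORed log mask. The numeric bit values are an assumption taken from the slapd.conf(5) loglevel table (the message lists only the names), and the function names and starting value set are constructed for illustration.

```python
# Added illustration, not OpenLDAP source code.
# Assumption: bit values follow the slapd.conf(5) "loglevel" table
# (Trace=1, Packets=2, ... Index=8192); the post lists only the names.
NAMES = ["Trace", "Packets", "Args", "Conns", "BER", "Filter", "Config",
         "ACL", "Stats", "Stats2", "Shell", "Parse", "Cache", "Index"]
LEVELS = {name: 1 << bit for bit, name in enumerate(NAMES)}

# The change from the post (attribute name spelled out in full).
POST_CHANGE = """\
dn: cn=Log,cn=Monitor
changetype: modify
delete: description
description: Conns
-
add: description
description: Stats
description: ACL
-
"""

def mask_of(values):
    """OR together the numeric bits of the given description values."""
    mask = 0
    for value in values:
        mask |= LEVELS[value]
    return mask

def apply_modify(current, ldif):
    """Return the description values after an LDIF modify record.

    Models only add/delete with explicit values. Raises ValueError for a
    value outside the allowed list or a line naming another attribute.
    """
    values, op = set(current), None
    for line in ldif.strip().splitlines():
        key, _, val = (part.strip() for part in line.partition(":"))
        if key == "-":
            op = None                      # end of one modification
        elif key in ("dn", "changetype"):
            continue
        elif key in ("add", "delete"):
            if val != "description":
                raise ValueError(f"not a description change: {line!r}")
            op = key
        elif key != "description" or op is None:
            raise ValueError(f"unexpected line: {line!r}")
        elif val not in LEVELS:
            raise ValueError(f"value not allowed: {val!r}")
        elif op == "add":
            values.add(val)
        else:
            values.discard(val)
    return values
```

Starting from a constructed entry holding only Conns, the change from the message leaves Stats and ACL set, a mask of 256 | 128 = 384.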