Quanah Gibson-Mount wrote:
> --On Thursday, April 14, 2016 9:25 AM +0200 Ulrich Windl
> <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>> I have configured accesslog to log all changes to an LDAP server, and
>> that seems to work for months. Recently I noticed that there were no
>> new entries for more than a week. Usually there are several entries per
>> day, because with password policy every bad login attempt is logged. As
>> we have three multi-master servers, I wonder whether changes made to
>> other servers and replicated to the local server will be logged by
>> accesslog also. Are the password policy updates (which are somewhat
>> special) also replicated to all servers?
>
> Have you read over the slapo-ppolicy(5) man page?
>
> <http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>
>
> The "OPERATIONAL ATTRIBUTES" section is interesting. I can't tell how it's
> supposed to operate in an MMR environment.

Probably Ulrich is referring to the internal write operations sent by
slapo-ppolicy setting attribute 'pwdFailureTime'. Those are indeed also
written to the accesslog database. I also use this to detect failed logins in
case I don't want to log all bind operations.

Ciao, Michael.
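The failed-login detection mentioned in the last reply can be sketched as follows. This is an added example, not code from the thread or from OpenLDAP: it assumes the accesslog entries were exported as LDIF (for instance with ldapsearch) and that modifications appear in `reqMod` as `attribute:<op> value`, as slapo-accesslog(5) describes; the `cn=accesslog` suffix, the DNs and the function names are hypothetical.

```python
import re

# Constructed sample, not real data; the cn=accesslog suffix and DNs are assumed.
SAMPLE_LDIF = """\
dn: reqStart=20160414072501.000001Z,cn=accesslog
reqType: modify
reqResult: 0
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:+ 20160414072501Z

dn: reqStart=20160414072509.000002Z,cn=accesslog
reqType: modify
reqResult: 0
reqDN: uid=bob,ou=people,
 dc=example,dc=com
reqMod: pwdFailureTime:+ 20160414072509Z

dn: reqStart=20160414072530.000003Z,cn=accesslog
reqType: modify
reqResult: 0
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:+ 20160414072530Z

dn: reqStart=20160414072601.000004Z,cn=accesslog
reqType: modify
reqResult: 0
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:-
"""

def parse_entries(ldif):
    """Yield each LDIF entry as a dict mapping attribute to a list of values."""
    unfolded = ldif.replace("\n ", "")  # folded lines continue with one space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr, []).append(value)
        yield entry

def failed_binds(ldif):
    """Return (reqDN, time) for each pwdFailureTime value added by a logged modify."""
    hits = []
    for e in parse_entries(ldif):
        if e.get("reqType") != ["modify"] or e.get("reqResult") != ["0"]:
            continue  # only successful modify operations changed the entry
        for mod in e.get("reqMod", []):
            # ":+" is an added value; ":-" (cleared after a good bind) is ignored
            if m := re.fullmatch(r"pwdFailureTime:\+ (\S+)", mod):
                hits.append((e["reqDN"][0], m.group(1)))
    return hits
```

Base64-encoded values (`attr:: ...`) are not decoded here, so DNs containing non-ASCII characters would need that step added.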