Re: (ITS#6815) Feature Request: Accesslog filter
by masarati@aero.polimi.it
hyc(a)symas.com wrote:
> Andrew Findlay wrote:
>> On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote:
>>
>>> Possibly we can extend the directive to handle exclusion as well as inclusion,
>>> to simplify this case.
>> Extending this idea slightly, would it be possible to have
>> exclusions based on changes to specific attributes? The
>> particular case I have in mind is where accesslog is used to
>> keep a permanent audit log of changes, and ppolicy is also
>> in use, resulting in one audit entry for every login
>> failure. I have one site where a large proportion of the auditlog
>> entries are login failures...
>
> Perhaps in that case, it would be simpler just to set ppolicy's mods to be
> internal-only and bypass the accesslog overlay. (Currently it does this
> already, if the server is a single-master replica.)
>
> So far you're talking about two different enhancements - the original poster
> is trying to exclude a set of searches, and you're talking about excluding
> modify ops. I'm not seeing any way yet to generalize from here such that all
> operation types are addressed meaningfully, and I don't want to introduce
> multiple special cases to the config language.
A URI-based restriction specification could include/exclude based on
suffix, filter and listed attributes with a unified syntax.
p.
12 years, 7 months
Re: (ITS#6815) Feature Request: Accesslog filter
by hyc@symas.com
Andrew Findlay wrote:
> On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote:
>
>> Possibly we can extend the directive to handle exclusion as well as inclusion,
>> to simplify this case.
>
> Extending this idea slightly, would it be possible to have
> exclusions based on changes to specific attributes? The
> particular case I have in mind is where accesslog is used to
> keep a permanent audit log of changes, and ppolicy is also
> in use, resulting in one audit entry for every login
> failure. I have one site where a large proportion of the auditlog
> entries are login failures...
Perhaps in that case, it would be simpler just to set ppolicy's mods to be
internal-only and bypass the accesslog overlay. (Currently it does this
already, if the server is a single-master replica.)
So far you're talking about two different enhancements - the original poster
is trying to exclude a set of searches, and you're talking about excluding
modify ops. I'm not seeing any way yet to generalize from here such that all
operation types are addressed meaningfully, and I don't want to introduce
multiple special cases to the config language.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 7 months
Re: (ITS#6815) Feature Request: Accesslog filter
by andrew.findlay@skills-1st.co.uk
On Wed, Feb 23, 2011 at 08:58:33AM +0000, hyc(a)symas.com wrote:
> Possibly we can extend the directive to handle exclusion as well as inclusion,
> to simplify this case.
Extending this idea slightly, would it be possible to have
exclusions based on changes to specific attributes? The
particular case I have in mind is where accesslog is used to
keep a permanent audit log of changes, and ppolicy is also
in use, resulting in one audit entry for every login
failure. I have one site where a large proportion of the auditlog
entries are login failures...
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
12 years, 7 months
Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli@gmail.com
On Wed, Feb 23, 2011 at 9:57 AM, Howard Chu <hyc(a)symas.com> wrote:
> Marco Pizzoli wrote:
>
>> Hi Howard,
>> thanks for this work.
>>
>> I noticed that you give me a baseDN under which I can have operations
>> logged.
>> If I would like to exclude one subtree from my principal tree, I need to
>> specify all the baseDN of other sibling-subtrees.
>> To do this do I need to poli-invoke accesslog overlay?
>>
>
> No, you can specify logbase multiple times in a single overlay.
>
Ok, thanks.
> Possibly we can extend the directive to handle exclusion as well as
> inclusion, to simplify this case.
>
This is effectively what I would need, in this case.
12 years, 7 months
Re: (ITS#6815) Feature Request: Accesslog filter
by hyc@symas.com
Marco Pizzoli wrote:
> Hi Howard,
> thanks for this work.
>
> I noticed that you give me a baseDN under which I can have operations logged.
> If I would like to exclude one subtree from my principal tree, I need to
> specify all the baseDN of other sibling-subtrees.
> To do this do I need to poli-invoke accesslog overlay?
No, you can specify logbase multiple times in a single overlay.
Possibly we can extend the directive to handle exclusion as well as inclusion,
to simplify this case.
>
> Thanks again
> Marco
>
> On Wed, Feb 23, 2011 at 3:15 AM, Howard Chu <hyc(a)symas.com
> <mailto:hyc@symas.com>> wrote:
>
> marco.pizzoli(a)gmail.com <mailto:marco.pizzoli@gmail.com> wrote:
>
> Full_Name: Marco Pizzoli
> Version: ALL
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.41.84.11)
>
>
> Hi,
> this is a feature request.
>
> I would like to have accesslog write to its db only ldap operations
> that match some sort of filter, or, in particular, not log searches
> that match a specific pattern.
>
> This request is spotted by some ldap clients that I have that every
> 30 seconds do a dummy ldap search only to keep alive their connection
> to the ldap server. These searches are frequent and I have many of
> these clients in my deployment, so my accesslog becomes full of
> insignificant entries.
>
>
> I've added a simple subtree-matching feature to accesslog in HEAD. Please
> test and let us know if it addresses this request.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
>
>
>
> --
> _________________________________________
> It is not the strong one who does not fall, but the one who, having fallen, has the strength to rise again.
> Jim Morrison
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 7 months
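The multiple-logbase configuration Howard describes above, as an added example (it is not from this thread and not the OpenLDAP project's own config). The subtree names are constructed, and it assumes the slapo-accesslog(5) semantics that logops selects the operation types while logbase clauses narrow those types to the listed bases:

```conf
# Added example (not from the thread): slapd.conf fragment that confines
# read logging to the subtrees that carry audited data. Subtree names
# (ou=people, ou=groups, ou=keepalive) are constructed for illustration.

# Log database that receives the audit records.
database        mdb
suffix          "cn=log"
directory       /var/lib/ldap/log
rootdn          "cn=log"

# Main database being audited.
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/data
rootdn          "cn=admin,dc=example,dc=com"

overlay         accesslog
logdb           "cn=log"

# Before: every read and write in the whole suffix is recorded, so the
# keep-alive searches (base ou=keepalive,dc=example,dc=com, repeated
# every 30 seconds by each client) flood the audit log.
#logops         reads writes

# After: keep writes for the whole suffix, but confine read logging to
# the two subtrees that carry audited data. The keep-alive base is a
# sibling of both, so those searches match no logbase clause and are not
# written to cn=log. (Assumption, per slapo-accesslog(5): logbase narrows
# the types listed in logops to the given bases; it does not add types.)
logops          reads writes
logbase         reads "ou=people,dc=example,dc=com" subtree
logbase         reads "ou=groups,dc=example,dc=com" subtree

# Retention: purge records older than 30 days, checking once a day, so
# the audit database stays bounded even with the narrower logging.
logpurge        30+00:00 01+00:00
```

Because a logbase clause only narrows what logops already selects, a client whose keep-alive search targets ou=people would still be logged; the exclusion works only when the dummy search base lies outside every listed subtree.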
Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli@gmail.com
Hi Howard,
thanks for this work.
I noticed that you give me a baseDN under which I can have operations
logged.
If I would like to exclude one subtree from my principal tree, I need to
specify all the baseDN of other sibling-subtrees.
To do this do I need to poli-invoke accesslog overlay?
Thanks again
Marco
On Wed, Feb 23, 2011 at 3:15 AM, Howard Chu <hyc(a)symas.com> wrote:
> marco.pizzoli(a)gmail.com wrote:
>
>> Full_Name: Marco Pizzoli
>> Version: ALL
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (193.41.84.11)
>>
>>
>> Hi,
>> this is a feature request.
>>
>> I would like to have accesslog write to its db only ldap operations
>> that match some sort of filter, or, in particular, not log searches
>> that match a specific pattern.
>>
>> This request is spotted by some ldap clients that I have that every
>> 30 seconds do a dummy ldap search only to keep alive their connection
>> to the ldap server. These searches are frequent and I have many of
>> these clients in my deployment, so my accesslog becomes full of
>> insignificant entries.
>>
>
> I've added a simple subtree-matching feature to accesslog in HEAD. Please
> test and let us know if it addresses this request.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
-- 
_________________________________________
It is not the strong one who does not fall, but the one who, having fallen, has the strength to rise again.
Jim Morrison
12 years, 7 months
Re: (ITS#6839) Expanded documentation for ldapi: and SASL EXTERNAL
by hyc@symas.com
Andrew Findlay wrote:
> On Fri, Feb 18, 2011 at 02:56:16PM -0800, Howard Chu wrote:
>
>> re: TLS Authentication Identity Format
>>
>> Strictly speaking, the order of components is not changed at all.
>> The sequence of RDNs in the DN is what it is; just that the
>> convention for *displaying* it is ass-backwards in LDAP. I'm afraid
>> the wording here will confuse people into thinking that the
>> *semantics* of the DN are changed, when it's only a display issue.
>
> Good point. Updated wording attached.
Thanks, applied with formatting tweaks.
>
> Andrew
>
>
> sasl-x509-dn-doc.patch
>
>
> --- sasl.sdf.head 2011-02-18 23:03:07.000000000 +0000
> +++ sasl.sdf 2011-02-22 14:30:25.947887979 +0000
> @@ -1,4 +1,4 @@
> -# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.51 2011/02/18 23:03:07 hyc Exp $
> +# $OpenLDAP: pkg/openldap-guide/admin/sasl.sdf,v 1.34.2.12 2011/01/04 23:49:40 kurt Exp $
> # Copyright 1999-2011 The OpenLDAP Foundation, All Rights Reserved.
> # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
>
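Review bot: the $OpenLDAP$ keyword line in this hunk replaces revision 1.51 (2011/02/18, hyc) with 1.34.2.12 (2011/01/04, kurt), an older branch revision, which indicates the diff was taken against a stale copy of sasl.sdf rather than the head revision named in the --- header. Drop this hunk (the keyword is expanded by the repository on commit) and regenerate the patch against current HEAD so that only the wording change in the H4 section remains.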
> @@ -302,9 +302,9 @@
>
> H4: TLS Authentication Identity Format
>
> -This is usually the Subject DN from the client-side certificate.
> -The order of the components will be changed to follow LDAP conventions,
> -so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}}
> +This is the Subject DN from the client-side certificate.
> +Note that DNs are displayed differently by LDAP and by X.509, so
> +a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}}
> will produce an authentication identity of:
>
> > cn=A Person,o=The Example Organisation,c=gb
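Review bot: the new sentence "DNs are displayed differently by LDAP and by X.509" says that presentation differs but not how, so a reader still has to infer the direction from the example alone; given the concern raised earlier in the thread that people might think the DN's semantics change, consider stating it outright, e.g. "The sequence of RDNs is unchanged; X.509 conventionally displays it root-first and LDAP leaf-first, so a certificate issued to {{EX:C=gb, O=The Example Organisation, CN=A Person}} will produce an authentication identity of:". The example also lowercases the attribute types (C= becomes c=, CN= becomes cn=) without saying so; a clause noting that attribute type names are case-insensitive would stop readers treating the case change as part of the mapping.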
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 7 months
Re: (ITS#6833) LDAP hangs on Solaris
by hyc@symas.com
tombolala(a)gmx.de wrote:
> Hi Quanah!
>
> sorry for the wrong release, I meant 2.4.22 of course.
I recall we also experienced hangs with Solaris 10 during the testing leading
up to the 2.4.24 release. Yet with identical code, no such hangs were reported
on Solaris 9 or Solaris 11. I suspect there's a bug in the implementation of
select() on Solaris 10, causing it to fail to report the connection close events.
Some discussion of this problem occurred in this email thread
http://www.openldap.org/lists/openldap-devel/201101/msg00033.html
Try 2.4.24, and try a different Solaris release. Aside from that, we have no
answers for you.
> /Thomas
>
> -------- Original Message --------
>> Date: Wed, 16 Feb 2011 16:34:39 GMT
>> From: quanah(a)zimbra.com
>> To: openldap-its(a)openldap.org
>> Subject: Re: (ITS#6833) LDAP hangs on Solaris
>
>> --On Wednesday, February 16, 2011 11:37 AM +0000 tombolala(a)gmx.de wrote:
>>
>>> Full_Name: Thomas Bopp
>>> Version: 4.2.22
>>
>>> I really need a solution for this problem.
>>
>> I suggest you list an actual OpenLDAP release. It's near impossible to
>> help you without that.
>>
>> --Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Sr. Member of Technical Staff
>> Zimbra, Inc
>> A Division of VMware, Inc.
>> --------------------
>> Zimbra :: the leader in open source messaging and collaboration
>>
>>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 7 months
Re: (ITS#6815) Feature Request: Accesslog filter
by hyc@symas.com
marco.pizzoli(a)gmail.com wrote:
> Full_Name: Marco Pizzoli
> Version: ALL
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (193.41.84.11)
>
>
> Hi,
> this is a feature request.
>
> I would like to have accesslog write to its db only ldap operations
> that match some sort of filter, or, in particular, not log searches
> that match a specific pattern.
>
> This request is spotted by some ldap clients that I have that every
> 30 seconds do a dummy ldap search only to keep alive their connection
> to the ldap server. These searches are frequent and I have many of
> these clients in my deployment, so my accesslog becomes full of
> insignificant entries.
I've added a simple subtree-matching feature to accesslog in HEAD. Please test
and let us know if it addresses this request.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12 years, 7 months
Re: (ITS#6841) slapd segfault error 7
by masarati@aero.polimi.it
> Full_Name: André Bolinhas
> Version: 2.4.24
> OS: ubuntu 10.4 x86
> URL:
> Submission from: (NULL) (217.129.0.33)
>
>
> Dear,
>
> My ldap crashes every 2 minutes, I get this error on syslog
>
> kernel: [35483.930213] slapd[3892]: segfault at 8127238 ip 080c6fcc sp
> b60ffb00
> error 7 in slapd[8048000+123000]
>
> How can I help to solve this problem?
Usage help requests should be directed to openldap-technical mailing list.
The ITS is for bug tracking. I infer you didn't read the instructions
from the fact that you clicked the "Major Security Issue?" for ITS#6840.
This ITS will be closed.
p.
12 years, 7 months