Re: (ITS#6913) Feature Request: accesslog filter on DN
by marco.pizzoli@gmail.com
I hit refresh on the submit page. This erroneous ITS can be closed, sorry.
On Thu, Apr 21, 2011 at 1:33 PM, <openldap-its@openldap.org> wrote:
>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#6913.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message. Note that
> any mail sent to openldap-its@openldap.org with (ITS#6913)
> in the subject will automatically be attached to the issue report.
>
> mailto:openldap-its@openldap.org?subject=(ITS#6913)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
> http://www.OpenLDAP.org/its/index.cgi?findid=6913
>
> Please remember to retain your issue tracking number (ITS#6913)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
> http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
>
--
_________________________________________
Strong is not the one who never falls, but the one who, having fallen, has the strength to get up again.
Jim Morrison
(ITS#6913) Feature Request: accesslog filter on DN
by marco.pizzoli@gmail.com
Full_Name: Marco Pizzoli
Version: 2.4.x
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.174.164.11)
This is a feature request.
I would like to further extend accesslog filtering capabilities.
It would be useful to me to be able to exclude logging of operations made by a
specific user (DN).
My use case is a DBMS (DB2) using native LDAP authentication, which performs
extensive search operations on my DIT (nearly 2 million searches per day per
instance).
I assigned a specific technical user (DN) to these DB2 instances, so I am
able to identify operations made by those users.
This filter would allow me to greatly reduce my accesslog DB size and extend
my data retention.
Thanks
Marco Pizzoli
(ITS#6912) authz-regexp DN
by daniel@pluta.biz
Full_Name: authz-regex dnNormalize() filter expression with matching rule assertion
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:4ca0:0:fe00:200:5efe:81bb:f4c)
We tried to support/implement case-sensitive logins using SASL DIGEST-MD5.
Imagine the following partial authz-regexp statement:
ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=$1)
During "dnNormalize" the uid is transformed into lowercase, which causes the
caseExactMatch to fail:
SASL [conn=1010] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=user1HAHA,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=user1HAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=user1HAHA,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=user1HAHA,cn=digest-md5,cn=auth to a
DN
==> rewrite_context_apply [depth=1]
string='uid=user1HAHA,cn=digest-md5,cn=auth'
==> rewrite_rule_apply
rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth'
string='uid=user1HAHA,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=user1haha)'}
Re: (ITS#6911) Feature Request: accesslog filter on DN
by hyc@symas.com
marco.pizzoli@gmail.com wrote:
> Full_Name: Marco Pizzoli
> Version: 2.4.x
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.174.164.11)
>
>
> This is a feature request.
>
> I would like to further extend accesslog filtering capabilities.
> It would be useful to me to be able to exclude logging of operations made by a
> specific user (DN).
>
> My use case is a DBMS (DB2) using native LDAP authentication, which performs
> extensive search operations on my DIT (nearly 2 million searches per day per
> instance).
> I assigned a specific technical user (DN) to these DB2 instances, so I am
> able to identify operations made by those users.
>
> This filter would allow me to greatly reduce my accesslog DB size and extend
> my data retention.
Patches welcome.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
(ITS#6911) Feature Request: accesslog filter on DN
by marco.pizzoli@gmail.com
Full_Name: Marco Pizzoli
Version: 2.4.x
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.174.164.11)
This is a feature request.
I would like to further extend accesslog filtering capabilities.
It would be useful to me to be able to exclude logging of operations made by a
specific user (DN).
My use case is a DBMS (DB2) using native LDAP authentication, which performs
extensive search operations on my DIT (nearly 2 million searches per day per
instance).
I assigned a specific technical user (DN) to these DB2 instances, so I am
able to identify operations made by those users.
This filter would allow me to greatly reduce my accesslog DB size and extend
my data retention.
Thanks
Marco Pizzoli
Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli@gmail.com
It works! :-)
In the next 2 days I will test other configurations and let you know!
For now, thanks a lot!
Marco
On Wed, Apr 20, 2011 at 9:26 PM, Howard Chu <hyc@symas.com> wrote:
> Marco Pizzoli wrote:
>>
>> Trying a more complex configuration, I found my first problem.
>> This is my configuration:
>>
>> logbase session dc=mycorp,dc=mydc.it
>> logbase all ou=groups,dc=mycorp,dc=mydc.it
>> logbase all ou=people,dc=mycorp,dc=mydc.it
>>
>> Using my rootdn (cn=manager,dc=mycorp,dc=mydc.it) and submitting an
>> authenticated ldapsearch under base "ou=groups,dc=mycorp,dc=mydc.it",
>> I obtain this accesslog
>>
>>
>> # 20110420141404.000000Z, log03, mydc.it
>> dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
>> objectClass: auditBind
>> reqStart: 20110420141404.000000Z
>> reqEnd: 20110420141404.000001Z
>> reqType: bind
>> reqSession: 1000
>> reqAuthzID:
>> reqDN: cn=manager,dc=mycorp,dc=mydc.it
>> reqResult: 0
>> reqVersion: 3
>> reqMethod: SIMPLE
>>
>> # 20110420141404.000002Z, log03, mydc.it
>> dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
>> objectClass: auditSearch
>> reqStart: 20110420141404.000002Z
>> reqEnd: 20110420141404.000003Z
>> reqType: search
>> reqSession: 1000
>> reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it
>> reqDN: ou=groups,dc=mycorp,dc=mydc.it
>> reqResult: 0
>> reqScope: sub
>> reqDerefAliases: never
>> reqAttrsOnly: FALSE
>> reqFilter: (cn=minnie)
>> reqAttr: dn
>> reqEntries: 0
>> reqTimeLimit: -1
>> reqSizeLimit: -1
>>
>> As you can see, there is no unbind operation log...
>> Is it an error of mine?
>>
> Looks like Unbind has not been modified to handle logbase yet. Will fix this
> shortly.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>
--
_________________________________________
Strong is not the one who never falls, but the one who, having fallen, has the strength to get up again.
Jim Morrison
Re: (ITS#6815) Feature Request: Accesslog filter
by hyc@symas.com
Marco Pizzoli wrote:
> Trying a more complex configuration, I found my first problem.
> This is my configuration:
>
> logbase session dc=mycorp,dc=mydc.it
> logbase all ou=groups,dc=mycorp,dc=mydc.it
> logbase all ou=people,dc=mycorp,dc=mydc.it
>
> Using my rootdn (cn=manager,dc=mycorp,dc=mydc.it) and submitting an
> authenticated ldapsearch under base "ou=groups,dc=mycorp,dc=mydc.it",
> I obtain this accesslog
>
>
> # 20110420141404.000000Z, log03, mydc.it
> dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
> objectClass: auditBind
> reqStart: 20110420141404.000000Z
> reqEnd: 20110420141404.000001Z
> reqType: bind
> reqSession: 1000
> reqAuthzID:
> reqDN: cn=manager,dc=mycorp,dc=mydc.it
> reqResult: 0
> reqVersion: 3
> reqMethod: SIMPLE
>
> # 20110420141404.000002Z, log03, mydc.it
> dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
> objectClass: auditSearch
> reqStart: 20110420141404.000002Z
> reqEnd: 20110420141404.000003Z
> reqType: search
> reqSession: 1000
> reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it
> reqDN: ou=groups,dc=mycorp,dc=mydc.it
> reqResult: 0
> reqScope: sub
> reqDerefAliases: never
> reqAttrsOnly: FALSE
> reqFilter: (cn=minnie)
> reqAttr: dn
> reqEntries: 0
> reqTimeLimit: -1
> reqSizeLimit: -1
>
> As you can see, there is no unbind operation log...
> Is it an error of mine?
>
Looks like Unbind has not been modified to handle logbase yet. Will fix this
shortly.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
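For reference, a slapd.conf fragment that exercises the logbase directive the way the configuration in this thread does. This is an added example, not configuration taken from the reports, from Howard's reply or from the OpenLDAP documentation: the suffixes, the log database name and the manager DN follow the thread, while the directory paths, the index list, the ACL on the log database and the purge schedule are assumptions.

```conf
# Log database: a separate backend that receives the audit entries.
database  mdb
suffix    "cn=log03,dc=mydc.it"
directory /var/lib/ldap/accesslog
index     reqStart   eq
index     reqSession eq
index     reqAuthzID eq
# The log carries reqFilter, reqDN and, for write operations, reqMod with the
# attribute values that were written (a userPassword change lands here), so
# nobody except the manager account should be able to read it.
access to dn.subtree="cn=log03,dc=mydc.it"
    by dn.exact="cn=manager,dc=mycorp,dc=mydc.it" read
    by * none

# Main database with the accesslog overlay attached.
database  mdb
suffix    "dc=mycorp,dc=mydc.it"
rootdn    "cn=manager,dc=mycorp,dc=mydc.it"
directory /var/lib/ldap/data

overlay   accesslog
logdb     "cn=log03,dc=mydc.it"
# Session operations (bind/unbind) for the whole tree, every operation for
# the two subtrees: the same three logbase lines Marco tested.
logbase   session "dc=mycorp,dc=mydc.it"
logbase   all     "ou=groups,dc=mycorp,dc=mydc.it"
logbase   all     "ou=people,dc=mycorp,dc=mydc.it"
logsuccess TRUE
# Keep seven days of entries and sweep once a day (assumed retention).
logpurge  07+00:00 01+00:00
```

The `by * none` on the log database is the part most often forgotten: the overlay writes into that backend internally, so the ACL only governs who can read the audit trail, and the main database's rootdn has no implicit rights over a separate log database unless granted here.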
Re: (ITS#6815) Feature Request: Accesslog filter
by marco.pizzoli@gmail.com
Trying a more complex configuration, I found my first problem.
This is my configuration:
logbase session dc=mycorp,dc=mydc.it
logbase all ou=groups,dc=mycorp,dc=mydc.it
logbase all ou=people,dc=mycorp,dc=mydc.it
Using my rootdn (cn=manager,dc=mycorp,dc=mydc.it) and submitting an
authenticated ldapsearch under base "ou=groups,dc=mycorp,dc=mydc.it",
I obtain this accesslog
# 20110420141404.000000Z, log03, mydc.it
dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
objectClass: auditBind
reqStart: 20110420141404.000000Z
reqEnd: 20110420141404.000001Z
reqType: bind
reqSession: 1000
reqAuthzID:
reqDN: cn=manager,dc=mycorp,dc=mydc.it
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE
# 20110420141404.000002Z, log03, mydc.it
dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
objectClass: auditSearch
reqStart: 20110420141404.000002Z
reqEnd: 20110420141404.000003Z
reqType: search
reqSession: 1000
reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it
reqDN: ou=groups,dc=mycorp,dc=mydc.it
reqResult: 0
reqScope: sub
reqDerefAliases: never
reqAttrsOnly: FALSE
reqFilter: (cn=minnie)
reqAttr: dn
reqEntries: 0
reqTimeLimit: -1
reqSizeLimit: -1
As you can see, there is no unbind operation log...
Is it an error of mine?
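Two checks a practitioner would want against output like the above, as an added example that is not code from the thread or from the OpenLDAP project. It parses accesslog entries as ldapsearch exports them, lists the sessions that have a bind but no unbind record (the gap Marco reports in this message), and counts operations per identity so that the effect of the per-DN exclusion requested in ITS#6911 can be measured before anything is filtered. The sample records are constructed: the two entries from this message, plus a hypothetical service account cn=db2svc,ou=services,dc=mycorp,dc=mydc.it in a session 1001 that binds, searches and unbinds; the attribute set of the constructed unbind record is an assumption.

```python
import base64
import re
from collections import Counter, defaultdict

# Constructed sample (not from a real server): session 1000 is the bind and
# search posted in the thread (no unbind record); session 1001 is a
# hypothetical DB2 service account that binds, searches and unbinds.
SAMPLE_LDIF = """\
dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
reqType: bind
reqSession: 1000
reqAuthzID:
reqDN: cn=manager,dc=mycorp,dc=mydc.it
reqResult: 0

dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
reqType: search
reqSession: 1000
reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it
reqDN: ou=groups,dc=mycorp,dc=mydc.it
reqFilter: (cn=minnie)

dn: reqStart=20110420141500.000000Z,cn=log03,dc=mydc.it
reqType: bind
reqSession: 1001
reqAuthzID:
reqDN: cn=db2svc,ou=services,dc=mycorp,dc=mydc.it
reqResult: 0

dn: reqStart=20110420141500.000002Z,cn=log03,dc=mydc.it
reqType: search
reqSession: 1001
reqAuthzID: cn=db2svc,ou=services,dc=mycorp,dc=mydc.it
reqDN: ou=people,dc=mycorp,dc=mydc.it
reqFilter: (uid=minnie)

dn: reqStart=20110420141500.000004Z,cn=log03,dc=mydc.it
reqType: unbind
reqSession: 1001
reqAuthzID: cn=db2svc,ou=services,dc=mycorp,dc=mydc.it
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """LDIF -> list of {attr: [values]}. Attribute names are lower-cased (LDAP
    treats them case-insensitively), folded lines joined, base64 decoded."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], defaultdict(list)
    for line in unfolded + [""]:               # trailing "" flushes last record
        if line == "":
            if current:
                records.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):
            m = LDIF_LINE.match(line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            current[attr].append(value)
    return records


def attr(rec, name):
    return rec.get(name, [""])[0]


def sessions_missing_unbind(records):
    """reqSession ids with a successful bind but no unbind record: an open
    session, an abrupt disconnect, or (as in the thread) an unbind the overlay
    never logged. Candidates to follow up, not proof."""
    bound, unbound = set(), set()
    for rec in records:
        kind = attr(rec, "reqtype").lower()
        if kind == "bind" and attr(rec, "reqresult") == "0":
            bound.add(attr(rec, "reqsession"))
        elif kind == "unbind":
            unbound.add(attr(rec, "reqsession"))
    return sorted(bound - unbound)


def normalize_dn(dn):
    """Lower-case and strip whitespace around '=' and ',' so a string compare
    does not miss 'CN=Manager, DC=...'. Not a full RFC 4514 normalizer."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


def identity_of(rec):
    """Bind records carry the identity in reqDN, all other ops in reqAuthzID."""
    is_bind = attr(rec, "reqtype").lower() == "bind"
    dn = attr(rec, "reqdn") if is_bind else attr(rec, "reqauthzid")
    return normalize_dn(dn) if dn else "(anonymous)"


def ops_per_identity(records):
    return Counter(identity_of(r) for r in records)


def split_by_excluded_dn(records, excluded_dn):
    """Emulate the per-DN exclusion asked for in ITS#6911 -> (kept, dropped)."""
    target = normalize_dn(excluded_dn)
    kept, dropped = [], []
    for rec in records:
        (dropped if identity_of(rec) == target else kept).append(rec)
    return kept, dropped


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("bind without unbind:", sessions_missing_unbind(recs))
    for who, n in ops_per_identity(recs).most_common():
        print("%4d ops by %s" % (n, who))
    kept, dropped = split_by_excluded_dn(recs, "CN=db2svc, OU=services, DC=mycorp, DC=mydc.it")
    print("excluding db2svc drops %d of %d records" % (len(dropped), len(recs)))
```

Two caveats the example is built around: DN comparison has to be done on a normalized form, otherwise a filter written against cn=manager,... silently misses CN=Manager, ...; and excluding a technical account from the access log also removes the trail you would need if that account's credentials were ever misused, so bounding the log database with a purge policy is usually the safer way to control its size than dropping an identity altogether.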