https://bugs.openldap.org/show_bug.cgi?id=9960
Issue ID: 9960
Summary: Problem with accesslog overlay along with dynlist overlay
Product: OpenLDAP
Version: 2.5.13
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: carsten.jaeckel@tu-dortmund.de
Target Milestone: ---

As long as only the accesslog overlay is used the logging works as expected. Successfully logged search access:
ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail
Result of ldapsearch -H ldaps://ldap.example.com:636 -D cn=log -W -b cn=log objectclass=*:
######################################
...

# 20221212145029.000000Z, log
dn: reqStart=20221212145029.000000Z,cn=log
objectClass: auditBind
reqStart: 20221212145029.000000Z
reqEnd: 20221212145029.000001Z
reqType: bind
reqSession: 1022
reqAuthzID:
reqDN: cn=manager,dc=example,dc=com
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE

# 20221212145029.000002Z, log
dn: reqStart=20221212145029.000002Z,cn=log
objectClass: auditSearch
reqStart: 20221212145029.000002Z
reqEnd: 20221212145029.000003Z
reqType: search
reqSession: 1022
reqAuthzID: manager,dc=example,dc=com
reqDN: dc=users,dc=example,dc=com
reqResult: 0
reqScope: sub
reqDerefAliases: never
reqAttrsOnly: FALSE
reqFilter: (cn=user1)
reqAttr: mail
reqEntries: 1
reqTimeLimit: -1
reqSizeLimit: -1

# 20221212145029.000004Z, log
dn: reqStart=20221212145029.000004Z,cn=log
objectClass: auditObject
reqStart: 20221212145029.000004Z
reqEnd: 20221212145029.000005Z
reqType: unbind
reqSession: 1022
reqAuthzID: manager,dc=example,dc=com
######################################
After adding overlay dynlist the information in the accesslog database after the same search operation
ldapsearch -H ldaps://ldap.example.com:636 -D cn=manager,dc=example,dc=com -W -b dc=users,dc=example,dc=com cn=user1 mail
is as follows:
######################################
...

# 20221212144859.000000Z, log
dn: reqStart=20221212144859.000000Z,cn=log
objectClass: auditBind
reqStart: 20221212144859.000000Z
reqEnd: 20221212144859.000001Z
reqType: bind
reqSession: 1019
reqAuthzID:
reqDN: manager,dc=example,dc=com
reqResult: 0
reqVersion: 3
reqMethod: SIMPLE

# 20221212144859.000002Z, log
dn: reqStart=20221212144859.000002Z,cn=log
objectClass: auditSearch
reqStart: 20221212144859.000002Z
reqEnd: 20221212144859.000003Z
reqType: search
reqSession: 1019
reqAuthzID: manager,dc=example,dc=com
reqDN: dc=users,dc=example,dc=com
reqResult: 0
reqScope: sub
reqDerefAliases: never
reqAttrsOnly: FALSE
reqFilter: (objectClass=groupOfURLs)
reqAttr: memberURL
reqEntries: 0
reqTimeLimit: -1
reqSizeLimit: -1

# 20221212144859.000005Z, log
dn: reqStart=20221212144859.000005Z,cn=log
objectClass: auditObject
reqStart: 20221212144859.000005Z
reqEnd: 20221212144859.000006Z
reqType: unbind
reqSession: 1019
reqAuthzID: manager,dc=example,dc=com
######################################
Configuration:
######################################
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
...
olcSuffix: dc=example,dc=com
olcSyncUseSubentry: FALSE

dn: olcOverlay={0}refint,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {0}refint
olcRefintAttribute: member
olcRefintAttribute: memberOf
olcRefintNothing: cn=tgroup,dc=groups,dc=example,dc=com

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: {1}ppolicy
olcPPolicyHashCleartext: TRUE

dn: olcOverlay={2}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {2}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames

dn: olcOverlay={3}lastbind,olcDatabase={1}mdb,cn=config
objectClass: olcConfig
objectClass: olcLastBindConfig
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: {3}lastbind
olcLastBindPrecision: 86400

dn: olcOverlay={4}accesslog,olcDatabase={1}mdb,cn=config
objectClass: olcAccessLogConfig
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: top
olcAccessLogDB: cn=log
olcOverlay: {4}accesslog
olcAccessLogOld: (objectClass=inetOrgPerson)
olcAccessLogOldAttr: description
olcAccessLogOps: all
olcAccessLogPurge: 01:00 00:15
######################################
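
Added example, not part of the original report and not OpenLDAP code: a way to audit an exported accesslog for the symptom shown above, i.e. auditSearch records carrying the dynlist lookup (filter and attribute derived from olcDynListAttrSet) instead of the client's request. The function names are made up for this example, and the input is assumed to be unwrapped LDIF (ldapsearch -o ldif-wrap=no).

```python
import re

# Two auditSearch records abridged from the report's accesslog output.
SAMPLE = """\
dn: reqStart=20221212145029.000002Z,cn=log
objectClass: auditSearch
reqStart: 20221212145029.000002Z
reqSession: 1022
reqFilter: (cn=user1)
reqAttr: mail

dn: reqStart=20221212144859.000002Z,cn=log
objectClass: auditSearch
reqStart: 20221212144859.000002Z
reqSession: 1019
reqFilter: (objectClass=groupOfURLs)
reqAttr: memberURL
"""

def parse_ldif(text):
    """Split unwrapped LDIF into entries of the form {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith(("#", " ")) or ":" not in line:
                continue  # comment, continuation line, or noise
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def dynlist_signature(attrset):
    """Map an olcDynListAttrSet value to (filter, URL attribute), lowercased."""
    oc, url_attr = re.sub(r"^\{\d+\}", "", attrset).lower().split()[:2]
    return f"(objectclass={oc})", url_attr

def find_dynlist_searches(ldif_text, attrset):
    """Return (reqStart, reqSession) for logged searches matching dynlist's lookup."""
    flt, url_attr = dynlist_signature(attrset)
    hits = []
    for e in parse_ldif(ldif_text):
        if "auditSearch" not in e.get("objectclass", []):
            continue
        if ([v.lower() for v in e.get("reqfilter", [])] == [flt]
                and [v.lower() for v in e.get("reqattr", [])] == [url_attr]):
            hits.append((e["reqstart"][0], e["reqsession"][0]))
    return hits
```

A hit is only a candidate: a client can legitimately issue the same search, so compare the flagged reqSession against what that client is known to have requested.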

--- Comment #1 from Howard Chu hyc@openldap.org ---
Note that if all of your member and memberOf attributes are dynamic, managed by dynlist, then you don't need refint here.

Howard Chu hyc@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Howard Chu hyc@openldap.org ---
fixed in git master

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |TEST
   Target Milestone|---                         |2.5.14

--- Comment #3 from Carsten Jäckel carsten.jaeckel@tu-dortmund.de ---
Dear Sir or Madam,

I cannot be reached by e-mail until 23.01.2023. Your message will not be forwarded and can therefore only be answered after my return. In urgent cases, please contact the ITMC service desk (service.itmc@tu-dortmund.de, Tel.: 0231-755-2444).

Kind regards,
Carsten Jäckel

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|needs_review                |
         Resolution|TEST                        |FIXED

--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
head:

• 0acf148a by Howard Chu at 2022-12-15T10:07:06+00:00
  ITS#9960 slapo-dynlist: mark internal searches as internal

RE26:

• 5c47ab7a by Howard Chu at 2023-01-19T17:38:56+00:00
  ITS#9960 slapo-dynlist: mark internal searches as internal

RE25:

• af04b87e by Howard Chu at 2023-01-19T17:38:59+00:00
  ITS#9960 slapo-dynlist: mark internal searches as internal

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@openldap.org           |hyc@openldap.org

Quanah Gibson-Mount quanah@openldap.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED