On Tuesday 03 October 2006 20:49, Robert Petkus wrote: ...
I hate making these things long because folks lose interest and stop reading but my environment is complex so:
Along with the main database, I am also using monitor and accesslog. Recently I began storing ssh public keys in LDAP for use with ssh-lpk. This past weekend ~15k accounts were added to LDAP and maybe 700 ssh keys (I manage LDAP not account management..). Replication failed on 2 nodes. I noticed on these nodes incoherency because I was using an outdated custom schema file (my fault) so I decided to wipe the database and reload it from backup. Not a big deal but I notice that my nightly slapcat ldifs (slapcat -n 2 -l ldap.ldif) are polluted with accesslog entries that *replace* the original entries. For example, my account dn won't include, say, sshPublicKey, but I'd see a reqMod entry with this attribute.
I can see every dn with an ldapsearch but am missing many dns using slapcat. Obversely, when I do slapcat, I get dn attributes from accesslog that I can't see with ldapsearch. It looks like some weird cross-pollination of the 2 databases.
Maybe there is something I am missing in my config. Here is a snippet -- the full config is available upon request.
Thanks!
...
database monitor

database bdb
suffix cn=changelog
rootdn cn=changelog
rootpw secret
directory /var/lib/accesslog
index reqStart eq
index reqAuthzID eq
index reqDN eq
index reqMod eq
overlay accesslog
logdb cn=changelog
logops writes

database bdb
suffix "dc=bnl,dc=gov"
rootdn "cn=admin,dc=bnl,dc=gov"
rootpw {SSHA}secret
directory /var/lib/ldap
sizelimit unlimited
cachesize 500000
idlcachesize 500000
Maybe I'm confused but doesn't the accesslog overlay belong in the main database definition? At least that's what I have:
database hdb
suffix "cn=log"
.....

database bdb
suffix "dc=rentec,dc=com"
....
overlay accesslog
....
logdb cn=log
logops writes
logpurge 30+00:00:00 01+00:00:00
....
Karsten.
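
The placement question raised in the reply can be checked mechanically. The following is an added example, not part of either message: a small slapd.conf check that reports an accesslog overlay whose logdb is the suffix of the database it is attached to, or matches no configured suffix. The function names are hypothetical, the two sample configs are constructed by trimming the layouts in the thread, and it assumes one directive per line with no continuation lines.

```python
import shlex

def norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))  # comparable suffix form

def parse_databases(conf):
    """One dict per `database` section: its suffixes and overlays (with options)."""
    dbs, overlay = [], None
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tok = shlex.split(raw)
        key = tok[0].lower()
        if key == "database":
            dbs.append({"type": tok[1], "suffixes": [], "overlays": []})
            overlay = None  # overlays attach to the most recent database only
        elif dbs and key == "suffix":
            dbs[-1]["suffixes"].append(norm(tok[1]))
        elif dbs and key == "overlay":
            overlay = {"name": tok[1].lower(), "opts": {}}
            dbs[-1]["overlays"].append(overlay)
        elif overlay is not None:
            overlay["opts"][key] = tok[1:]  # directives following an overlay line
    return dbs

def check_accesslog(conf):
    """Return findings about where `overlay accesslog` sits relative to its logdb."""
    dbs = parse_databases(conf)
    known = {s for db in dbs for s in db["suffixes"]}
    findings = []
    for db in dbs:
        where = " / ".join(db["suffixes"]) or db["type"]
        for ov in (o for o in db["overlays"] if o["name"] == "accesslog"):
            logdb = ov["opts"].get("logdb")
            if not logdb:
                findings.append(f"{where}: accesslog without logdb")
            elif norm(logdb[0]) in db["suffixes"]:
                findings.append(f"{where}: accesslog logs into the database it is attached to")
            elif norm(logdb[0]) not in known:
                findings.append(f"{where}: logdb {logdb[0]} matches no configured suffix")
    return findings

# Constructed samples, trimmed from the two layouts shown in the thread
POSTED = ('database bdb\nsuffix cn=changelog\noverlay accesslog\n'
          'logdb cn=changelog\nlogops writes\ndatabase bdb\nsuffix "dc=bnl,dc=gov"\n')
SUGGESTED = ('database hdb\nsuffix "cn=log"\ndatabase bdb\nsuffix "dc=rentec,dc=com"\n'
             'overlay accesslog\nlogdb cn=log\nlogops writes\n')
if __name__ == "__main__":
    print(check_accesslog(POSTED), check_accesslog(SUGGESTED))
```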