Sorry for trying to kill three birds with one stone, but...
I've been playing with 2.4 this weekend and discovered the accesslog and ppolicy overlays... But I found a 'bug' (I'm quite certain of it anyway :) with the accesslog overlay.
The 'logops all' config statement does not seem to log ADDS! Neither does 'logops writes' or 'logops add'...
----- s n i p -----
# ------- DB: 'cn=LOG1'
database        bdb
suffix          cn=LOG1
directory       "/var/lib/ldap/cn=log1"
index           reqStart eq
rootdn          "uid=turbo,ou=People,o=Fredriksson,c=SE"

# ------- DB: 'c=SE' (Bayour.COM)
database        hdb
suffix          "c=SE"
directory       "/var/lib/ldap/c=se"
readonly        off
lastmod         on
[...]
overlay         accesslog
logdb           cn=LOG1
logops          all
logold          (objectclass=person)
----- s n i p -----
Full config can be found at http://www.bayour.com/problems/ERROR-slapd_v2.4.conf
Also, I have a problem getting 'cn=Monitor' running. See strace log at 'http://www.bayour.com/problems/ERROR-slapd_v2.4.monitor'.
And how do you actually use the 'pwdAttribute' of the 'pwdPolicy' objectclass? I get 'value #0 invalid per syntax' when I try to use it as 'pwdattribute: userPassword'... See http://www.bayour.com/problems/ERROR-slapd_v2.4.ppolicy for example LDIF and full log output.
Turbo Fredriksson wrote:
> Also, I have a problem getting 'cn=Monitor' running.
Oops, the internal operation that registers specific per-database monitoring runs an anonymous search in the monitor database, but your ACLs disable anonymous access to the monitor database. That operation obviously needs to be privileged.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
Pierangelo Masarati wrote:
> Turbo Fredriksson wrote:
> > Also, I have a problem getting 'cn=Monitor' running.
> Oops, the internal operation that registers specific per-database monitoring runs an anonymous search in the monitor database, but your ACLs disable anonymous access to the monitor database. That operation obviously needs to be privileged.
Actually, the internal search is run as the rootdn, but you didn't configure any for the monitor database, while you should.
p.
Quoting Pierangelo Masarati ando@sys-net.it:
> Pierangelo Masarati wrote:
> > Turbo Fredriksson wrote:
> > > Also, I have a problem getting 'cn=Monitor' running.
> > Oops, the internal operation that registers specific per-database monitoring runs an anonymous search in the monitor database, but your ACLs disable anonymous access to the monitor database. That operation obviously needs to be privileged.
> Actually, the internal search is run as the rootdn, but you didn't configure any for the monitor database, while you should.
I never liked that part, that's why I started using Kerberos (so I didn't have to have rootdn defined).
But can I have different 'rootdn' in my different places (need one for syncrepl too, right?) with random DNs (that don't exist) without any password defined in the config file?
Will any ACLs still be honored?
If I understand all this (we've had this discussion previously a while back - LOONG way back :) this is only for internal use, right?
Turbo Fredriksson wrote:
> Quoting Pierangelo Masarati ando@sys-net.it:
> > Pierangelo Masarati wrote:
> > > Turbo Fredriksson wrote:
> > > > Also, I have a problem getting 'cn=Monitor' running.
> > > Oops, the internal operation that registers specific per-database monitoring runs an anonymous search in the monitor database, but your ACLs disable anonymous access to the monitor database. That operation obviously needs to be privileged.
> > Actually, the internal search is run as the rootdn, but you didn't configure any for the monitor database, while you should.
> I never liked that part, that's why I started using Kerberos (so I didn't have to have rootdn defined).
> But can I have different 'rootdn' in my different places (need one for syncrepl too, right?) with random DNs (that don't exist) without any password defined in the config file?
> Will any ACLs still be honored?
> If I understand all this (we've had this discussion previously a while back - LOONG way back :) this is only for internal use, right?
The rootdn is the rootdn. back-monitor uses it for the internal use I described earlier and for any other use a rootdn is good for. Of course, if you don't provide any means for anyone to authenticate as the rootdn (e.g. no rootpw and no means to map a SASL identity to the rootdn) it will only be used for internal purposes. "cn=Monitor" is just fine, you don't need any particularly fancy name.
p.
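As an added illustration of what Pierangelo describes (this is not Turbo's posted config and not something from the thread), here is a slapd.conf fragment that gives the monitor database a rootdn without a rootpw, so back-monitor's internal registration search runs as a privileged identity while nobody can actually bind as that DN. The ACL granting Turbo's own DN read access to cn=Monitor, and the moduleload line, are assumptions for the sake of the example; only the rootdn value "cn=Monitor" is taken from Pierangelo's reply.

```conf
# Added example: monitor backend with an internal-only rootdn.
# If back-monitor is built as a module, it has to be loaded first
# (assumed path; adjust to the local installation).
moduleload      back_monitor.la

database        monitor
# rootdn is required: back-monitor runs its per-database
# registration search as this identity at startup.
rootdn          "cn=Monitor"
# Deliberately no rootpw and no SASL mapping to this DN, so the
# rootdn exists for internal use only and cannot be bound to.

# Normal ACLs still decide who may read the monitor tree over LDAP.
# The DN below is the one used in Turbo's posted config; any other
# authenticated user and anonymous clients get nothing.
access to dn.subtree="cn=Monitor"
        by dn.exact="uid=turbo,ou=People,o=Fredriksson,c=SE" read
        by * none
```

Once slapd starts cleanly with this in place, a quick check is a base-scope search bound as the DN named in the ACL, e.g. `ldapsearch -H ldap://localhost/ -D "uid=turbo,ou=People,o=Fredriksson,c=SE" -W -b "cn=Monitor" -s base`; an anonymous search against the same base should be refused, which confirms that the ACL, not the rootdn, governs external access.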
Quoting Pierangelo Masarati ando@sys-net.it:
> Of course, if you don't provide any means for anyone to authenticate as the rootdn (e.g. no rootpw
Didn't know you could do that and still make it work, but I'll setup one then. Thanx!
openldap-software@openldap.org