--On Thursday, September 30, 2021 12:53 AM +0100 Howard Chu hyc@symas.com wrote:
> Nick Folino wrote:
>> Yes. Logging now continues to work after changes to config.
>> But - adding levels works on the fly, but removing them doesn't. For instance this works fine:
>> olcLogLevel: stats
>> If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
> That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
That is not the behavior I see in 2.4 or 2.5:
a) I start with loglevel stats, this is what is logged when I search:
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=0 BIND dn="" method=128
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000103 etime=0.000254 text=
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000065 etime=0.000389 nentries=1 text=
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=2 UNBIND
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 fd=13 closed
b) I do an ldapmodify to add olcLogLevel: acl
ldapmodify -x -H ldapi:/// -D cn=config -w secret
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: acl

Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 BIND dn="cn=config" method=128
Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 BIND dn="cn=config" mech=SIMPLE bind_ssf=0 ssf=71
Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000054 etime=0.000739 text=
Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 MOD dn="cn=config"
Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 MOD attr=olcLogLevel
Sep 30 01:31:26 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000160 etime=0.005237 text=
Sep 30 01:31:27 ub18 slapd[5980]: conn=1001 op=2 UNBIND
Sep 30 01:31:27 ub18 slapd[5980]: conn=1001 fd=13 closed
c) I do a search (now at loglevel stats + acl)
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=0 BIND dn="" method=128
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000023 etime=0.000063 text=
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access to "" "objectClass" requested
Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default search access granted to "(anonymous)"
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access granted by read(=rscxd)
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access to "" "entry" requested
Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default read access granted to "(anonymous)"
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access granted by read(=rscxd)
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: result not in cache (objectClass)
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access to "" "objectClass" requested
Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default read access granted to "(anonymous)"
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access granted by read(=rscxd)
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: result was in cache (objectClass)
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000021 etime=0.000294 nentries=1 text=
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=2 UNBIND
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 fd=13 closed
d) I do an ldapmodify to *only* remove ACL level logging (so at loglevel stats at the end):
ldapmodify -x -H ldapi:/// -D cn=config -w secret
dn: cn=config
changetype: modify
delete: olcLogLevel
olcLogLevel: acl

Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 BIND dn="cn=config" method=128
Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 BIND dn="cn=config" mech=SIMPLE bind_ssf=0 ssf=71
Sep 30 01:31:36 ub18 slapd[5980]: fe_op_lastbind: old pwdLastSuccess value=20210930013112Z 24s ago
Sep 30 01:31:36 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:36 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000066 etime=0.001535 text=
Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 MOD dn="cn=config"
Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 MOD attr=olcLogLevel
Sep 30 01:31:48 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 RESULT tag=103 err=0 qtime=0.000097 etime=0.001499 text=
Sep 30 01:31:49 ub18 slapd[5980]: conn=1003 op=2 UNBIND
Sep 30 01:31:49 ub18 slapd[5980]: conn=1003 fd=13 closed
e) I do an ldapsearch (so at loglevel stats):
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=0 BIND dn="" method=128
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000083 etime=0.000179 text=
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000176 etime=0.000428 nentries=1 text=
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=2 UNBIND
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 fd=13 closed
Zero need to restart slapd or use a replace op to reset the logging.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
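
Added example, not part of the original message or of OpenLDAP: a Python check that automates the comparison made by eye in steps (b) through (e), counting ACL trace lines that slapd logs after each successful MOD of olcLogLevel. The function name is hypothetical, the sample lines are abridged from the log excerpts above, and the syslog line layout is assumed to match those excerpts.

```python
import re

# Log lines abridged from the excerpts in the message above (steps b to e).
SAMPLE_LOG = '''\
Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 MOD attr=olcLogLevel
Sep 30 01:31:26 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000160 etime=0.005237 text=
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access to "" "objectClass" requested
Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access granted by read(=rscxd)
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000021 etime=0.000294 nentries=1 text=
Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 MOD attr=olcLogLevel
Sep 30 01:31:48 ub18 slapd[5980]: <= acl_access_allowed: granted to database root
Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 RESULT tag=103 err=0 qtime=0.000097 etime=0.001499 text=
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000176 etime=0.000428 nentries=1 text=
'''

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ slapd\[\d+\]: (.*)$")
OP = re.compile(r"^conn=(\d+) op=(\d+) (.*)$")
# ACL trace lines carry no conn/op prefix: "=> access_allowed:",
# "=> slap_access_allowed:", "<= acl_access_allowed:".
ACL = re.compile(r"^(?:=>|<=) \w*access_allowed:")

def acl_lines_per_loglevel_change(log_text):
    """Return [(time of successful olcLogLevel MOD, ACL lines logged until
    the next such MOD), ...]. The log does not say whether a MOD added or
    deleted a level; a count of 0 means ACL tracing is off afterwards."""
    pending = set()   # (conn, op) of olcLogLevel MODs still awaiting RESULT
    segments = []     # one [timestamp, acl_count] per successful change
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        op = OP.match(msg)
        if op:
            conn, opid, rest = op.groups()
            if rest == "MOD attr=olcLogLevel":
                pending.add((conn, opid))
            elif rest.startswith("RESULT ") and (conn, opid) in pending:
                pending.discard((conn, opid))
                if " err=0 " in rest:   # only a successful MOD changes the level
                    segments.append([stamp, 0])
        elif ACL.match(msg) and segments:
            segments[-1][1] += 1
    return [tuple(s) for s in segments]

if __name__ == "__main__":
    for stamp, count in acl_lines_per_loglevel_change(SAMPLE_LOG):
        print(f"olcLogLevel changed at {stamp}: {count} ACL trace lines followed")
```

The ACL line logged while the delete MOD itself is being processed is counted against the previous change, since the new level only applies once that MOD has returned its RESULT.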