Philip Colmer wrote:
> I've been asked to log & track changes made to our LDAP system. My initial thought was to use the auditlog overlay as it outputs to a text file, thus making it relatively straightforward to parse, but a 2009 discussion (http://www.openldap.org/lists/openldap-technical/200911/msg00092.html) suggested a potential problem, namely no logging of time and name for deletes.
> Replies to that discussion suggested the use of accesslog instead. However, that logs to a database, which isn't really what I'm after. A 2011 discussion (http://www.openldap.org/lists/openldap-technical/201104/msg00084.html) sought answers similar to the one I'm looking for now, namely: is there a way of getting changes logged into a text file?

Run ldapsearch against the log database.

Or skip the flat text file altogether and just use the ldapsearch API - then you don't need to do any text-based parsing at all, the entry is already in an in-memory structure.

> One of the replies (from Quanah) suggested ldap-stats.pl, but I'm not looking for stats - I'm looking for the actual changes being made.
> Since both of those discussions are quite old, I was wondering if there was any up-to-date advice regarding best practice for the sort of information I'm trying to capture?
> Thanks.
> Philip
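The reply's suggestion, querying the accesslog database with ldapsearch and working with the returned entries rather than scraping a text log, as an added example in Python that is not part of the thread. It parses the LDIF that `ldapsearch -LLL` prints for a `cn=log` database into change records (who changed which DN, when, with which attribute modifications and what result), which is the information the original question asks for, and can render each record as one line for a flat audit file if one is still wanted. The attribute names (reqStart, reqEnd, reqType, reqDN, reqAuthzID, reqMod, reqResult) and the `attr:<+|-|=|#> value` form of reqMod are those documented in slapo-accesslog(5); the `cn=log` suffix, the ldapsearch invocation in the comment, the DNs and the sample entries are constructed for this example and assume accesslog is configured with `logops writes`.

```python
"""Turn ldapsearch output from an OpenLDAP accesslog database into change
records. Added example, not code from the thread or from OpenLDAP."""
import base64
import re
from dataclasses import dataclass, field

# Constructed sample of what a query such as
#   ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b cn=log \
#     '(&(objectClass=auditWriteObject)(reqStart>=20240115000000.000000Z))'
# might print (assumes accesslog with suffix cn=log and "logops writes").
# ldapsearch base64-encodes values that are not safe ASCII ("attr:: ...").
_B64_MOD = base64.b64encode("cn:+ Zoë".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = """\
dn: reqStart=20240115103000.000001Z,cn=log
objectClass: auditModify
reqStart: 20240115103000.000001Z
reqEnd: 20240115103000.000123Z
reqType: modify
reqSession: 42
reqAuthzID: cn=admin,dc=example,dc=com
reqDN: uid=jdoe,ou=people,dc=example,dc=com
reqMod: mail:= jdoe@example.com
reqMod: description:- old description
reqMod: entryCSN:= 20240115103000.000001Z#000000#000#000000
reqResult: 0

dn: reqStart=20240115103500.000002Z,cn=log
objectClass: auditDelete
reqStart: 20240115103500.000002Z
reqEnd: 20240115103500.000045Z
reqType: delete
reqSession: 42
reqAuthzID: cn=admin,dc=example,dc=com
reqDN: uid=old,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20240115104000.000003Z,cn=log
objectClass: auditAdd
reqStart: 20240115104000.000003Z
reqType: add
reqSession: 43
reqAuthzID: uid=svc-hr,ou=services,dc=example,dc=com
reqDN: uid=new,ou=people,dc=example,dc=com
reqMod: objectClass:+ inetOrgPerson
reqMod: uid:+ new
reqMod:: {B64}
reqResult: 0
""".replace("{B64}", _B64_MOD)

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")
# reqMod value: "<attribute>:<opcode> <value>", opcode + - = or #
MOD_RE = re.compile(r"^([^:]+):([+\-=#])\s?(.*)$")
MOD_NAMES = {"+": "add", "-": "delete", "=": "replace", "#": "increment"}


@dataclass
class Change:
    start: str    # reqStart, the generalized time the operation began
    op: str       # reqType: add, delete, modify or modrdn
    dn: str       # reqDN, the entry that was changed
    actor: str    # reqAuthzID, the identity that made the change
    result: str   # reqResult, LDAP result code (0 = success)
    mods: list = field(default_factory=list)  # (attribute, opcode, value)


def _unfold(text):
    """Join LDIF continuation lines (a leading space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of records, each a list of (attribute, value) pairs."""
    records, current = [], []
    for line in _unfold(text) + [""]:      # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":                     # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        current.append((attr, value))
    return records


def changes_from_ldif(text):
    """Keep only write operations and lift them into Change records."""
    changes = []
    for rec in parse_ldif(text):
        attrs = {}
        for a, v in rec:
            attrs.setdefault(a.lower(), []).append(v)
        op = attrs.get("reqtype", [""])[0]
        if op not in ("add", "delete", "modify", "modrdn"):
            continue                        # binds/searches are not changes
        mods = []
        for raw in attrs.get("reqmod", []):
            mm = MOD_RE.match(raw)
            if mm:
                mods.append((mm.group(1), mm.group(2), mm.group(3)))
        changes.append(Change(start=attrs["reqstart"][0], op=op,
                              dn=attrs["reqdn"][0],
                              actor=attrs.get("reqauthzid", ["(anonymous)"])[0],
                              result=attrs.get("reqresult", ["?"])[0],
                              mods=mods))
    return changes


def format_change(c):
    """One text record per change, for a flat audit file if one is wanted."""
    head = f"{c.start} {c.op.upper():<7} {c.dn} by {c.actor} result={c.result}"
    body = "".join(f"\n    {MOD_NAMES.get(op, op)} {attr}: {val}"
                   for attr, op, val in c.mods)
    return head + body


if __name__ == "__main__":
    for change in changes_from_ldif(SAMPLE_LDIF):
        print(format_change(change))
```

Deletes carry reqStart and reqAuthzID like every other write, which is exactly the time and name the auditlog overlay was reported to omit. Operator-maintained attributes such as entryCSN show up in reqMod of a modify and can be filtered out before writing the record if only user-visible changes are of interest.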