Jan Prinsloo wrote:
> I have a standalone openldap 2.4.26 setup.
You really should upgrade.
> We would like to use the accesslog overlay for auditing.
This is a very good idea, which costs some performance though.
> I have enabled the accesslog overlay with olcAccessLogOps = all. This writes all groups of operations (writes, reads, session) to cn=accesslog without issues. We would also like to make use of the memberof overlay. The issue we're seeing is that once you enable the memberof overlay, only search, unbind, add operations are logged to accesslog. We do not see delete, modify, modrdn values logged. If I then change the logops to "olcAccessLogOps = add delete modify modrdn" we see those operations logged, but no bind, search, unbind operations (i.e. no reads or session).
I'd suggest to first upgrade to a recent version.
After that you could try fiddling with the order of the overlays. Personally I've added slapo-memberof and slapo-refint *after* slapo-accesslog.
Ciao, Michael.
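One way to check an exported cn=config for the overlay order suggested above (memberof and refint configured after accesslog), as an added example that is not part of the original thread. The database name, suffix and sample LDIF are constructed, and the thread does not confirm that this order resolves the logging problem.

```python
import re

# Constructed sample: trimmed cn=config export (e.g. from `slapcat -n 0`) for one
# hypothetical database, with memberof and refint configured after accesslog.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcSuffix: dc=example,dc=com

dn: olcOverlay={0}accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcAccessLogConfig
olcAccessLogDB: cn=accesslog
olcAccessLogOps: all

dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf

dn: olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
objectClass: olcRefintConfig
"""

# The {n} prefix in an overlay's DN records the order it was configured in.
OVERLAY_DN = re.compile(
    r"^dn:\s*olcOverlay=\{(\d+)\}([^,]+),(olcDatabase=[^,]+),cn=config\s*$",
    re.I | re.M,
)

def overlay_order(ldif):
    """Map each database DN component to its overlay names in {n} order."""
    unfolded = ldif.replace("\n ", "")  # LDIF continuation lines start with a space
    per_db = {}
    for idx, name, db in OVERLAY_DN.findall(unfolded):
        per_db.setdefault(db, []).append((int(idx), name.lower()))
    return {db: [n for _, n in sorted(ovs)] for db, ovs in per_db.items()}

def check_order(ldif, later=("memberof", "refint")):
    """Per database with accesslog: overlays from `later` configured before it."""
    findings = {}
    for db, names in overlay_order(ldif).items():
        if "accesslog" in names:
            pos = names.index("accesslog")
            findings[db] = [n for n in names[:pos] if n in later]
    return findings

if __name__ == "__main__":
    for db, early in check_order(SAMPLE_LDIF).items():
        print(db, "OK" if not early else "configured before accesslog: %s" % early)
```

An empty list for a database means accesslog comes before the other two overlays there.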