On Tue, Jun 25, 2019 at 07:33:59PM +0200, Michael Ströder wrote:
> On 6/25/19 7:08 PM, Quanah Gibson-Mount wrote:
>> Another way to do this would be to set up an accesslog database backend and the slapo-accesslog overlay on your primary DB, and log all operations (not just success). This would also allow you to inspect what values the client is providing.
>
> AFAIK this only helps if the modify request reaches the backend.

Sure, but most reasons it doesn't reach the overlay should be logged already.

> If the slapd frontend already rejects a request (e.g. invalid DN or schema violation) there is no auditModify entry to look at.

For an otherwise LDAP conformant modify PDU with no controls attached, only an invalid DN/invalid attribute name would make that happen and I'd hope both generate useful messages in the response (preferably) or at least in the relevant logs.

Regards,