Sent: Fri Jun 15 2012 10:45:55 GMT-0400 (EDT)
From: Francesco Belli <Francesco.Belli@vegaspace.com>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: Access Log: dynamic configuration problems.

Hello everybody,

I'm using OpenLDAP version 2.4.24 (4 Oct 2011) on a RedHat 6 machine. I use dynamic configuration and I'm having some problems setting up the accesslog overlay. I didn't change the following files in etc/openldap/slapd.d/cn=config/:
olcDatabase={-1}frontend.ldif
olcDatabase={0}config.ldif
olcDatabase={1}monitor.ldif

I moved olcDatabase={2}bdb.ldif to olcDatabase={3}bdb.ldif, so that it is loaded after the access log database, which is defined in the new olcDatabase={2}bdb.ldif.

Here are the two configuration files:

######### olcDatabase={2}bdb.ldif ###############
dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/accesslog/
olcSuffix: cn=accesslog
olcAccess: {0}to dn.subtree="cn=accesslog" by dn.exact="uid=manager,ou=Users,dc=domain,dc=com" manage by dn.exact="cn=config" read
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=accesslog
olcSizeLimit: unlimited
olcTimeLimit: unlimited
olcMonitoring: TRUE
olcDbCacheSize: 10000
olcDbCheckpoint: 64 5
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 10000
olcDbIndex: entryCSN eq
olcDbIndex: objectClass eq
olcDbIndex: reqEnd eq
olcDbIndex: reqResult eq
olcDbIndex: reqStart eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

######### olcDatabase={3}bdb.ldif ###############
dn: olcDatabase={3}bdb
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {3}bdb
olcSuffix: dc=domain,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=Manager, dc=domain,dc=com
olcRootPW: pippopippo
olcSyncUseSubentry: FALSE
olcMonitoring: TRUE
olcDbDirectory: /var/lib/ldap
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: objectClass pres,eq
olcDbIndex: cn pres,eq,sub
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: mail pres,eq,sub
olcDbIndex: ou pres,eq,sub
olcDbIndex: loginShell pres,eq
olcDbIndex: sn pres,eq,sub
olcDbIndex: givenName pres,eq,sub
olcDbIndex: memberUid pres,eq,sub
olcDbIndex: nisMapName pres,eq,sub
olcDbIndex: nisMapEntry pres,eq,sub
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0
structuralObjectClass: olcBdbConfig
entryUUID: 9ef24df8-376a-1031-947f-692d47ac0213
creatorsName: cn=config
createTimestamp: 20120521082800Z
entryCSN: 20120521082800.652940Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521082800Z
olcOverlay: syncprov
olcSpCheckpoint: 50 10
olcSpSessionlog: 100
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00

When I run slapd -d 1 I obtain the following error, which makes slapd terminate:

backend_startup_one: starting "cn=accesslog"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap/accesslog/: (2).
Expect poor performance for suffix "cn=accesslog".
bdb_db_open: database "cn=accesslog": dbenv_open(/var/lib/ldap/accesslog/).
backend_startup_one: starting "dc=domain,dc=com"
bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=domain,dc=com".
bdb_db_open: database "dc=domain,dc=com": dbenv_open(/var/lib/ldap).
accesslog: "logdb <suffix>" missing or invalid.
backend_startup_one (type=bdb, suffix="dc=domain,dc=com"): bi_db_open failed! (1)
slapd shutdown: initiated

It seems that for some reason slapd doesn't like the olcAccessLogDB directive specified in olcDatabase={3}bdb.ldif. I tried some other configurations (I think that this one is the most correct), but the problem is always there.

Thanks for any help,
Francesco

And this is why you shouldn't be modifying those files by hand :-)
olcOverlay (and all the attributes you have listed after it) are not valid on an olcDatabaseConfig object. You need to create subentries under that olcDatabase with objectClass=olcOverlayConfig.

Please see http://www.openldap.org/doc/admin24/replication.html for whatever type of replication you're doing.
It's called "dynamic configuration" for a reason. Shutting openldap down and messing with its config database files is not "dynamic configuration". You should be performing these changes while openldap is running through `ldapmodify` (or whatever tool you prefer). Then when you try and do invalid things like this, openldap will come back with an error telling you what went wrong.

-Patrick
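
The overlay child entries described in the reply above, written as LDIF for a running server. This is an added example, not part of the original thread. It assumes the database DN and overlay settings from the first post, that the overlay lines have already been removed from the olcDatabase={3}bdb entry, and that both overlays are built in or already loaded.

```ldif
# Added example, not from the thread.
# Assumptions: the main database is olcDatabase={3}bdb,cn=config as in the
# post; the olcOverlay, olcSp* and olcAccessLog* lines are no longer on that
# entry; syncprov and accesslog are compiled in or loaded via olcModuleLoad.
# Apply while slapd is running, for example as root over ldapi
# (overlays.ldif is a hypothetical file name):
#   ldapadd -Y EXTERNAL -H ldapi:/// -f overlays.ldif

# syncprov overlay as a child entry of the database entry
dn: olcOverlay=syncprov,olcDatabase={3}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 50 10
olcSpSessionlog: 100

# accesslog overlay as a second child entry; olcAccessLogDB must match the
# olcSuffix of the log database (cn=accesslog in olcDatabase={2}bdb)
dn: olcOverlay=accesslog,olcDatabase={3}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
olcAccessLogPurge: 07+00:00 01+00:00
```

Because the entries are added through the protocol, slapd validates them against the cn=config schema and returns an error for an attribute that does not belong to the entry's object classes.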