I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
Thanks, John
On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro john_espiro@yahoo.com wrote:
I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
OpenLDAP logs to local4, thus you may configure syslog to print slapd logs to a particular logfile. Next set a decent loglevel, stats or acl, grep slapd.log for err=49
-Dieter
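An added example, not part of any poster's message, of the approach described above (stats loglevel, then look for err=49): a bare grep returns only the RESULT line, which carries neither the bind DN nor the client address, so this script joins it to the BIND and ACCEPT lines on their conn=/op= identifiers. The log lines, host name, DNs, addresses and function names are constructed for illustration, and only simple binds are handled.

```shell
#!/bin/sh
# Constructed sample of slapd "stats"-level syslog lines (not from the thread).
sample_log() {
cat <<'EOF'
Feb  2 20:15:01 ldap1 slapd[1234]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Feb  2 20:15:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Feb  2 20:15:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Feb  2 20:15:02 ldap1 slapd[1234]: conn=1002 fd=15 ACCEPT from IP=192.0.2.20:40000 (IP=0.0.0.0:389)
Feb  2 20:15:02 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128
Feb  2 20:15:02 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Feb  2 20:15:03 ldap1 slapd[1234]: conn=1001 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
Feb  2 20:15:03 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Feb  2 20:15:04 ldap1 slapd[1234]: conn=1003 fd=16 ACCEPT from IP=198.51.100.7:40100 (IP=0.0.0.0:389)
Feb  2 20:15:04 ldap1 slapd[1234]: conn=1003 op=0 BIND dn="cn=Svc Openfire,ou=apps,dc=example,dc=com" method=128
Feb  2 20:15:04 ldap1 slapd[1234]: conn=1003 op=0 RESULT tag=97 err=49 text=
EOF
}

# Print "<count> <client-ip> <bind-dn>" for each failed simple bind,
# most frequent first. Reads slapd log lines on stdin.
failed_binds() {
  awk '
    # Value of the first whitespace-delimited token starting with key=
    function field(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    # Remember the peer address of each connection, without the port
    / ACCEPT from / { ip = field("IP"); sub(/:[0-9]+$/, "", ip); peer[field("conn")] = ip }
    # Remember the DN of each bind request; the DN may contain spaces
    / BIND dn=/ {
      if (match($0, /dn="[^"]*"/))
        who[field("conn") "/" field("op")] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    # tag=97 is the bind response, err=49 is invalidCredentials
    / RESULT tag=97 / && field("err") == "49" {
      c = field("conn")
      fails[peer[c] " " who[c "/" field("op")]]++
    }
    END { for (f in fails) print fails[f], f }
  ' | sort -rn
}

sample_log | failed_binds
```

Against a live server the input would be the file that syslog writes local4 messages to, for example `failed_binds < /var/log/slapd.log` (path assumed).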
On 2/2/2011 8:13 PM, Dieter Kluenter wrote:
On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro john_espiro@yahoo.com wrote:
I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
OpenLDAP logs to local4, thus you may configure syslog to print slapd logs to a particular logfile. Next set a decent loglevel, stats or acl, grep slapd.log for err=49
-Dieter
Thanks for this, it makes sense. Where do I put the loglevel parameter? I don't have a slapd.conf, but I do have /etc/ldap.conf -- but putting it in there doesn't seem to have any effect.
John,
Are you attempting to log on a client?
- chris
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message ----- From: openldap-technical-bounces@OpenLDAP.org openldap-technical-bounces@OpenLDAP.org To: openldap-technical@openldap.org openldap-technical@openldap.org Sent: Wed Feb 02 12:48:00 2011 Subject: Re: Logging to syslog
On 2/2/2011 8:13 PM, Dieter Kluenter wrote:
On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro john_espiro@yahoo.com wrote:
I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
OpenLDAP logs to local4, thus you may configure syslog to print slapd logs to a particular logfile. Next set a decent loglevel, stats or acl, grep slapd.log for err=49
-Dieter
Thanks for this, it makes sense. Where do I put the loglevel parameter? I don't have a slapd.conf, but I do have /etc/ldap.conf -- but putting it in there doesn't seem to have any effect.
On 2/2/2011 8:13 PM, Dieter Kluenter wrote:
On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro john_espiro@yahoo.com wrote:
I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
OpenLDAP logs to local4, thus you may configure syslog to print slapd logs to a particular logfile. Next set a decent loglevel, stats or acl, grep slapd.log for err=49
-Dieter
Thanks for this, it makes sense. Where do I put the loglevel parameter? I don't have a slapd.conf, but I do have /etc/ldap.conf -- but putting it in there doesn't seem to have any effect.
John
You have to configure the syslog.conf file; most of the time it is located in /etc
There, you have to add a line something like this (just an example):
local4.* -/var/log/my_ldap_erros.log
Then reload the syslog process
Manuel R.H.
On 2/2/2011 9:05 PM, Manuel Rodríguez Hernández wrote:
John
You have to configure the syslog.conf file; most of the time it is located in /etc
There, you have to add a line something like this (just an example):
local4.* -/var/log/my_ldap_erros.log
Then reload the syslog process
Manuel R.H.
Yep, got that... thanks. But where do I set the loglevel? My installation of openldap on Ubuntu doesn't have a slapd.conf.
John
On Wed, 02 Feb 2011 21:35:38 +0100, John Espiro john_espiro@yahoo.com wrote:
On 2/2/2011 9:05 PM, Manuel Rodríguez Hernández wrote:
John
You have to configure the syslog.conf file; most of the time it is located in /etc
There, you have to add a line something like this (just an example):
local4.* -/var/log/my_ldap_erros.log
Then reload the syslog process
Manuel R.H.
Yep, got that... thanks. But where do I set the loglevel? My installation of openldap on Ubuntu doesn't have a slapd.conf.
Ubuntu uses cn=config; this database can be modified by means of the LDAP protocol, and you may use ldapmodify in order to modify the config database. I have written a little Perl script to modify loglevel; it can be found here: http://pastebin.de/14489
-Dieter
On Wednesday, 2 February 2011 21:48:00 John Espiro wrote:
On 2/2/2011 8:13 PM, Dieter Kluenter wrote:
On Wed, 02 Feb 2011 19:43:27 +0100, John Espiro john_espiro@yahoo.com wrote:
I have tied in a few things such as openid-ldap and openfire to use my ldap backend for authentication. I am wondering if it is possible to collect error logs for any invalid attempt that a user tries with these various applications. Rather than handling it at the application level, can I get openldap to log these events? If so, can someone point me to a link that explains it?
OpenLDAP logs to local4, thus you may configure syslog to print slapd logs to a particular logfile. Next set a decent loglevel, stats or acl, grep slapd.log for err=49
-Dieter
Thanks for this, it makes sense. Where do I put the loglevel parameter? I don't have a slapd.conf, but I do have /etc/ldap.conf -- but putting it in there doesn't seem to have any effect.
1) Please see your distribution's documentation for how they configure OpenLDAP by default.
2) If I were to guess (since you didn't supply much useful information, such as whether this is Ubuntu, Fedora, or RHEL6), it would be that you should read 'man slapd-config' and search for olcLoglevel, and that you may have an /etc/ldap/slapd.d or /etc/openldap/slapd.d directory (which you shouldn't modify, slapd is supposed to do that). You *may* be able to modify this by default over the "wire" with a SASL EXTERNAL bind to the URI ldapi:/// as the root user.
So, this may work:
# echo -e 'URI ldapi:///\nSASL_MECH EXTERNAL' > ~/.ldaprc
# echo -e 'dn: cn=config\nreplace: olcLogLevel\nolcLogLevel: stats'|ldapmodify
Or not.
But, they should have made this abundantly clear to you.
(I personally feel that distributions defaulting to back-config at present is premature, or under-documented in the distribution.)
Regards, Buchan