On Tue, Jun 25, 2019 at 07:33:59PM +0200, Michael Ströder wrote:
> On 6/25/19 7:08 PM, Quanah Gibson-Mount wrote:
> > Another way to do this would be to set up an accesslog database backend
> > and the slapo-accesslog overlay on your primary DB, and log all
> > operations (not just success). This would also allow you to inspect
> > what values the client is providing.
>
> AFAIK this only helps if the modify request reaches the backend.

Sure, but most reasons it doesn't reach the overlay should be logged
already.

> If the slapd frontend already rejects a request (e.g. invalid DN or
> schema violation) there is no auditModify entry to look at.

For an otherwise LDAP conformant modify PDU with no controls attached,
only an invalid DN/invalid attribute name would make that happen and I'd
hope both generate useful messages in the response (preferably) or at
least in the relevant logs.

Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation
http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
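
The accesslog setup suggested in the quoted message, written out as an added slapd.conf example that is not part of this thread. The suffixes, directory path and admin DN are assumptions; the directives are those documented in slapo-accesslog(5).

```conf
# Added example, not from the thread. Paths, suffixes and DNs are assumed.

# Only needed when the overlay is built as a module (assumption).
moduleload accesslog

# Log database: holds one entry per logged operation.
database   mdb
suffix     cn=accesslog
directory  /var/lib/ldap/accesslog
rootdn     cn=accesslog
index      reqStart,reqResult eq
# Logged entries carry the values clients sent (reqMod), which can
# include password changes, so restrict who may read them.
access to *
    by dn.exact="cn=admin,dc=example,dc=com" read
    by * none

# Primary database with the overlay attached.
database   mdb
suffix     dc=example,dc=com
directory  /var/lib/ldap/primary
rootdn     cn=admin,dc=example,dc=com

overlay    accesslog
logdb      cn=accesslog
# Record every operation type, not only writes.
logops     all
# FALSE (the default) logs failed requests as well as successful ones;
# TRUE would keep only operations that returned result code 0.
logsuccess FALSE
# Remove log entries older than 7 days, checking once a day.
logpurge   07+00:00 01+00:00

# As noted in the thread, a request the slapd frontend rejects before it
# reaches the overlay leaves no auditModify entry in cn=accesslog.
```

Failed modifications can then be found by searching `cn=accesslog` for `auditModify` entries whose `reqResult` is not 0 and reading `reqDN`, `reqMod` and `reqMessage`.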