Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
Nick
On Wed, Sep 29, 2021 at 5:49 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, September 29, 2021 9:17 AM -0400 Nick Folino nick@folino.us wrote:
I don't know what the expected results should be, but changing olcLogLevel while running causes all logging to the specified file to stop.
Logging starts with the new level upon restart.
This should now be fixed. :)
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Nick Folino wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
Nick
On Wed, Sep 29, 2021 at 5:49 PM Quanah Gibson-Mount <quanah@symas.com mailto:quanah@symas.com> wrote:
--On Wednesday, September 29, 2021 9:17 AM -0400 Nick Folino <nick@folino.us <mailto:nick@folino.us>> wrote: > > I don't know what the expected results should be, but changing > olcLogLevel while running causes all logging to the specified file to > stop. > > Logging starts with the new level upon restart. This should now be fixed. :) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>
Got it. Tested and working as you described. Thank you!
Nick
On Wed, Sep 29, 2021 at 6:53 PM Howard Chu hyc@symas.com wrote:
Nick Folino wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to
the log. No restart required.
If I change it back to "stats" I keep getting ACL data until the
directory is restarted.
That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
Nick
On Wed, Sep 29, 2021 at 5:49 PM Quanah Gibson-Mount <quanah@symas.com
mailto:quanah@symas.com> wrote:
--On Wednesday, September 29, 2021 9:17 AM -0400 Nick Folino <nick@folino.us <mailto:nick@folino.us>> wrote: > > I don't know what the expected results should be, but changing > olcLogLevel while running causes all logging to the specified fileto
> stop. > > Logging starts with the new level upon restart. This should now be fixed. :) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered byOpenLDAP:
<http://www.symas.com>-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Thursday, September 30, 2021 12:53 AM +0100 Howard Chu hyc@symas.com wrote:
Nick Folino wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
That is not the behavior I see in 2.4 or 2.5:
a) I start with loglevel stats, this is what is logged when I search:
Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=0 BIND dn="" method=128 Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000103 etime=0.000254 text= Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000065 etime=0.000389 nentries=1 text= Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 op=2 UNBIND Sep 30 01:30:53 ub18 slapd[5980]: conn=1000 fd=13 closed
b) I do an ldapmodify to add olcLogLevel: acl
ldapmodify -x -H ldapi:/// -D cn=config -w secret
dn: cn=config changetype: modify add: olcLogLevel olcLogLevel: acl
Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 BIND dn="cn=config" method=128 Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 BIND dn="cn=config" mech=SIMPLE bind_ssf=0 ssf=71 Sep 30 01:31:12 ub18 slapd[5980]: conn=1001 op=0 RESULT tag=97 err=0 qtime=0.000054 etime=0.000739 text= Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 MOD dn="cn=config" Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 MOD attr=olcLogLevel Sep 30 01:31:26 ub18 slapd[5980]: <= acl_access_allowed: granted to database root Sep 30 01:31:26 ub18 slapd[5980]: conn=1001 op=1 RESULT tag=103 err=0 qtime=0.000160 etime=0.005237 text= Sep 30 01:31:27 ub18 slapd[5980]: conn=1001 op=2 UNBIND Sep 30 01:31:27 ub18 slapd[5980]: conn=1001 fd=13 closed
c) I do a search (now at loglevel stats + acl)
Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=0 BIND dn="" method=128 Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=0 RESULT tag=97 err=0 qtime=0.000023 etime=0.000063 text= Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access to "" "objectClass" requested Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default search access granted to "(anonymous)" Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: search access granted by read(=rscxd) Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access to "" "entry" requested Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default read access granted to "(anonymous)" Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access granted by read(=rscxd) Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: result not in cache (objectClass) Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access to "" "objectClass" requested Sep 30 01:31:30 ub18 slapd[5980]: => slap_access_allowed: backend default read access granted to "(anonymous)" Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: read access granted by read(=rscxd) Sep 30 01:31:30 ub18 slapd[5980]: => access_allowed: result was in cache (objectClass) Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000021 etime=0.000294 nentries=1 text= Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 op=2 UNBIND Sep 30 01:31:30 ub18 slapd[5980]: conn=1002 fd=13 closed
d) I do an ldapmodify to *only* remove ACL level logging (so at loglevel stats at the end):
ldapmodify -x -H ldapi:/// -D cn=config -w secret dn: cn=config changetype: modify delete: olcLogLevel olcLogLevel: acl
Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 BIND dn="cn=config" method=128 Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 BIND dn="cn=config" mech=SIMPLE bind_ssf=0 ssf=71 Sep 30 01:31:36 ub18 slapd[5980]: fe_op_lastbind: old pwdLastSuccess value=20210930013112Z 24s ago Sep 30 01:31:36 ub18 slapd[5980]: <= acl_access_allowed: granted to database root Sep 30 01:31:36 ub18 slapd[5980]: <= acl_access_allowed: granted to database root Sep 30 01:31:36 ub18 slapd[5980]: conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000066 etime=0.001535 text= Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 MOD dn="cn=config" Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 MOD attr=olcLogLevel Sep 30 01:31:48 ub18 slapd[5980]: <= acl_access_allowed: granted to database root Sep 30 01:31:48 ub18 slapd[5980]: conn=1003 op=1 RESULT tag=103 err=0 qtime=0.000097 etime=0.001499 text= Sep 30 01:31:49 ub18 slapd[5980]: conn=1003 op=2 UNBIND Sep 30 01:31:49 ub18 slapd[5980]: conn=1003 fd=13 closed
e) I do an ldapsearch (so at loglevel stats):
Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 fd=13 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi) Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=0 BIND dn="" method=128 Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000083 etime=0.000179 text= Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000176 etime=0.000428 nentries=1 text= Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 op=2 UNBIND Sep 30 01:31:52 ub18 slapd[5980]: conn=1004 fd=13 closed
Zero need to restart slapd or use a replace op to reset the logging.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Quanah Gibson-Mount wrote:
--On Thursday, September 30, 2021 12:53 AM +0100 Howard Chu hyc@symas.com wrote:
Nick Folino wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
That is not the behavior I see in 2.4 or 2.5:
The code has been like that since 2007.
dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4038) /* Explicitly setting a zero clears all the levels */ dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4039) if ( level ) dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4040) config_syslog |= level; dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4041) else dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4042) config_syslog = 0;
On Sep 29, 2021, at 8:09 PM, Howard Chu hyc@symas.com wrote:
Quanah Gibson-Mount wrote:
--On Thursday, September 30, 2021 12:53 AM +0100 Howard Chu hyc@symas.com wrote:
Nick Folino wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
That's the normal way it has always worked. If you want to remove flags, you must first explicitly set it to zero, and then set your desired level in a subsequent Modify request.
That is not the behavior I see in 2.4 or 2.5:
The code has been like that since 2007.
dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4038) /* Explicitly setting a zero clears all the levels */ dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4039) if ( level ) dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4040) config_syslog |= level; dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4041) else dda5e199043 (Howard Chu 2007-05-05 01:22:29 +0000 4042) config_syslog = 0;
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
This is not the way it works for loglevel, is the point. The current behavior is a regression vs 2.5 and 2.4.
--On Wednesday, September 29, 2021 7:36 PM -0400 Nick Folino nick@folino.us wrote:
Yes. Logging now continues to work after changes to config.
But - adding levels works on the fly, but removing them doesn't. For instance this works fine: olcLogLevel: stats
If I change it to "stats ACL" then the ACL data starts getting added to the log. No restart required. If I change it back to "stats" I keep getting ACL data until the directory is restarted.
This should now be fixed.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
-
Howard Chu -
Nick Folino -
Quanah Gibson-Mount