Hello!
I have configured accesslog to log all changes to an LDAP server, and that seems to work for months. Recently I noticed that there were no new entries for more than a week. Usually there are several entries per day, because with password policy every bad login attempt is logged. As we have three multi-master servers, I wonder whether changes made to other servers and replicated to the local server will be logged by accesslog also. Are the password policy updates (which are somewhat special) also replicated to all servers?
As a matter of fact, I got some new entries today (as if the system knew I wanted to report the problem today ;-))
But the first entry for this month was stamped "20160413051836.000002Z", so there were no entries for almost two weeks. The server has connections from 9 clients with each client having 1 to 64 connections to the server open (so the server does not seem to be very idle).
Can anybody share some insights on that? As we use BDB for accesslog, I had a look yesterday, and the "*.bdb" files had an "old date", while the redo log and the "__db.*" files had a current date. I learned that changes done to a file via mmap() don't update the modification time of the file on Linux, so maybe the file date doesn't say much. At least the redo log's timestamp of the main database seems to match that of the accesslog database (which seems good).
Regards, Ulrich
--On Thursday, April 14, 2016 9:25 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
Hello!
I have configured accesslog to log all changes to an LDAP server, and that seems to work for months. Recently I noticed that there were no new entries for more than a week. Usually there are several entries per day, because with password policy every bad login attempt is logged. As we have three multi-master servers, I wonder whether changes made to other servers and replicated to the local server will be logged by accesslog also. Are the password policy updates (which are somewhat special) also replicated to all servers?
Have you read over the slapo-ppolicy(5) man page?
The "OPERATIONAL ATTRIBUTES" section is interesting. I can't tell how it's supposed to operate in an MMR environment.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Quanah Gibson-Mount quanah@zimbra.com wrote on 15.04.2016 at 03:40 in
message <92BBFC2841F84321102D00F6@[192.168.1.19]>:
Have you read over the slapo-ppolicy(5) man page?
You answered a question with a question; from what I read it should be replicated in an MMR environment:
--
Note that the current IETF Password Policy proposal does not define how these operational attributes are expected to behave in a replication environment. In general, authentication attempts on a slave server only affect the copy of the operational attributes on that slave and will not affect any attributes for a user's entry on the master server. Operational attribute changes resulting from authentication attempts on a master server will usually replicate to the slaves (and also overwrite any changes that originated on the slave). These behaviors are not guaranteed and are subject to change when a formal specification emerges.
--
From my understanding changes to one master should be replicated to other masters.
The question that remains open is whether there is any special treatment of ppolicy entries for accesslog.
Regards, Ulrich
<http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a... 0&manpath=OpenLDAP+2.4-Release&format=html>
The "OPERATIONAL ATTRIBUTES" section is interesting. I can't tell how it's supposed to operate in an MMR environment.
So maybe read the manual also ;-)
Ulrich
Quanah Gibson-Mount wrote:
Have you read over the slapo-ppolicy(5) man page?
The "OPERATIONAL ATTRIBUTES" section is interesting. I can't tell how it's supposed to operate in an MMR environment.
Probably Ulrich is referring to the internal write operations sent by slapo-ppolicy setting attribute 'pwdFailureTime'. Those are indeed also written to accesslog database. I also use this to detect failed logins in case I don't want to log all bind operations.
Ciao, Michael.
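An added example (not from this thread or from the OpenLDAP project) of what Michael describes and what Ulrich was looking for: picking failed binds out of an accesslog database by matching auditModify records whose reqMod adds a pwdFailureTime value. The LDIF sample is constructed; in practice the input would be the output of an ldapsearch against the accesslog suffix (assumed here to be cn=accesslog).

```python
import re
# Constructed sample of slapo-accesslog entries (plain LDIF, no base64 or folded
# lines), not captured from a real server. slapo-ppolicy records each failed
# bind as an internal modify that adds a pwdFailureTime value.
SAMPLE_LDIF = """\
dn: reqStart=20160413051836.000002Z,cn=accesslog
objectClass: auditModify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:+ 20160413051836Z

dn: reqStart=20160413051912.000005Z,cn=accesslog
objectClass: auditModify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:+ 20160413051912Z

dn: reqStart=20160413052000.000007Z,cn=accesslog
objectClass: auditModify
reqDN: uid=alice,ou=people,dc=example,dc=com
reqMod: pwdFailureTime:-

dn: reqStart=20160413060000.000009Z,cn=accesslog
objectClass: auditModify
reqDN: uid=bob,ou=people,dc=example,dc=com
reqMod: mail:= bob@example.com
"""
# reqMod value syntax per slapo-accesslog(5): "attr:<+|-|=|#> value"
MOD_RE = re.compile(r"^(?P<attr>[^:]+):(?P<op>[+\-=#]) ?(?P<val>.*)$")

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attr -> list of values."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():          # a blank line separates entries
            entries.append({})
            continue
        attr, _, val = line.partition(":")
        entries[-1].setdefault(attr, []).append(val.strip())
    return [e for e in entries if e]

def failed_logins(text):
    """Map reqDN -> pwdFailureTime values added by ppolicy; op '-' (a reset) is ignored."""
    hits = {}
    for e in parse_ldif(text):
        if "auditModify" not in e.get("objectClass", []):
            continue
        for mod in e.get("reqMod", []):
            m = MOD_RE.match(mod)
            if m and m["attr"] == "pwdFailureTime" and m["op"] == "+":
                hits.setdefault(e["reqDN"][0], []).append(m["val"])
    return hits
```

Running failed_logins on the sample yields two failed binds for alice and none for bob, since bob's record modifies an unrelated attribute and the third alice record removes pwdFailureTime rather than adding it.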
openldap-technical@openldap.org