Hi,

For each LDAP BIND operation, the slapd server logs a significant amount of output (> 10 log lines). Is there a way to silence, redirect or configure these logs, or the BIND operation itself?
Thanks, Teja
--On Tuesday, February 22, 2022 12:23 AM +0000 vtejaswini1@gmail.com wrote:
Hi,

For each LDAP BIND operation, the slapd server logs a significant amount of output (> 10 log lines). Is there a way to silence, redirect or configure these logs, or the BIND operation itself?
Sounds like there is something wrong with your system. I see only 2 lines for a BIND operation. Example connection:
2022-02-22T17:19:16.578010+00:00 ub18 slapd[1302]: conn=1020 fd=15 ACCEPT from PATH=/var/symas/run/ldapi (PATH=/var/symas/run/ldapi)
2022-02-22T17:19:16.578563+00:00 ub18 slapd[1302]: conn=1020 op=0 BIND dn="cn=config" method=128
2022-02-22T17:19:16.578870+00:00 ub18 slapd[1302]: conn=1020 op=0 BIND dn="cn=config" mech=SIMPLE bind_ssf=0 ssf=71
2022-02-22T17:19:16.579127+00:00 ub18 slapd[1302]: conn=1020 op=0 RESULT tag=97 err=0 qtime=0.000052 etime=0.000341 text=
2022-02-22T17:19:16.579368+00:00 ub18 slapd[1302]: conn=1020 op=1 SRCH base="cn=subschema" scope=0 deref=0 filter="(objectClass=*)"
2022-02-22T17:19:16.579614+00:00 ub18 slapd[1302]: conn=1020 op=1 SRCH attr=+
2022-02-22T17:19:16.583697+00:00 ub18 slapd[1302]: conn=1020 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000054 etime=0.005981 nentries=1 text=
2022-02-22T17:19:16.588143+00:00 ub18 slapd[1302]: conn=1020 op=2 UNBIND
2022-02-22T17:19:16.588630+00:00 ub18 slapd[1302]: conn=1020 fd=15 closed
I'm running a process to get metrics from the LDAP server; it authenticates, which in turn triggers the BIND operation.
Each time I try to get metrics, I see the logs below:
610aa641 conn=1136 op=0 BIND dn="cn=monitoruser,dc=la,dc=myapplication,dc=myorg" mech=EXTERNAL sasl_ssf=0 ssf=256
610aa641 conn=1136 op=0 RESULT tag=97 err=0 text=
610aa641 conn=1136 op=1 SRCH base="cn=Operations,cn=Monitor" scope=3 deref=0 filter="(objectClass=*)"
610aa641 conn=1136 op=1 SRCH attr=* +
610aa641 conn=1136 op=1 SEARCH RESULT tag=101 err=0 nentries=10 text=
610aa641 conn=1136 op=2 UNBIND
610aa641 conn=1136 fd=17 closed
610aa647 conn=1140 fd=17 ACCEPT from IP=10.1.143.195:56840 (IP=0.0.0.0:1636)
TLS: can't accept: error:1408F09C:SSL routines:ssl3_get_record:http request.
610aa647 conn=1140 fd=17 closed (TLS negotiation failure)
610aa650 conn=1146 fd=17 ACCEPT from IP=10.1.16.57:44886 (IP=0.0.0.0:1636)
610aa650 conn=1146 fd=17 TLS established tls_ssf=256 ssf=256
610aa650 conn=1146 op=0 BIND dn="" method=163
610aa650 conn=1146 op=0 BIND authcid="cn=monitoruser" authzid="cn=monitoruser"
610aa650 conn=1146 op=0 BIND dn="cn=monitoruser,dc=la,dc=myapplication,dc=myorg" mech=EXTERNAL sasl_ssf=0 ssf=256
610aa650 conn=1146 op=0 RESULT tag=97 err=0 text=
610aa650 conn=1146 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
610aa650 conn=1146 op=1 WHOAMI
610aa650 conn=1146 op=1 RESULT oid= err=0 text=
610aa650 conn=1146 op=2 UNBIND
610aa650 conn=1146 fd=17 closed
610aa650 conn=1147 fd=17 ACCEPT from IP=10.1.61.55:44890 (IP=0.0.0.0:1636)
610aa650 conn=1147 fd=17 TLS established tls_ssf=256 ssf=256
610aa650 conn=1147 op=0 BIND dn="" method=163
610aa650 conn=1147 op=0 BIND authcid="cn=monitoruser" authzid="cn=monitoruser"
Is there a way to silence these logs for the monitoruser or just enable them when debugging the system?
Would appreciate any ideas/workarounds on this subject.
Thanks! Teja
--On Wednesday, February 23, 2022 4:34 PM +0000 vtejaswini1@gmail.com wrote:
I'm running a process to get metrics from the LDAP server; it authenticates, which in turn triggers the BIND operation.
Each time I try to get metrics, I see the logs below:
Is there a way to silence these logs for the monitoruser or just enable them when debugging the system?
You can change the loglevel to "none" instead of "stats" if you don't want logs generated.
--Quanah
I would like to have lower-level logs for troubleshooting, i.e. when I configure LDAP at the debug log level. Can we move the log messages that I highlighted in my earlier response to the debug log level? When not debugging, general logs for information and security audit are sufficient to expose. What do you say?
/Teja
--On Wednesday, February 23, 2022 9:26 PM +0000 vtejaswini1@gmail.com wrote:
I would like to have lower-level logs for troubleshooting, i.e. when I configure LDAP at the debug log level. Can we move the log messages that I highlighted in my earlier response to the debug log level? When not debugging, general logs for information and security audit are sufficient to expose. What do you say?
I think OpenLDAP ships with a variety of loglevels and debug levels, and you should find what works for your environment. Disk space is generally cheap and I generally prefer to have stats+sync logging on at all times so that I can troubleshoot issues when they occur and generate useful information from the logs.
--Quanah
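The thread ends without a per-user answer, and there is none inside slapd: the loglevel is a global setting, so "stats" either records every connection or none. An added example (my own code, not from the thread or from OpenLDAP) of the workaround a practitioner would reach for instead: keep "stats" on, as Quanah recommends, and drop the monitoring account's connections downstream, in whatever consumes the syslog stream. The catch is that ACCEPT and TLS lines arrive before the BIND that names the user, so the filter must be stateful per conn=N: buffer a connection until its BIND identifies the user, then drop or flush the whole thing. The monitoring identities, the constructed conn=1150 and the uid=alice DN are assumptions for the demonstration; the other sample lines are copied from the log posted earlier in the thread.

```python
"""Stateful filter that removes a monitoring account's connections from
slapd 'stats' log lines while leaving every other connection intact.
Added example; not code from the thread or from OpenLDAP."""
import re
import sys

# Assumption: how the monitoring account appears in BIND lines (full DN after
# SASL mapping, and the bare SASL authcid before mapping).
MONITOR_IDS = {
    "cn=monitoruser,dc=la,dc=myapplication,dc=myorg",
    "cn=monitoruser",
}

CONN_RE = re.compile(r"\bconn=(\d+)\b")
BIND_ID_RE = re.compile(r'\bBIND (?:dn|authcid)="([^"]*)"')
CLOSED_RE = re.compile(r"\bfd=\d+ closed\b")


def filter_monitor_conns(lines, monitor_ids=MONITOR_IDS):
    """Return (kept, dropped) lists of slapd stats lines.

    Lines carrying conn=N are buffered until a BIND on that connection names
    a user. A monitoring identity drops the buffer and everything that follows
    on that connection; any other identity flushes the buffer and lets later
    lines through. Connections that close without naming a user (TLS failures,
    anonymous probes) are kept, as are lines with no conn= token at all
    (slapd logs some TLS errors without one).
    """
    ids = {i.lower() for i in monitor_ids}
    kept, dropped = [], []
    pending = {}   # conn id -> lines seen before any bind identity was known
    decision = {}  # conn id -> True to keep, False to drop

    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            kept.append(line)
            continue
        conn = m.group(1)

        if conn in decision:
            (kept if decision[conn] else dropped).append(line)
            if CLOSED_RE.search(line):
                del decision[conn]  # conn ids are reused; forget the verdict
            continue

        pending.setdefault(conn, []).append(line)
        b = BIND_ID_RE.search(line)
        if b and b.group(1):  # dn="" is just the first step of a SASL bind
            keep = b.group(1).lower() not in ids
            decision[conn] = keep
            (kept if keep else dropped).extend(pending.pop(conn))
        elif CLOSED_RE.search(line):
            kept.extend(pending.pop(conn))  # closed before naming anyone

    for buffered in pending.values():  # still open at end of input: keep
        kept.extend(buffered)
    return kept, dropped


# Sample input: conn 1136, 1140 and 1146 as posted in the thread, plus a
# constructed conn=1150 for an ordinary user whose lines must survive.
SAMPLE_LOG = """\
610aa641 conn=1136 op=0 BIND dn="cn=monitoruser,dc=la,dc=myapplication,dc=myorg" mech=EXTERNAL sasl_ssf=0 ssf=256
610aa641 conn=1136 op=0 RESULT tag=97 err=0 text=
610aa641 conn=1136 op=1 SRCH base="cn=Operations,cn=Monitor" scope=3 deref=0 filter="(objectClass=*)"
610aa641 conn=1136 op=1 SRCH attr=* +
610aa641 conn=1136 op=1 SEARCH RESULT tag=101 err=0 nentries=10 text=
610aa641 conn=1136 op=2 UNBIND
610aa641 conn=1136 fd=17 closed
610aa647 conn=1140 fd=17 ACCEPT from IP=10.1.143.195:56840 (IP=0.0.0.0:1636)
TLS: can't accept: error:1408F09C:SSL routines:ssl3_get_record:http request.
610aa647 conn=1140 fd=17 closed (TLS negotiation failure)
610aa650 conn=1146 fd=17 ACCEPT from IP=10.1.16.57:44886 (IP=0.0.0.0:1636)
610aa650 conn=1146 fd=17 TLS established tls_ssf=256 ssf=256
610aa650 conn=1146 op=0 BIND dn="" method=163
610aa650 conn=1146 op=0 BIND authcid="cn=monitoruser" authzid="cn=monitoruser"
610aa650 conn=1146 op=0 BIND dn="cn=monitoruser,dc=la,dc=myapplication,dc=myorg" mech=EXTERNAL sasl_ssf=0 ssf=256
610aa650 conn=1146 op=0 RESULT tag=97 err=0 text=
610aa650 conn=1146 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
610aa650 conn=1146 op=1 WHOAMI
610aa650 conn=1146 op=1 RESULT oid= err=0 text=
610aa650 conn=1146 op=2 UNBIND
610aa650 conn=1146 fd=17 closed
610aa651 conn=1150 fd=18 ACCEPT from IP=10.1.2.3:50000 (IP=0.0.0.0:1636)
610aa651 conn=1150 fd=18 TLS established tls_ssf=256 ssf=256
610aa651 conn=1150 op=0 BIND dn="uid=alice,dc=la,dc=myapplication,dc=myorg" method=128
610aa651 conn=1150 op=0 BIND dn="uid=alice,dc=la,dc=myapplication,dc=myorg" mech=SIMPLE ssf=256
610aa651 conn=1150 op=0 RESULT tag=97 err=0 text=
610aa651 conn=1150 op=1 UNBIND
610aa651 conn=1150 fd=18 closed
"""

if __name__ == "__main__":
    # Pipe real slapd output in, or run with no stdin to filter the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    kept, dropped = filter_monitor_conns(source.splitlines())
    print("\n".join(kept))
    print(f"# dropped {len(dropped)} monitor lines", file=sys.stderr)
```

On the sample, the monitoring connections 1136 and 1146 disappear entirely (18 lines), while the TLS-failure connection 1140, its bare "TLS: can't accept" line and alice's connection are kept (10 lines). Two caveats worth keeping in mind: the filter keys on the identity in the BIND line, so a connection that binds first as an ordinary user and later rebinds as the monitor keeps its first verdict, and the downstream copy is the only place the monitor's traffic is absent, so keep the unfiltered stream if the audit trail needs to stay complete.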
openldap-technical@openldap.org