Jan Prinsloo wrote:
I have a standalone openldap 2.4.26 setup.
You really should upgrade.
We would like to use the accesslog overlay for auditing.
This is a very good idea. Which costs some performance though.
I have enabled the accesslog overlay with olcAccessLogOps = all.
writes all groups of operations (writes, reads, session) to cn=accesslog
without issues. We would also like to make use of the memberof overlay. The
issue we're seeing is that once you enable the memberof overlay, only
search, unbind, add operations are logged to accesslog. We do not see
delete, modify, modrdn values logged. If I then change the logops to
"olcAccessLogOps = add delete modify modrdn" we see those operations
logged, but no bind, search, unbind operations (ie. no reads or session).
I'd suggest to first upgrade to a recent version.
After that you could try fiddling with the order of the overlays. Personally
I've added slapo-memberof and slapo-refint *after* slapo-accesslog.