-----Original Message----- From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de Sent: Thu 16.10.2014 13:46 Subject: Q: accesslog and sessions To: openldap-technical@openldap.org;
Hi!
I have configured accesslog for modification (attempts) in a multi-master configuration. Comparing accesslogs after some changes, I find some issues (OpenLDAP 2.4.26 of SLES11 SP3):
On the originating server the "reqSession" varies with the connection made, while on a replication consumer the "reqSession" seems fixed (always 2 in one case).
'cause of replication.
Also on the originating server I see the authenticated DN in "reqAuthzID", while on the replication consumer it seems to be always "cn=Admin,dc=example,dc=org". "reqStart" and "reqEnd" are also local for the LDAP server.
'cause the repl consumer writes to the database as admin user.
Now at least I have a problem with "reqSession": If you examine accesslog at some later time, those volatile session IDs don't tell you anything anymore (e.g. the host that opened the connection). Could accesslog be modified to add some details from the session (like monitorConnectionPeerAddress, monitorConnectionStartTime)?
Regards, Ulrich Windl
This would be a very nice feature, indeed.
Uwe Werler wrote:
-----Original Message----- From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Now at least I have a problem with "reqSession": If you examine accesslog at some later time, those volatile session IDs don't tell you anything anymore (e.g. the host that opened the connection). Could accesslog be modified to add some details from the session (like monitorConnectionPeerAddress, monitorConnectionStartTime)?
RTFM and turn on session logging.
This would be a very nice feature, indeed.
Howard Chu hyc@symas.com wrote on 16.10.2014 at 16:18 in message
Uwe Werler wrote:
-----Original Message----- From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Now at least I have a problem with "reqSession": If you examine accesslog at some later time, those volatile session IDs don't tell you anything anymore (e.g. the host that opened the connection). Could accesslog be modified to add some details from the session (like monitorConnectionPeerAddress, monitorConnectionStartTime)?
RTFM and turn on session logging.
Terse as always: You are referring to the log directive? If not, what are you referring to? What would your proposal change?
This would be a very nice feature, indeed.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Howard Chu wrote:
Uwe Werler wrote:
-----Original Message----- From: Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de
Now at least I have a problem with "reqSession": If you examine accesslog at some later time, those volatile session IDs don't tell you anything anymore (e.g. the host that opened the connection). Could accesslog be modified to add some details from the session (like monitorConnectionPeerAddress, monitorConnectionStartTime)?
RTFM and turn on session logging.
AFAICS object class 'auditBind' does not have any attributes related to the client connection URI or client IP address.
If configured with parameter 'session_track_control' web2ldap sends the Session Tracking Control [1] with each request. This also appears in attribute 'reqControls' of the accesslog and contains the IP address of the client connected to web2ldap. This is only useful if the LDAP client is kind of a gateway though.
Ciao, Michael.
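The "session logging" Howard points at is slapd's own connection log: reqSession in accesslog is slapd's internal connection id, the same number as conn=N in the stats-level syslog lines, and the ACCEPT line for that connection carries the peer address. The following is an added example (not code from this thread or from OpenLDAP) with constructed sample data that joins the two to answer "which host opened the connection":

```python
import re

# Constructed sample data (not taken from the thread): one slapo-accesslog
# entry in LDIF form and a few slapd syslog lines at loglevel "stats".
ACCESSLOG_LDIF = """\
dn: reqStart=20141016114601.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20141016114601.000001Z
reqSession: 1042
reqAuthzID: uid=ulrich,ou=people,dc=example,dc=org
reqDN: uid=alice,ou=people,dc=example,dc=org
"""
SLAPD_LOG = """\
Oct 16 13:45:59 ldap1 slapd[2231]: conn=1042 fd=18 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Oct 16 13:46:00 ldap1 slapd[2231]: conn=1042 op=0 BIND dn="uid=ulrich,ou=people,dc=example,dc=org" method=128
Oct 16 13:47:10 ldap1 slapd[2231]: conn=1043 fd=19 ACCEPT from IP=[2001:db8::11]:40001 (IP=[::]:389)
"""
# Only the ACCEPT line names the peer; the IP= value is either an IPv4
# literal or a bracketed IPv6 literal, followed by the source port.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[0-9a-fA-F:]+\]|[0-9.]+):(\d+)")

def parse_accesslog(ldif):
    """Split LDIF text into entries; returns a list of {attribute: first value}."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, value)
        entries.append(entry)
    return entries

def peers_by_conn(log):
    """Map slapd connection id -> 'ip:port' of the client, taken from ACCEPT lines."""
    peers = {}
    for line in log.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            peers[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
    return peers

def resolve_sessions(ldif, log):
    """For each accesslog entry return (reqSession, reqAuthzID, peer or None)."""
    # Connection ids start over when slapd restarts, so the join is only
    # meaningful against log lines from the same slapd lifetime as reqStart.
    peers = peers_by_conn(log)
    return [(e["reqSession"], e.get("reqAuthzID"), peers.get(e["reqSession"]))
            for e in parse_accesslog(ldif)]
```

On a replication consumer the same join yields the syncrepl connection rather than the original client, which is why Ulrich sees a fixed reqSession there.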