I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
Here's my config.
    overlay accesslog
    logdb cn=accesslog
    logops bind
    logsuccess TRUE
    # scan the accesslog DB every day, and purge entries older than 90 days
    logpurge 90+00:00 01+00:00
The accesslog DB is populated and I can query for BIND operations, however the only BIND operations that get recorded are BINDS to the LDAP server itself. BINDS to clients do not get recorded in the accesslog. Is this the advertised behavior of the accesslog?
-Mike
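For the configuration in the message above (logops bind, logsuccess TRUE), one way to reduce the accesslog entries to a last-bind time per DN. This is an added example, not part of the thread: it runs over a constructed LDIF sample, assumes the standard accesslog attributes reqStart, reqDN and reqResult, and can only report binds that were made to slapd and therefore logged.

```python
import base64
from datetime import datetime, timezone

def entries(ldif):
    """Yield each LDIF entry as a dict of attribute -> first value."""
    for block in ldif.replace("\n ", "").split("\n\n"):  # unfold, then split
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr, value.strip())
        if entry:
            yield entry

def last_binds(ldif):
    """Map each bind DN to the UTC datetime of its latest successful bind."""
    latest = {}
    for e in entries(ldif):
        dn = e.get("reqDN", "").lower()   # crude DN normalisation (assumption)
        if not dn or e.get("reqResult") != "0":
            continue                      # skip anonymous or failed binds
        when = datetime.strptime(e["reqStart"], "%Y%m%d%H%M%S.%fZ")
        when = when.replace(tzinfo=timezone.utc)
        latest[dn] = max(when, latest.get(dn, when))
    return latest

# Constructed sample, shaped like ldapsearch LDIF output for a search of
# cn=accesslog with the filter (objectClass=auditBind). Not real log data.
_ZOE = base64.b64encode("uid=zo\u00eb,ou=people,dc=example,dc=com".encode()).decode()
SAMPLE_LDIF = f"""\
dn: reqStart=20140211090000.000001Z,cn=accesslog
reqStart: 20140211090000.000001Z
reqDN: uid=alice,ou=people,dc=example,dc=com
reqResult: 0

dn: reqStart=20140212143000.000002Z,cn=accesslog
reqStart: 20140212143000.000002Z
reqDN: uid=Alice,ou=People,dc=exam
 ple,dc=com
reqResult: 0

dn: reqStart=20140212150000.000003Z,cn=accesslog
reqStart: 20140212150000.000003Z
reqDN:: {_ZOE}
reqResult: 0
"""
```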
On Tue, 11 Feb 2014 23:56:23 -0500, Michael mlstarling31@hotmail.com wrote:
> I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
> Here's my config.
>     overlay accesslog
>     logdb cn=accesslog
>     logops bind
>     logsuccess TRUE
>     # scan the accesslog DB every day, and purge entries older than 90 days
>     logpurge 90+00:00 01+00:00
> The accesslog DB is populated and I can query for BIND operations, however the only BIND operations that get recorded are BINDS to the LDAP server itself. BINDS to clients do not get recorded in the accesslog. Is this the advertised behavior of the accesslog?
Yes, slapd has no knowledge of the system environment.
-Dieter
On Feb 12, 2014, at 3:07 AM, "Dieter Klünter" dieter@dkluenter.de wrote:
> On Tue, 11 Feb 2014 23:56:23 -0500, Michael mlstarling31@hotmail.com wrote:
>> I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
>> Here's my config.
>>     overlay accesslog
>>     logdb cn=accesslog
>>     logops bind
>>     logsuccess TRUE
>>     # scan the accesslog DB every day, and purge entries older than 90 days
>>     logpurge 90+00:00 01+00:00
>> The accesslog DB is populated and I can query for BIND operations, however the only BIND operations that get recorded are BINDS to the LDAP server itself. BINDS to clients do not get recorded in the accesslog. Is this the advertised behavior of the accesslog?
> Yes, slapd has no knowledge of the system environment.
> -Dieter
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N 10°08'02,42"E
Well that just put a damper on my day. Do you have any other suggestions on how to capture all BINDS in a particular environment?
-Mike
Michael wrote:
> On Feb 12, 2014, at 3:07 AM, "Dieter Klünter" dieter@dkluenter.de wrote:
>> On Tue, 11 Feb 2014 23:56:23 -0500, Michael mlstarling31@hotmail.com wrote:
>>> I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
> Well that just put a damper on my day. Do you have any other suggestions on how to capture all BINDS in a particular environment?
Ditch the lobotomized build that RedHat provides and compile it yourself. It will work better than the RedHat build anyway, since they've crippled theirs so much.
Date: Wed, 12 Feb 2014 14:20:09 -0800
From: hyc@symas.com
To: mlstarling31@hotmail.com; dieter@dkluenter.de
CC: openldap-technical@openldap.org
Subject: Re: slapo-accesslog
> Michael wrote:
>> On Feb 12, 2014, at 3:07 AM, "Dieter Klünter" dieter@dkluenter.de wrote:
>>> On Tue, 11 Feb 2014 23:56:23 -0500, Michael mlstarling31@hotmail.com wrote:
>>>> I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
>> Well that just put a damper on my day. Do you have any other suggestions on how to capture all BINDS in a particular environment?
> Ditch the lobotomized build that RedHat provides and compile it yourself. It will work better than the RedHat build anyway, since they've crippled theirs so much.
> --
>   -- Howard Chu
>   CTO, Symas Corp. http://www.symas.com
>   Director, Highland Sun http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP http://www.openldap.org/project/
If that was an option I would have done that a long time ago. I guess I'll be scraping system logs.
-Mike
2014-02-12 5:56 GMT+01:00 Michael mlstarling31@hotmail.com:
> I'm trying to configure a means to be able to get the lastlogin time for users in my environment. However, since I'm stuck using the RHEL version of OpenLDAP I can't take advantage of the "lastbind overlay".
You can have a look at LTB packages. The "contrib" RPM includes the lastbind overlay.
See http://ltb-project.org/wiki/documentation/openldap-rpm
Clément.