[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bind DN not logged with GSSAPI binds (ITS#2283)



At 06:07 PM 1/21/2003, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.1.10
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.66.182.82)
>
>
>Hello,
>
>In the past (due to a previous request, as I recall), openldap would log the
>BIND dn of a person making a GSSAPI connection at loglevel 256.

The authorization DN (which is not necessarily the bind DN) is
logged both at 256 (STATS) and at 1 (TRACE).  The message is
labeled "AUTHZ" in 2.1.12 but will labeled "BIND" in the next
release (for consistency with other messages).

>It correctly
>logs the authcid and the authzid now, but the resulting BIND dn (in the case of
>group memberships) is not being logged.

authzid is the authorization DN used for ACLs, etc..

>It is important to know to what BIND DN
>these two bits of information were eventually resolved to.

A recent software message shows logging is working.
http://www.openldap.org/lists/openldap-software/200301/msg00546.html