
Re: Trace the change on the directory [checked for viruses]



Hans Moser wrote:
Hi!

Timur Izhbulatov wrote:
Is it possible on OpenLDAP 2.3.18 to trace the change on the directory, like the new entry or updated entry? It's not for replication, I just want to build a change log file.
See man slapo-accesslog
I tried this and it works.

database        bdb
subordinate
suffix          "ou=log,ou=foo,c=de"
directory       /opt/mail/var/log-data
index reqStart eq

access to dn.base="ou=log,ou=foo,c=de"
 by * write
access to dn.subtree="ou=log,foo,c=de"
 by * write

overlay accesslog
logdb "ou=log,ou=foo,c=de"
logops writes

There are many things wrong here:

1. The overlay is supposed to go on some other database, not the database that stores the log records.
2. The slapo-accesslog(5) manpage also tells you specifically not to allow general write access to the log database.
3. You should always index objectclass eq.
4. You should always provide a rootdn.

But I could define another ACL than the one above (which is very loose), even "by users write" did not work.


=> access_allowed: add access to "ou=log,ou=foo,c=de" "children" requested
[...]
=> dn: [5] ou=log,ou=foo,c=de
=> acl_get: [5] matched
=> acl_get: [5] attr children
=> acl_mask: access to entry "ou=log,ou=foo,c=de", attr "children" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: users
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> access_allowed: add access denied by =0
bdb_add: no write access to parent



Hans




--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
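
The four points above applied to the posted configuration, as an added example that is not part of the original thread and is not Howard's or Hans's own config. The standalone log suffix "cn=log", the main suffix "ou=foo,c=de", the main database directory, both rootdn values and the admin DN are assumptions chosen for illustration.

```conf
# Added example. Assumed values: suffix "cn=log", suffix "ou=foo,c=de",
# /opt/mail/var/main-data, and every rootdn / admin DN below.

# --- Database that stores the log records ---------------------------
# Point 1: no "overlay accesslog" line in this section.
database        bdb
suffix          "cn=log"
directory       /opt/mail/var/log-data
# Point 4: always provide a rootdn.
rootdn          "cn=root,cn=log"
# Point 3: always index objectClass eq.
index           objectClass eq
index           reqStart eq

# Point 2: no general write access to the log database.
# One admin identity may read the records; everyone else gets nothing.
access to *
        by dn.base="cn=admin,ou=foo,c=de" read
        by * none

# --- Database whose changes are to be traced ------------------------
database        bdb
suffix          "ou=foo,c=de"
directory       /opt/mail/var/main-data
rootdn          "cn=admin,ou=foo,c=de"
index           objectClass eq

# Point 1: the overlay is attached to the database being logged
# and points at the log database's suffix.
overlay         accesslog
logdb           "cn=log"
logops          writes
```

Comments are kept on their own lines because slapd.conf treats only lines beginning with '#' as comments. After a restart, `slaptest -f` on the file checks the syntax before any client traffic depends on it.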