Re: Trace the change on the directory [auf Viren überprüft]

[Howard Chu <hyc@symas.com>]

Hans Moser wrote:
> Hi!
>
> Timur Izhbulatov schrieb:
> > > Is it possible on openLdap 2.3.18 to trace the change on the 
> > > directory like the new entry or updated entry ? it's not for 
> > > replication , I just want to build a change log file.
> > See man slapo-accesslog
> I tried this and it works.
>
> database        bdb
> subordinate
> suffix          "ou=log,ou=foo,c=de"
> directory       /opt/mail/var/log-data
> index reqStart eq
>
> access to dn.base="ou=log,ou=foo,c=de"
>  by * write
> access to dn.subtree="ou=log,foo,c=de"
>  by * write
>
> overlay accesslog
> logdb "ou=log,ou=foo,c=de"
> logops writes
There are many things wrong here:

1. The overlay is supposed to go on some other database, not the 
database that stores the log records.
2. The slapo-accesslog(5) manpage also tells you specifically not to 
allow general write access to the log database.
3. You should always index objectclass eq.
4. You should always provide a rootdn.
> But I could define another acl then the one above (which is very 
> loose), even "by users write" did not work.
>
> => access_allowed: add access to "ou=log,ou=foo,c=de" "children" 
> requested
> [...]
> => dn: [5] ou=log,ou=foo,c=de
> => acl_get: [5] matched
> => acl_get: [5] attr children
> => acl_mask: access to entry "ou=log,ou=foo,c=de", attr "children" 
> requested
> => acl_mask: to all values by "", (=0)
> <= check a_dn_pat: users
> <= acl_mask: no more <who> clauses, returning =0 (stop)
> => access_allowed: add access denied by =0
> bdb_add: no write access to parent
>
>
> Hans


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/