
Re: Trace the change on the directory [checked for viruses]



Hi Howard!

Howard Chu wrote:

There are many things wrong here:

1. The overlay is supposed to go on some other database, not the database that stores the log records.
You mean: "Don't log changes from ou=log in ou=log!"?
I snipped out the main db. This is the db I want to be logged (which worked).


database        bdb
suffix          "ou=foo,c=de"
rootdn          "cn=gen.man,ou=foo,c=de"
rootpw          nothing
directory       /opt/mail/var/main-data
# Indices to maintain
[...]
logdb "ou=log,ou=foo,c=de"
logops writes

2. The slapo-accesslog(5) manpage also tells you specifically not to allow general write access to the log database.
I did not try 2.3.24 but 2.3.19, and can't find it there, either in the man page or on the web.

3. You should always index objectclass eq.
Ok.

4. You should always provide a rootdn.
Ok.

[compare - isn't that a contradiction to ?
-> http://www.openldap.org/software/man.cgi?query=slapd.conf&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
"It is recommended that the rootdn only be specified when needed (such as when initially populating a database). If the rootdn is within a namingContext (suffix) of the database, a simple bind password may also be provided using the rootpw directive. Note that the rootdn is always needed when using syncrepl."]


Now it works without the acls.
Thanks for clarifying that.

Hans