[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: incomplete slapcat

To: openldap-software@OpenLDAP.org
Subject: Re: incomplete slapcat
From: Karsten Künne <kuenne@rentec.com>
Date: Wed, 4 Oct 2006 11:01:17 -0400
Content-disposition: inline
In-reply-to: <45230518.3060308@bnl.gov>
Organization: Renaissance Technologies Corporation
References: <4522B5F4.4090002@bnl.gov> <4AA5240ED975B88B30830BAF@SW-90-717-287-3.stanford.edu> <45230518.3060308@bnl.gov>
User-agent: KMail/1.9.4

On Tuesday 03 October 2006 20:49, Robert Petkus wrote:
...
> I hate making these things long because folks lose interest and stop
> reading but my environment is complex so:
>
> Along with the main database, I am also using monitor and accesslog.
> Recently I began storing ssh public keys in LDAP for use with ssh-lpk.
> This past weekend ~15k accounts were added to LDAP and maybe 700 ssh
> keys (I manage LDAP not account management..).  Replication failed on 2
> nodes.  I noticed on these nodes incoherency because I was using an
> outdated custom schema file (my fault) so I decided to wipe the database
> and reload it from backup.  Not a big deal but I notice that my nightly
> slapcat ldifs (slapcat -n 2 -l ldap.ldif) are polluted with accesslog
> entries that *replace* the original entries.  For example, my account dn
> won't include, say, sshPublicKey, but I'd see a reqMod entry with this
> attribute.
>
> I can see every dn with a ldapsearch but am missing many dns using
> slapcat.  Obversely, when I do slapcat, I get dn attributes from
> accesslog that I can't see with ldapsearch.  It looks like some weird
> cross-pollination of the 2 databases.
>
> Maybe there is something I am missing in my config.  Here is a snippet
> -- the full config is available upon request.
>
> Thanks!

...
> database monitor

> database       bdb
> suffix         cn=changelog
> rootdn         cn=changelog
> rootpw         secret
> directory      /var/lib/accesslog
> index          reqStart         eq
> index          reqAuthzID       eq
> index          reqDN            eq
> index          reqMod           eq
> overlay accesslog
> logdb cn=changelog
> logops writes

> database        bdb
> suffix          "dc=bnl,dc=gov"
> rootdn          "cn=admin,dc=bnl,dc=gov"
> rootpw          {SSHA}secret

> directory       /var/lib/ldap

> sizelimit       unlimited
> cachesize       500000
> idlcachesize    500000

Maybe I'm confused but doesn't the accesslog overlay belong in the main 
database definition? At least that's what I have:

database        hdb
suffix          "cn=log"
.....

database        bdb
suffix          "dc=rentec,dc=com"
....
overlay         accesslog
....
logdb           cn=log
logops          writes
logpurge        30+00:00:00  01+00:00:00
....


Karsten.
-- 
For your penance, say five Hail Marys and one loud BLAH!

Follow-Ups:
- Re: incomplete slapcat
  - From: Robert Petkus <rpetkus@bnl.gov>

References:
- incomplete slapcat
  - From: Robert Petkus <rpetkus@bnl.gov>
- Re: incomplete slapcat
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: incomplete slapcat
  - From: Robert Petkus <rpetkus@bnl.gov>

Prev by Date: Re: incomplete slapcat
Next by Date: Re: incomplete slapcat
Index(es):
- Chronological
- Thread