Enable the production of the OpenLDAP log file

Goal: In this third part of the «OpenLDAP tutorial», we enable the production of logs. To do so we must change the default configuration of the server. Producing OpenLDAP logs is very important for monitoring and for the proper operation of this server.

Prerequisite: the OpenLDAP server is installed with its default configuration, on GNU/Linux Debian, Ubuntu or a compatible system (cf. parts 1 and 2 of this «OpenLDAP tutorial» series).

1. Enable the production of server logs

sudo ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel -LLL > slapdlog.ldif

This command creates the slapdlog.ldif file, whose content is the result of the LDAP query executed by the ldapsearch utility:

dn: cn=config
olcLogLevel: none

The first line contains the DN (distinguished name), which is the unique identifier of the entry. The second line contains the single attribute requested by the query, with the value none: the production of log files is disabled by default.

Modify that file so that its content becomes:

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats

This LDIF (LDAP Data Interchange Format) file now contains a modify command: the second line says we want to change the entry, the third line indicates that we replace the content of the olcLogLevel attribute, and the fourth gives the new value of this attribute. The stats level logs connections, operations and results, which is well suited to daily monitoring.

To apply this command file to the server, we use:

sudo ldapmodify -Y external -H ldapi:/// -f slapdlog.ldif

If we get the message modifying entry "cn=config", the operation was successful.

To check the result:

sudo ldapsearch -Y external -H ldapi:/// -b cn=config "(objectClass=olcGlobal)" olcLogLevel

This new setting is taken into account immediately by the server; no restart is required. The server sends the produced logs to the system log management mechanism, which is rsyslog on recent versions of Debian / Ubuntu.

2. Handling OpenLDAP logs in rsyslog

Create a configuration file in the folder /etc/rsyslog.d/; choose any name, 10-slapd.conf for example. The number at the start of the name orders the files in this folder. This file contains the following settings:

$template slapdtmpl,"[%$DAY%-%$MONTH%-%$YEAR% %timegenerated:12:19:date-rfc3339%] %app-name% %syslogseverity-text% %msg%\n"
local4.*    /var/log/slapd.log;slapdtmpl

The chosen name slapdtmpl refers to the template that defines the layout of each line written to the log file. The local4 facility is the one slapd uses by default when it sends messages to syslog.

For details on creating rsyslog templates, consult the manual:

man rsyslog.conf

See in particular the TEMPLATES section.

Finally, restart rsyslog for the new settings to take effect:

sudo service rsyslog restart

3. Test this functionality of the OpenLDAP server

Run a query, then view the contents of the file /var/log/slapd.log:

sudo ldapsearch -Y external -H ldapi:/// -b dc=ldaptuto,dc=net
sudo cat /var/log/slapd.log

You should see a fair amount of content showing the work done by the OpenLDAP server to produce the query result.
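As an added example (not part of the original tutorial), the following Python script reads lines in the slapdtmpl layout from a file such as /var/log/slapd.log and uses the conn/op identifiers of the stats level to tie each BIND result back to the client address, counting failed binds per source. The sample log lines, addresses and DN are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/slapd.log lines in the slapdtmpl layout
# "[DD-MM-YYYY HH:MM:SS] app-name severity msg" at olcLogLevel: stats.
SAMPLE_LOG = """\
[05-03-2024 14:22:31] slapd debug conn=1000 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
[05-03-2024 14:22:31] slapd debug conn=1000 op=0 BIND dn="cn=admin,dc=ldaptuto,dc=net" method=128
[05-03-2024 14:22:31] slapd debug conn=1000 op=0 RESULT tag=97 err=49 text=
[05-03-2024 14:22:32] slapd debug conn=1000 fd=12 closed
[05-03-2024 14:22:40] slapd debug conn=1001 fd=13 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
[05-03-2024 14:22:40] slapd debug conn=1001 op=0 BIND dn="cn=admin,dc=ldaptuto,dc=net" method=128
[05-03-2024 14:22:40] slapd debug conn=1001 op=0 RESULT tag=97 err=49 text=
[05-03-2024 14:23:05] slapd debug conn=1002 fd=14 ACCEPT from IP=192.0.2.77:40210 (IP=0.0.0.0:389)
[05-03-2024 14:23:05] slapd debug conn=1002 op=0 BIND dn="cn=admin,dc=ldaptuto,dc=net" method=128
[05-03-2024 14:23:05] slapd debug conn=1002 op=0 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+\S+\s+\S+\s+(?P<msg>conn=(?P<conn>\d+)\s.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>\[[^\]]+\]|[^:\s]+):\d+")
BIND_RE = re.compile(r"op=(?P<op>\d+) BIND dn=\"(?P<dn>[^\"]*)\"")
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")

def bind_failures(log_text):
    """Return {(client_ip, bind_dn): failed_bind_count} for the given log text."""
    conn_ip = {}          # conn id -> client IP taken from its ACCEPT line
    pending = {}          # (conn, op) -> DN of a BIND whose RESULT is not yet seen
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue      # not a stats line in the slapdtmpl layout
        conn, msg = m["conn"], m["msg"]
        if a := ACCEPT_RE.search(msg):
            conn_ip[conn] = a["ip"]
        elif b := BIND_RE.search(msg):
            pending[(conn, b["op"])] = b["dn"]
        elif r := RESULT_RE.search(msg):
            dn = pending.pop((conn, r["op"]), None)
            # tag=97 is a BindResponse; err=49 is invalidCredentials
            if dn is not None and r["err"] == "49":
                failures[(conn_ip.get(conn, "?"), dn)] += 1
    return failures

def suspicious_sources(log_text, threshold=2):
    """Client addresses whose failed binds (any DN) reach the threshold."""
    per_ip = Counter()
    for (ip, _dn), n in bind_failures(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)
```

Reading the real file instead of SAMPLE_LOG only requires passing open("/var/log/slapd.log").read() to the functions.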
