
OpenLDAP accesslog configuration

First, enable the accesslog overlay when configuring OpenLDAP, before building and installing it:
 

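# --enable-accesslog=yes builds the overlay into slapd statically, so no
# moduleload is needed in slapd.conf (use =mod for a loadable module).
./configure --enable-accesslog=yes --prefix=/usr/local/openldap
make depend
make
make install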
 
OpenLDAP accesslog configuration:
 
 
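#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it holds rootpw in the
# primary database section, so keep it owned by the slapd user, mode 0600.
#
include        /usr/local/openldap/etc/openldap/schema/core.schema
 
# Define global ACLs to disable default read access.
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
 
pidfile        /usr/local/var/run/slapd.pid
argsfile       /usr/local/var/run/slapd.args
 
# Load dynamic backend modules.
# Only needed when the backends/overlays were built as modules
# (configure ...=mod); with --enable-accesslog=yes the overlay is
# compiled in and these stay commented.
#modulepath   /usr/local/libexec/openldap
#moduleload    back_bdb.la
#moduleload    back_hdb.la
#moduleload    accesslog.la
 
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
 
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#              Allow self write access
#              Allow authenticated users read access
#              Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# If no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
 
##############################################
#   Log config #
# 297 = 1 (trace) + 8 (conns) + 32 (filter) + 256 (stats); see the
# loglevel table in slapd.conf(5). Trace output is verbose and puts
# bind DNs and search filters into syslog, so lower it in production.
loglevel 297
##############################################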
 
 
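#######################################################################
# BDB database definitions
#######################################################################
 
######### accesslog database definitions ###############
# slapd.conf has no inline comments: only lines that START with '#'
# are ignored, so "suffix cn=accesslog #(DB schema)" would pass the
# extra tokens to the suffix directive. Keep notes on their own lines.
database        bdb
# Must match the "logdb" value of the accesslog overlay on the
# primary database.
suffix         cn=accesslog
directory      /usr/local/var/openldap-data/accesslog
# Root identity the overlay uses for its internal writes and purges
# (see slapo-accesslog(5)); no rootpw is set, so nothing can bind as it.
rootdn          cn=accesslog
# logpurge searches on reqStart; keep it indexed.
index          reqStart eq
#index          default eq
#index         entryCSN,objectClass,reqEnd,reqResult,reqStart
# Log entries record the request itself (reqMod carries the attribute
# values of write operations), and with no ACL the default policy
# described in the header lets anyone read them. Restrict reads to the
# primary rootdn, as in the slapo-accesslog(5) example; everything
# else falls through to the implicit "by * none".
access to *
        by dn.base="cn=admin,dc=example,dc=com" read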
 
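#########  primary DB definitions #########
database        bdb
suffix         "dc=example,dc=com"
rootdn         "cn=admin,dc=example,dc=com"
# Cleartext password. Generate a hash with slappasswd and use that
# value instead, e.g. "rootpw {SSHA}<slappasswd output>", and keep
# this file unreadable to other users (see the header).
rootpw          pass
directory       /usr/local/var/openldap-data
index          objectClass     eq
# No ACL here, so the default policy from the header applies:
# anyone can read everything, only rootdn can write. Uncomment the
# sample policy in the header to change that.
 
######### accesslog overlay definitions for primary database #########
# Notes must be on their own lines: slapd.conf only ignores lines that
# begin with '#', so "logops writes reads #only record ..." would be
# handed to logops as extra, invalid operation names and
# "logsuccess TRUE #only ..." would give logsuccess too many arguments.
overlay        accesslog
# Suffix of the log database defined above.
logdb            cn=accesslog
# Record only write and read operations. Logging reads stores every
# search filter and makes the log grow quickly, so purging matters.
logops         writes reads
# Record only operations that completed successfully.
logsuccess      TRUE
# logpurge <age> <interval>: remove entries older than 7 days,
# checking once a day.
logpurge       07+00:00 01+00:00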
 