
List:       fedora-directory-users
Subject:    Re: [389-users] Not able to enable audit logs
From:       Mark Reynolds <mareynol () redhat ! com>
Date:       2015-06-15 13:22:02
Message-ID: 557ED17A.3040705 () redhat ! com


On 06/15/2015 05:23 AM, Prashant Bapat wrote:
> There is no error. It goes through fine. When I restart the LDAP server
> after adding it, there is nothing in the audit file. And no entry in
> the dse.ldif.
Are you directly modifying the dse.ldif?  If so, you MUST do so while 
the server is stopped, otherwise the change is lost.  The best way is to 
use ldapmodify:

Example:

# ldapmodify -D "cn=directory manager" -W -p PORT -h HOST
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
Enabling the audit log should log the change to enable it, so after 
making this update the audit log should not be empty 
(/var/log/dirsrv/slapd-INSTANCE/audit).

Mark


>
> On 15 June 2015 at 13:39, German Parente <gparente@redhat.com 
> <mailto:gparente@redhat.com>> wrote:
>
>     Hi Prashant,
>
>     it should work in the same way. Are you having an error doing your
>     ldapmodify?
>
>     There's no specific entry for nsslapd-auditlog-logging-enabled.
>
>     nsslapd-auditlog-logging-enabled is an attribute of cn=config entry.
>
>     You should be able to query it by this command:
>
>     ldapsearch -xLLL -D "cn=directory manager" -W -b "cn=config" -s
>     base nsslapd-auditlog-logging-enabled
>     dn: cn=config
>     nsslapd-auditlog-logging-enabled: on
>
>     Regards,
>
>     German.
>
>
>     ----- Original Message -----
>     > From: "Prashant Bapat" <prashant@apigee.com
>     <mailto:prashant@apigee.com>>
>     > To: "389-users" <389-users@lists.fedoraproject.org
>     <mailto:389-users@lists.fedoraproject.org>>
>     > Sent: Monday, June 15, 2015 9:56:48 AM
>     > Subject: [389-users] Not able to enable audit logs
>     >
>     > Hi,
>     >
>     > I have a setup of master-master replicated 389 DS installations as part of
>     > FreeIPA.
>     >
>     > This is the version of the 389-ds : 389-ds-base-1.3.3.8-1.fc21.x86_64
>     >
>     > On 1st server, I was able to enable the audit logs using the following LDIF.
>     >
>     > dn: cn=config
>     > changetype: modify
>     > replace: nsslapd-auditlog-logging-enabled
>     > nsslapd-auditlog-logging-enabled: on
>     >
>     > However, the same LDIF when I run on the second server (which is the
>     > replicated master) the audit logs never get enabled. I'm not able to find
>     > the nsslapd-auditlog-logging-enabled entry under the dse.ldif. I have tried
>     > restarting etc. but no luck.
>     >
>     > Is this normal ?
>     >
>     > Thanks.
>     > --Prashant
>     >
>     > --
>     > 389 users mailing list
>     > 389-users@lists.fedoraproject.org
>     <mailto:389-users@lists.fedoraproject.org>
>     > https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
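
An added worked example for the procedure in Mark's reply above; it is not code from this thread or from the 389 DS project. It wraps the same LDIF in a small POSIX shell script: enable_audit_log pipes it to ldapmodify (with -x for a simple bind, as German's ldapsearch does), check_audit_enabled reads the live attribute back with ldapsearch, and two awk parsers show how to confirm the result offline: dse_attr reads a cn=config attribute out of a dse.ldif (only meaningful while the server is stopped, for the reason Mark gives), and audit_changes counts the audit-log records written for a DN, so you can see that the first record in a fresh log is the change that enabled the log. One caveat the thread circles around: cn=config lives in each instance's own dse.ldif and is not replicated, so the setting has to be applied on every master separately. Everything in the sample files is constructed for this example: the instance name slapd-example, the uid=alice entry, the timestamps, the password hash, and the HOST/PORT arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from 389 DS): enable the 389 DS audit
# log the way Mark's reply does, and check offline that the change took effect.
set -u

# The LDIF from the reply, reused unchanged (ldapmodify reads the password with -W).
audit_enable_ldif() {
  cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
EOF
}

# enable_audit_log HOST PORT: apply the LDIF to a running instance.
# -x selects a simple bind with the OpenLDAP client tools; needs a reachable server.
enable_audit_log() {
  audit_enable_ldif | ldapmodify -x -D "cn=directory manager" -W -h "$1" -p "$2"
}

# check_audit_enabled HOST PORT: read the live value back (German's query).
check_audit_enabled() {
  ldapsearch -xLLL -D "cn=directory manager" -W -h "$1" -p "$2" \
    -b cn=config -s base nsslapd-auditlog-logging-enabled
}

# dse_attr DSE_LDIF ATTR: value of ATTR in the cn=config entry of a dse.ldif.
# Only trustworthy while the server is stopped: a running server rewrites the
# file from memory, which is why a hand edit made while it runs is lost.
dse_attr() {
  awk -v attr="$2" '
    /^dn: / { in_cfg = (tolower($0) == "dn: cn=config") }
    /^$/    { in_cfg = 0 }
    in_cfg && tolower($1) == (tolower(attr) ":") { print $2; exit }
  ' "$1"
}

# audit_changes AUDIT_LOG DN: number of changes the audit log records for DN.
# Each record starts with a "time:" line followed by the "dn:" line of the
# entry that was changed, then the change itself in LDIF form.
audit_changes() {
  awk -v dn="$2" '
    /^time: /                      { expect_dn = 1; next }
    expect_dn && $0 == ("dn: " dn) { n++ }
    expect_dn                      { expect_dn = 0 }
    END                            { print n + 0 }
  ' "$1"
}

# make_samples DIR: write constructed sample files (instance name, entry,
# timestamps, hash and path are all made up for this example).
make_samples() {
  mkdir -p "$1"
  cat >"$1/dse.ldif" <<'EOF'
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
nsslapd-auditlog: /var/log/dirsrv/slapd-example/audit
nsslapd-auditlog-logging-enabled: off

dn: cn=monitor
cn: monitor
objectClass: top
EOF
  cat >"$1/audit" <<'EOF'
389-Directory/1.3.3.8
time: 20150615132202
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: modifiersname
modifiersname: cn=directory manager
-

time: 20150615132310
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}c29tZSBoYXNo
-
EOF
}

# Stand-alone demo on the constructed samples (no server needed).
demo=$(mktemp -d)
make_samples "$demo"
echo "dse.ldif value before enabling: $(dse_attr "$demo/dse.ldif" nsslapd-auditlog-logging-enabled)"
echo "audit records for cn=config:    $(audit_changes "$demo/audit" cn=config)"
rm -rf "$demo"
```

dse_attr and audit_changes work on files, so the demo runs without a server; enable_audit_log and check_audit_enabled take a host and port and prompt for the Directory Manager password. Because the audit log records every change as LDIF (the sample shows a userPassword replace), /var/log/dirsrv/slapd-INSTANCE/audit deserves the same access control as the database files themselves.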

