4

I have OpenLDAP v2.4 running on CentOS 7 and working, but I cannot get it to log anything. I have tried adding the below line to the rsyslog.conf file, but I still do not get any log file.

LOCAL4.*        /var/log/openldap/slapd.log

When I added this line, I ran the below command to reload the rsyslog conf and also stopped and started OpenLDAP.

pkill -HUP rsyslog

I can't find any more instructions on how to enable logging.

a.smith

1 Answer

6

To enable OpenLDAP debugs, you would want to add the following to your slapd.conf

loglevel <level> (eg: stats)

If you do not use slapd.conf, you may then pass that option to the slapd service. In Debian/Ubuntu, you would find some /etc/default/slapd file, and you may update its SLAPD_OPTIONS:

$ grep SLAPD_OPTIONS /etc/default/slapd
SLAPD_OPTIONS="-s 256"

We may then restart slapd:

systemctl restart slapd

Valid slapd log levels would include:

| Level       | Description                                   |
|-------------|-----------------------------------------------|
| -1          | Enable all debugging                          |
|  0          | Enable no debugging                           |
|  1          | Trace function calls                          |
|  2          | Debug packet handling                         |
|  4          | Heavy trace debugging                         |
|  8          | Connection management                         |
|  16         | Log packets sent and received                 |
|  32         | Search filter processing                      |
|  64         | Configuration file processing                 |
|  128        | Access control list processing                |
|  256        | Stats log connections, operations and results |
|  512        | Stats log entries sent                        |
|  1024       | Log communication with shell backends         |
|  2048       | Log entry parsing debugging                   |

For further details, see http://www.openldap.org/doc/admin24/slapdconfig.html


Besides, as Jeff pointed out, your syslog configuration looks wrong to begin with.

LOCAL4.*        /var/log/openldap/

Should probably be:

LOCAL4.*        /var/log/openldap/some-file.log

Or:

LOCAL4.*        /var/log/openldap.log
SYN
  • Does that send to syslog, or write natively? (Just curious if I'm on the right track with my comments at all) – Jeff Schaller Oct 31 '19 at 13:32
  • Sends to syslog. By default, you won't see much regarding binds, searches, ..., or at all, unless you pass slapd with some option. – SYN Oct 31 '19 at 13:32
  • Good to know; thank you! Would you consider adding a syslog.conf correction away from the OP's `/var/log/openldap/` target? – Jeff Schaller Oct 31 '19 at 13:34
  • I'm not using slapd.conf. I was under the impression it had been replaced with the cn=config.ldif file? I tried adding the loglevel to this file but still no logs. I did find a file /etc/sysconfig/slapd and had a SLAPD_OPTIONS line commented out, but when I add -d 256 and uncommented it, ldap would not start. – a.smith Oct 31 '19 at 14:11
  • 2
    @SYN anything extra you can suggest would be greatly appreciated. – a.smith Nov 01 '19 at 08:45
  • Right, my mistake: the `-d` in sysconfig, in addition to setting log level, also prevents slapd from forking. We should actually use `-s`, to only tune loglevel while still starting a background service. And yes, slapd.conf is slowly going away, which is when you'd set that loglevel from sysconfigs / defaults. – SYN Nov 01 '19 at 09:36
  • @SYN thanks for coming back. I swapped the -d for a -s in sysconfig/slapd file and slapd now starts, but I still am not getting anything in my nominated log file. I am at a loss what I am missing. – a.smith Nov 06 '19 at 11:38
  • Could you share your rsyslog configuration? – SYN Nov 06 '19 at 11:53
  • The line I have added is LOCAL4.* /var/log/openldap/slapd.log Let me know if you need more of the file. – a.smith Nov 06 '19 at 12:03
  • I'm looking for something that could discard those logs before your addition. In doubt, we could also check for SELinux (in `/var/log/audit/audit.log`, look for denied messages). Does the `/var/log/openldap` directory exist already? Otherwise make sure it does. – SYN Nov 06 '19 at 12:14
  • I couldn't see anything wrong in the files mentioned, but it is now logging after I stopped and started rsyslog. Thanks for your help – a.smith Nov 06 '19 at 12:28
  • Oh well, perfect then! Thanks for confirming. – SYN Nov 06 '19 at 12:29
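
An added example, not part of the original thread: a shell check for the rsyslog side of the problem discussed above (a `LOCAL4` rule that points at a directory, or at a file whose directory does not exist), plus a `logger` test that shows whether rsyslog delivers `local4` messages at all, independently of slapd. The function names are hypothetical, and only the simple `facility.priority  /path` rule form is parsed.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the file target of every local4 rule in an rsyslog config file.
# Only handles the simple "local4.<prio>  /path" form (optional leading "-").
local4_targets() {
    awk 'tolower($1) ~ /^local4\./ && $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }' "$1"
}

# Return 0 if rsyslog could write to this target; else print why and return 1.
check_target() {
    case "$1" in
        */) echo "target '$1' is a directory, not a file"; return 1 ;;
    esac
    dir=$(dirname "$1")
    [ -d "$dir" ] || { echo "directory '$dir' does not exist"; return 1; }
    return 0
}

# Check every local4 rule in a config file.
# Returns non-zero if there is no rule or any target is unusable.
check_rsyslog_conf() {
    targets=$(local4_targets "$1")
    [ -n "$targets" ] || { echo "no local4 rule in $1"; return 1; }
    rc=0
    for t in $targets; do
        check_target "$t" || rc=1
    done
    return $rc
}

# Send a marker on local4 and confirm rsyslog wrote it to the given file.
# If this fails, the problem is in rsyslog (config not reloaded, SELinux,
# permissions), not in the slapd log level.
verify_delivery() {
    marker="slapd-log-test-$$"
    logger -p local4.info "$marker"
    sleep 1
    grep -q "$marker" "$1"
}

# Usage: sh check.sh /etc/rsyslog.conf
if [ $# -gt 0 ]; then
    check_rsyslog_conf "$1"
fi
```

Once the config check passes and rsyslog has been restarted, `verify_delivery /var/log/openldap/slapd.log` (run as root) confirms that `local4` messages reach the file before you start looking at slapd's own log level.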