On Tue, Jun 25, 2019 at 07:33:59PM +0200, Michael Ströder wrote:
> On 6/25/19 7:08 PM, Quanah Gibson-Mount wrote:
>> Another way to do this would be to set up an accesslog database backend
>> and the slapo-accesslog overlay on your primary DB, and log all
>> operations (not just success). This would also allow you to inspect
>> what values the client is providing.
>
> AFAIK this only helps if the modify request reaches the backend.

Sure, but most reasons it doesn't reach the overlay should be logged already.

> If the slapd frontend already rejects a request (e.g. invalid DN or
> schema violation) there is no auditModify entry to look at.

For an otherwise LDAP conformant modify PDU with no controls attached,
only an invalid DN/invalid attribute name would make that happen and I'd
hope both generate useful messages in the response (preferably) or at
least in the relevant logs.

Regards,

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
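
The accesslog setup discussed in this thread, as an added slapd.conf sketch that is not part of the original messages. The suffixes, directory paths and admin DN are constructed placeholders, and the fragment assumes the mdb backend with slapo-accesslog built as a module.

```conf
# Added example: slapd.conf fragment, placeholder names throughout.
moduleload      accesslog

# --- Log database: must be defined before the database that logs into it ---
database        mdb
suffix          "cn=accesslog"
directory       /var/lib/ldap/accesslog
rootdn          "cn=accesslog"
maxsize         1073741824
index           reqStart,reqEnd,reqResult eq
# Log entries carry the values clients sent (reqMod), which can include
# password changes, so restrict reads to the administrator (placeholder DN).
access to *
        by dn.exact="cn=admin,dc=example,dc=com" read
        by * none

# --- Primary database ---
database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/example
rootdn          "cn=admin,dc=example,dc=com"
maxsize         1073741824

overlay         accesslog
logdb           "cn=accesslog"
# Record every operation type, not only writes.
logops          all
# FALSE is the default: failed requests are logged too. Setting this to
# TRUE would drop exactly the failing modify you are trying to debug.
logsuccess      FALSE
# Purge entries older than 7 days, checking once a day.
logpurge        07+00:00 01+00:00
```

With this in place, failed modifies that reached the overlay can be found under cn=accesslog with the filter (&(objectClass=auditModify)(!(reqResult=0))). Requests rejected by the frontend before that point leave no entry there, as noted above.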
