OpenLDAP accesslog configuration

First, you should enable accesslog overlay when configure openLDAP before install openLDAP:

 

./configure --enable-accesslog=yes --prefix=/usr/local/openldap

make depend

make

make install

 

OpenLDAP accesslog configuration:

 

 

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include          /usr/local/openldap/etc/openldap/schema/core.schema

 

# Define global ACLs to disable default read access.

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral        ldap://root.openldap.org

 

pidfile          /usr/local/var/run/slapd.pid

argsfile         /usr/local/var/run/slapd.args

 

# Load dynamic backend modules:

# modulepath     /usr/local/libexec/openldap

# moduleload     back_bdb.la

# moduleload     back_hdb.la

# moduleload     accesslog.la

 

# Sample security restrictions

#        Require integrity protection (prevent hijacking)

#        Require 112-bit (3DES or better) encryption for updates

#        Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

 

# Sample access control policy:

#        Root DSE: allow anyone to read it

#        Subschema (sub)entry DSE: allow anyone to read it

#        Other DSEs:

#                Allow self write access

#                Allow authenticated users read access

#                Allow anonymous users to authenticate

#        Directives needed to implement policy:

# access to dn.base="" by * read

# access to dn.base="cn=Subschema" by * read

# access to *

#        by self write

#        by users read

#        by anonymous auth

#

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.   (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

 

##############################################

#    Log config #

loglevel 297

##############################################

 

 

#######################################################################

# BDB database definitions

#######################################################################

 

######### accesslog database definitions ###############

database         bdb

suffix           cn=accesslog      # (DB schema)

directory        /usr/local/var/openldap-data/accesslog

rootdn           cn=accesslog

index            reqStart eq

#index           default eq

#index           entryCSN,objectClass,reqEnd,reqResult,reqStart

 

#########   primary DB definitions #########

database         bdb

suffix           "dc=example,dc=com"  

rootdn           "cn=admin,dc=example,dc=com"

rootpw           pass

directory        /usr/local/var/openldap-data

index            objectClass     eq

 

######### accesslog overlay definitions for primary database   #########

overlay          accesslog

logdb             cn=accesslog       # the same as accesslog database definition's suffix (DB schema)

logops           writes reads      #only  record writes reads operations

logsuccess       TRUE               #only record success operations 

# scan the accesslog DB every day, and purge entries older than 7 days

#  first part is how long data stored, second part is when to scan the old data  

logpurge         07+00:00 01+00:00