12.12. Configuring OpenLDAP Logging

OpenLDAP's default setup dumps logging into the syslog, and you would rather it have its own separate logfile. How do you do this?

First, we'll create a separate directory and an empty logfile:

	# mkdir /var/log/openldap
	# touch /var/log/openldap/ldap.log

Then, add these lines to /etc/syslog.conf:

	#Logging for openldap
	local4.* /var/log/openldap/ldap.log

And set your desired logging level in slapd.conf, in the Global section:

	loglevel             256

Now, restart both OpenLDAP and the syslog daemon:

	# /etc/init.d/slapd restart (Debian)
	# /etc/init.d/ldap restart (Fedora)
	# /etc/init.d/sysklogd restart (Debian)
	# /etc/init.d/syslog restart (Fedora)

Run some searches to generate some activity, then check your logfile. It should be full of entries like this:

	May 22 11:53:32 xena slapd[7686]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:33643 (IP=0.0.0.0:389)
	May 22 11:53:32 xena slapd[7686]: conn=5 op=0 BIND dn="" method=128
	May 22 11:53:32 xena slapd[7686]: conn=5 op=0 RESULT tag=97 err=0 text=
	May 22 11:53:32 xena slapd[7686]: conn=5 op=1 SRCH base="dc=alrac,dc=net" scope=2 deref=0 filter="(objectClass=*)"

The available logging levels for OpenLDAP are a bit complicated. man 5 slapd.conf lists all of them. The default is 256, which logs statistics like connections, operations, and results. -1 logs everything, so beware! A busy OpenLDAP server will generate megabytes of logfiles at this level in no time. Some admins disable logging entirely with the 0 option, and turn it on periodically for analysis or troubleshooting. Some high-priority messages are logged regardless of your logging level, so you should still route them to a separate file.
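Once the stats entries land in their own file, a small parser makes the periodic review mentioned above practical. This is an added example, not part of the recipe: it groups loglevel 256 lines of the format shown above by connection, correlates each BIND with its RESULT line by op number, and flags anonymous binds (dn="") and failed binds (non-zero err; 49 is invalidCredentials). The log lines embedded in it are constructed, and 192.0.2.10 is a documentation address.

```python
import re
from collections import defaultdict

# Constructed sample lines at loglevel 256 (stats), in the format shown above.
SAMPLE_LOG = """\
May 22 11:53:32 xena slapd[7686]: conn=5 fd=11 ACCEPT from IP=127.0.0.1:33643 (IP=0.0.0.0:389)
May 22 11:53:32 xena slapd[7686]: conn=5 op=0 BIND dn="" method=128
May 22 11:53:32 xena slapd[7686]: conn=5 op=0 RESULT tag=97 err=0 text=
May 22 11:53:32 xena slapd[7686]: conn=5 op=1 SRCH base="dc=alrac,dc=net" scope=2 deref=0 filter="(objectClass=*)"
May 22 11:54:01 xena slapd[7686]: conn=6 fd=12 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
May 22 11:54:01 xena slapd[7686]: conn=6 op=0 BIND dn="cn=admin,dc=alrac,dc=net" method=128
May 22 11:54:01 xena slapd[7686]: conn=6 op=0 RESULT tag=97 err=49 text=
"""

ACCEPT = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')

def parse_stats_log(text):
    """Group stats lines by conn=N: client IP, binds (with the err code of the
    matching RESULT line, correlated by op=N) and searches."""
    conns = defaultdict(lambda: {"client": None, "binds": [], "searches": []})
    pending = {}  # (conn, op) -> bind record still waiting for its RESULT line
    for line in text.splitlines():
        if m := ACCEPT.search(line):
            conns[m[1]]["client"] = m[2]
        elif m := BIND.search(line):
            rec = {"dn": m[3], "method": int(m[4]), "err": None}
            conns[m[1]]["binds"].append(rec)
            pending[(m[1], m[2])] = rec
        elif m := RESULT.search(line):
            rec = pending.pop((m[1], m[2]), None)
            if rec is not None:  # RESULT lines for searches have no pending bind
                rec["err"] = int(m[3])
        elif m := SRCH.search(line):
            conns[m[1]]["searches"].append({"base": m[3], "scope": int(m[4]), "filter": m[5]})
    return dict(conns)

def review(conns):
    """One finding per anonymous bind (dn="") or failed bind (err != 0)."""
    findings = []
    for cid, c in sorted(conns.items(), key=lambda kv: int(kv[0])):
        for b in c["binds"]:
            if b["dn"] == "":
                findings.append(f"conn={cid} {c['client']}: anonymous bind, {len(c['searches'])} search(es)")
            elif b["err"]:
                findings.append(f"conn={cid} {c['client']}: bind as {b['dn']} failed err={b['err']}")
    return findings
```

Run it against /var/log/openldap/ldap.log with `review(parse_stats_log(open(path).read()))`; at loglevel 256 every line it needs is present, while at 0 nothing is logged and it finds nothing.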

Logging can bog down performance noticeably, so one tweak you can make is to use the minus prefix in syslog.conf:

	local4.* -/var/log/openldap/ldap.log

This tells the syslog daemon not to synchronize the file after every write. The risk is that you could lose some data if the system crashes, but it makes a noticeable difference in performance on a heavily loaded server.

Each logging level is not a different verbosity but a different subsystem, so you can combine them to log several kinds of activity at once, like this:

	256 + 32 + 8

Using a remote logging server takes a lot of the load away from your OpenLDAP server. See Chapter 19 for recipes on setting up a logging server using Syslog-ng.