Red Hat 8.1 사용자 설명서
Access Log Content for Additional Access Logging Levels
227
[21/Apr/2009:11:39:52 -0700] conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2
NOTE
The Directory Server operation number starts counting at 0, and, in the majority
of LDAP SDK/client implementations, the message ID number starts counting at
1, which explains why the message ID is frequently equal to the Directory Server
operation number plus 1.
of LDAP SDK/client implementations, the message ID number starts counting at
1, which explains why the message ID is frequently equal to the Directory Server
operation number plus 1.
SASL Multi-Stage Bind Logging
In Directory Server, logging for multi-stage binds is explicit. Each stage in the bind process is logged.
The error codes for these SASL connections are really return codes. In
The error codes for these SASL connections are really return codes. In
, the SASL bind is currently in progress so it has a return code of err=14, meaning
the connection is still open, and there is a corresponding progress statement, SASL bind in
progress
progress
.
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 BIND dn="" method=sasl version=3 mech=DIGEST-MD5
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
in progress
[21/Apr/2009:11:39:55 -0700] conn=14 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind
in progress
In logging a SASL bind, the sasl method is followed by the LDAP
and the SASL
mechanism used, as shown below with the GSS-API mechanism.
[21/Apr/2009:12:57:14 -0700] conn=32 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
NOTE
The authenticated DN (the DN used for access control decisions) is now logged in the
BIND result line as opposed to the bind request line, as was previously the case:
BIND result line as opposed to the bind request line, as was previously the case:
[21/Apr/2009:11:39:55 -0700] conn=14 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=jdoe,dc=example,dc=com"
etime=0 dn="uid=jdoe,dc=example,dc=com"
For SASL binds, the DN value displayed in the bind request line is not used by the
server and, as a consequence, is not relevant. However, given that the authenticated
DN is the DN which, for SASL binds, must be used for audit purposes, it is essential
that this be clearly logged. Having this authenticated DN logged in the bind result line
avoids any confusion as to which DN is which.
server and, as a consequence, is not relevant. However, given that the authenticated
DN is the DN which, for SASL binds, must be used for audit purposes, it is essential
that this be clearly logged. Having this authenticated DN logged in the bind result line
avoids any confusion as to which DN is which.
5.1.3. Access Log Content for Additional Access Logging Levels
This section presents the additional access logging levels available in the Directory Server access log.
In
, access logging
level 4, which logs internal operations, is enabled.
4