How do I turn on logging after manually migrating from ApacheDS to OpenLDAP


After upgrading to OPDK v4.15.01 from v4.14.07, I migrated ApacheDS to OpenLDAP.

There were a few hiccups, but in the end, these steps worked smoothly in our PROD landscape.

  1. Ensure ldap commands come from /usr/bin by checking PATH
  2. cd $INSTDIR/share/installer
  3. sudo ./apigee-openldap-migrate.sh
  4. Edit $INSTDIR/conf/apigee/management-server/security.properties to have: ldap.server.admin.dn=cn=manager,dc=apigee,dc=com
  5. Restart management server
  6. sudo chown apigee:apigee $INSTDIR/etc/init.d/apigee-slapd
  7. all-status.sh (all OK)

However, I don't see any logs being generated in $INSTDIR/var/log/openldap, just a start.out.

Are others seeing logs and if so how would I configure OpenLDAP to perform logging? @Paul Mibus, @Terry David

Accepted solution

Apigee uses the OpenLDAP OLC (on-line configuration). Logging for slapd (the OpenLDAP daemon) follows the configuration syntax located at http://www.openldap.org/doc/admin24/slapdconf2.html. The server is not configured to log information by default, but you can add the olcLogLevel attribute to the cn=config DN to enable logging. This process involves two steps:

  1. Enable logging on the slapd server.
  2. Configure rsyslog to direct LOCAL4 messages to a log file.

To enable logging on the slapd server, you can either use a graphical tool such as Apache Directory Studio (http://directory.apache.org/studio) or the OpenLDAP command-line tools. This example shows how to use ldapadd to add the required entry. First, create a text file on the LDAP server named logging.ldif with the following contents:

  dn: cn=config
  changetype: modify
  add: olcLogLevel
  olcLogLevel: <loglevel>

Replace the <loglevel> placeholder with your desired logging level. You can find available logging levels at http://www.openldap.org/doc/admin24/slapdconf2.html in the olcLogLevel section. Be careful if you use a verbose logging level like "trace," as it can quickly consume disk space if you do not implement a log rotation policy using logrotate. Once the LDIF file is created, use the following command to add the attribute to your configuration:

> ldapadd -H ldap://localhost:10389 -D cn=admin,cn=config -W -f logging.ldif

You will be prompted for the administrative password for the cn=config database which was set at installation time. Once logging is enabled on the slapd server, the server will send messages to LOCAL4. You must configure rsyslog to write these messages to a file since they are not sent anywhere by default. Edit the /etc/rsyslogd.conf file and add a line similar to this one:

local4.*  /opt/apigee4/var/log/openldap/slapd.log

Restart the rsyslog service and verify that you are receiving log messages in your desired output file. If you do not see the file, ensure that the user that your rsyslog daemon runs as has permissions to the target directory. You may have to restart the slapd server or open a connection to it using ldapsearch, Apache Directory Studio or another tool in order to see log output depending on your chosen log level.

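The two steps in the accepted answer, as an added shell example that is not code from the thread or from Apigee. It builds the olcLogLevel LDIF (checking the level against the keyword list in the OpenLDAP 2.4 admin guide), builds the rsyslog selector line, and then shows what a stats-level slapd.log lets you verify: which DNs bound and how many binds failed. Assumptions: slapd listens on ldap://localhost:10389 and the config admin is cn=admin,cn=config (both from the answer); rsyslog reads /etc/rsyslog.conf (an assumption; the answer names /etc/rsyslogd.conf); ldapmodify is used instead of ldapadd because the LDIF already carries changetype: modify; the log lines in write_sample_log are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apigee. Turns the accepted
# answer into checkable steps: build the olcLogLevel LDIF, build the rsyslog
# selector line, and inspect the resulting slapd.log.
# Assumptions: ldap://localhost:10389 and cn=admin,cn=config (from the answer);
# /etc/rsyslog.conf (assumed); the sample log lines below are constructed.
set -eu

# olcLogLevel keywords listed in the OpenLDAP 2.4 admin guide (slapd-config).
VALID_LEVELS="any trace packets args conns BER filter config ACL stats stats2 shell parse sync none"

# is_valid_loglevel LEVEL: true for a keyword, a decimal, or a hex value.
is_valid_loglevel() {
  case "$1" in
    0x[0-9a-fA-F]*) return 0 ;;
    ''|*[!0-9]*) ;;                 # not a plain decimal; try the keywords
    *) return 0 ;;
  esac
  for k in $VALID_LEVELS; do
    [ "$k" = "$1" ] && return 0
  done
  return 1
}

# make_loglevel_ldif LEVEL: the modify LDIF from the answer. It is one entry,
# so the four lines must be contiguous (a blank line would end the entry).
make_loglevel_ldif() {
  is_valid_loglevel "$1" || { echo "unknown olcLogLevel: $1" >&2; return 1; }
  printf 'dn: cn=config\nchangetype: modify\nadd: olcLogLevel\nolcLogLevel: %s\n' "$1"
}

# make_rsyslog_rule LOGFILE: the local4 selector line for rsyslog.
make_rsyslog_rule() {
  printf 'local4.*  %s\n' "$1"
}

# has_rsyslog_rule CONF LOGFILE: true if CONF already routes local4 to LOGFILE.
has_rsyslog_rule() {
  grep -Eq "^local4\.\*[[:space:]]+$2\$" "$1"
}

# apply LEVEL LOGFILE: the live steps from the answer. Run as root on the LDAP
# node; ldapmodify prompts for the cn=config password set at install time.
apply() {
  make_loglevel_ldif "$1" > /tmp/logging.ldif
  ldapmodify -H ldap://localhost:10389 -D cn=admin,cn=config -W -f /tmp/logging.ldif
  has_rsyslog_rule /etc/rsyslog.conf "$2" || make_rsyslog_rule "$2" >> /etc/rsyslog.conf
  service rsyslog restart
}

# With olcLogLevel stats, every BIND is logged with its DN and every result
# with an LDAP error code; err=49 is invalidCredentials.
# bind_dns LOG: unique DNs that attempted a bind.
bind_dns() {
  sed -n 's/.* BIND dn="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# failed_binds LOG: number of bind responses (tag=97) that ended in err=49.
failed_binds() {
  grep -c 'RESULT tag=97 err=49' "$1" || true
}

# write_sample_log FILE: constructed stats-level lines for a dry run.
write_sample_log() {
  cat > "$1" <<'EOF'
Jan 10 12:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:10389)
Jan 10 12:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="cn=manager,dc=apigee,dc=com" method=128
Jan 10 12:00:01 ldap1 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Jan 10 12:00:02 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=bob,ou=users,dc=apigee,dc=com" method=128
Jan 10 12:00:02 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan 10 12:00:03 ldap1 slapd[1234]: conn=1002 op=0 BIND dn="uid=bob,ou=users,dc=apigee,dc=com" method=128
Jan 10 12:00:03 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=49 text=
EOF
}

# Dry run: print the fragments and inspect the constructed log.
if [ "${1:-}" = "demo" ]; then
  make_loglevel_ldif stats
  make_rsyslog_rule /opt/apigee4/var/log/openldap/slapd.log
  write_sample_log /tmp/slapd-sample.log
  bind_dns /tmp/slapd-sample.log
  echo "failed binds: $(failed_binds /tmp/slapd-sample.log)"
fi
```

Run it with `sh script.sh demo` to see the fragments and the dry-run analysis without touching a server; `apply stats /opt/apigee4/var/log/openldap/slapd.log` performs the real change. The stats level is the usual choice for a production directory: it records connections, binds and results without the per-packet volume of trace, and the err=49 count is the first thing to watch once the log exists.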

Replies


Thanks for your post!

Thanks for this information. You have saved me a tremendous amount of reading I didn't want to do over this weekend!