.TH SLAPO-ACCESSLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2005-2006 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2005-2007 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
-slapo-accesslog \- Access Logging overlay
+slapo-accesslog \- Access Logging overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
.TP
.B logdb <suffix>
Specify the suffix of a database to be used for storing the log records.
-The specified database must have already been configured in a prior section
-of the config file. The suffix entry of the log database will be created
-automatically by this overlay. The log entries will be generated as the
-immediate children of the suffix entry.
+The specified database must be defined elsewhere in the configuration.
+The access controls
+on the log database should prevent general access. The suffix entry
+of the log database will be created automatically by this overlay. The log
+entries will be generated as the immediate children of the suffix entry.
.TP
.B logops <operations>
Specify which types of operations to log. The valid operation types are
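Review bot: In the logdb text, "should prevent general access" gives the administrator nothing to act on. Say why: the log entries carry the logged requests and, when logold matches, the old contents of entries from the main database, so anyone who can read the log database can see data that the main database's own access controls may hide from them. Also name who should keep access (for example the administrative identity used in EXAMPLES) and point to that section. Separately, "must be defined elsewhere in the configuration" drops the earlier "prior section" ordering requirement; if ordering no longer matters, say so explicitly so that readers of the old text are not left guessing.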
the entry matches the filter, the old contents of the entry will be
logged along with the current request.
.TP
+.B logoldattr <attr> ...
+Specify a list of attributes whose old contents are always logged in
+Modify and ModRDN requests. Usually only the contents of attributes that were
+actually modified will be logged; by default no old attributes are logged
+for ModRDN requests.
+.TP
.B logpurge <age> <interval>
Specify the maximum age for log entries to be retained in the database,
and how often to scan the database for old entries. Both the
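Review bot: In the new logoldattr description, "always logged" does not agree with the ModRDN text added further down, which says reqOld is only populated if the entry matches the configured logold filter and contains attributes in the logoldattr list. State the dependency here as well, for example "Specify a list of attributes whose old contents are logged in Modify and ModRDN requests whenever the entry matches the logold filter". Otherwise a reader may configure logoldattr alone and expect old values to appear. It would also help to say that the list is whitespace-separated, if that is what "<attr> ..." means.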
.SH EXAMPLES
.LP
.nf
- database bdb
- suffix cn=log
- \...
- index reqStart eq
-
database bdb
suffix dc=example,dc=com
\...
logdb cn=log
logops writes reads
logold (objectclass=person)
+
+ database bdb
+ suffix cn=log
+ \...
+ index reqStart eq
+ access to *
+ by dn.base="cn=admin,dc=example,dc=com" read
.fi
.SH SCHEMA
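Review bot: The access rule added to the cn=log database has a single "by" clause and relies on slapd's implicit trailing "by * none" to deny everyone else. Since this example is what illustrates the new "prevent general access" advice, spell the denial out with a second clause, "by * none", so the intent is visible to readers who do not know the default. The example also never uses the new logoldattr directive; adding one logoldattr line next to "logold (objectclass=person)" would show how the two directives work together.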
This schema is specifically designed for
.B accesslog
auditing and is not intended to be used otherwise. It is also
-noted that the schema describe here is
+noted that the schema described here is
.I a work in
.IR progress ,
and hence subject to change without notice.
.PD
The
.B reqOld
-attribute is only populated if the entry being deleted matches the filter
-in the
-.B logoldfilter
-configuration.
+attribute is only populated if the entry being deleted matches the
+configured
+.B logold
+filter.
.LP
.RS 4
attribute, using the same format as described above for the Delete operation.
The
.B reqOld
-attribute is only populated if the entry being modified matches the filter
-in the
-.B logoldfilter
-configuration.
+attribute is only populated if the entry being modified matches the
+configured
+.B logold
+filter.
.LP
.RS 4
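Review bot: The reworded reqOld paragraph for Modify mentions only the logold filter, but the new logoldattr directive is documented as applying to Modify requests too. Add a clause here saying that attributes named in logoldattr are included in reqOld in addition to the attributes that were actually modified, matching what the ModRDN paragraph now says about logoldattr.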
DESC 'ModRDN operation'
SUP auditWriteObject STRUCTURAL
MUST ( reqNewRDN $ reqDeleteOldRDN )
- MAY reqNewSuperior )
+ MAY ( reqNewSuperior $ reqOld ) )
.RE
.P
The
.B reqNewSuperior
attribute carries the DN of the new parent entry if the request specified
the new parent.
+The
+.B reqOld
+attribute is only populated if the entry being modified matches the
+configured
+.B logold
+filter and contains attributes in the
+.B logoldattr
+list.
.LP
.RS 4
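Review bot: In the new reqOld paragraph for ModRDN, "the entry being modified" looks copied from the Modify section; "the entry being renamed" would fit this operation. The phrase "and contains attributes in the logoldattr list" is also ambiguous: it can be read as a condition on the entry or as a description of what reqOld holds. Suggest stating both halves separately: reqOld is populated only when the entry matches the logold filter, and it then carries the old values of those attributes from the logoldattr list that are present in the entry.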