.B [credentials=<passwd>]
.B [realm=<realm>]
.B [secprops=<properties>]
+.B [logbase=<base DN>]
+.B [logfilter=<filter str>]
+.B [syncdata=default|accesslog|changelog]
.RS
Specify the current database as a replica which is kept up-to-date with the
master content by establishing the current
option. A non default SASL realm can be set with the
.B realm
option.
+
+Rather than replicating whole entries, the consumer can query logs of
+data modifications. This mode of operation is referred to as \fIdelta
+syncrepl\fP. In addition to the above parameters, the
+.B logbase
+and
+.B logfilter
+parameters must be set appropriately for the log that will be used. The
+.B syncdata
+parameter must be set to either "accesslog" if the log conforms to the
+.BR slapo-accesslog (5)
+log format, or "changelog" if the log conforms
+to the obsolete \fIchangelog\fP format. If the
+.B syncdata
+parameter is omitted or set to "default" then the log parameters are
+ignored.
.RE
.TP
.B updatedn <dn>
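Review bot: The last added sentence, "If the syncdata parameter is omitted or set to "default" then the log parameters are ignored", means a consumer that sets logbase and logfilter but forgets syncdata gets no delta replication and, as far as this text says, no diagnostic. Suggest stating whether that combination is reported, and what happens in the opposite case (syncdata=accesslog with logbase or logfilter missing), since the text only says they "must be set appropriately". A sample logbase/logfilter pair for an accesslog database would make "appropriately" concrete, and the "changelog" format is called obsolete without a pointer to where it is defined.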
specifying an eq index on the
.B reqStart
attribute will greatly benefit the performance of the purge operation.
+.TP
+.B logsuccess TRUE | FALSE
+If set to TRUE then log records will only be generated for successful
+requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS).
+If FALSE, log records are generated for all requests whether they
+succeed or not. The default is FALSE.
.SH EXAMPLES
.LP
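Review bot: The logsuccess description should say what is lost when it is TRUE: every request with a non-zero result code, failed Binds included, leaves no record, so the log can no longer be used to review rejected access attempts. Suggest adding a sentence to that effect and naming the intended use for TRUE, so that administrators who deploy the overlay for auditing know to keep the default FALSE.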
SUP top STRUCTURAL
MUST ( reqStart $ reqType $ reqSession )
MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $
- reqEnd $ reqResult $ reqMessage ) )
+ reqEnd $ reqResult $ reqMessage $ reqReferral ) )
.RE
.P
Note that all of the OIDs used in the logging schema currently reside
.B reqMessage
attribute.
+The
+.B reqReferral
+attribute carries any referrals that were returned with the result of the
+request.
+
Operation-specific classes are defined with additional attributes to carry
all of the relevant parameters associated with the operation:
.B Add
class inherits from the
.B auditWriteObject
-class. The Add and Modify classes are essentially the same. The
+class. The Add and Modify classes are very similar. The
.B reqMod
attribute carries all of the attributes of the original entry being added.
(Or in the case of a Modify operation, all of the modifications being
NAME 'auditBind'
DESC 'Bind operation'
SUP auditObject STRUCTURAL
- MUST reqMethod )
+ MUST ( reqVersion $ reqMethod ) )
.RE
.P
The
.B Bind
-class just adds the
+class includes the
+.B reqVersion
+attribute which contains the LDAP protocol version specified in the Bind
+as well as the
.B reqMethod
attribute which contains the Bind Method used in the Bind. This will be
the string
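Review bot: In the auditBind definition reqVersion is added as a MUST attribute, so auditBind entries written under the earlier definition ("MUST reqMethod" only) no longer satisfy the object class. Suggest a sentence on how existing log databases are expected to be handled, or an explicit statement that the log schema is still subject to change. The description could also state the form of the reqVersion value, as is done for reqMethod.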
.LP
.RS 4
( 1.3.6.1.4.1.4203.666.11.5.2.8
+ NAME 'auditDelete'
+ DESC 'Delete operation'
+ SUP auditWriteObject STRUCTURAL
+ MAY reqOld )
+.RE
+.P
+The
+.B Delete
+operation needs no further parameters. However, the
+.B reqOld
+attribute may optionally be used to record the contents of the entry prior
+to its deletion. The values are formatted as
+.RS
+.RS
+.PD 0
+.TP
+attribute: value
+.RE
+.PD
+This option is not yet implemented.
+
+.LP
+.RS 4
+( 1.3.6.1.4.1.4203.666.11.5.2.9
NAME 'auditModify'
DESC 'Modify operation'
SUP auditWriteObject STRUCTURAL
- MUST reqMod )
+ MAY reqOld MUST reqMod )
.RE
.P
The
.B Modify
-operation has already been described.
+operation contains a description of modifications in the
+.B reqMod
+attribute, which was already described above in the Add operation. It may
+optionally contain the previous contents of any modified attributes in the
+.B reqOld
+attribute, using the same format as described above for the Delete operation.
+This option is not yet implemented.
.LP
.RS 4
-( 1.3.6.1.4.1.4203.666.11.5.2.9
+( 1.3.6.1.4.1.4203.666.11.5.2.10
NAME 'auditModRDN'
DESC 'ModRDN operation'
SUP auditWriteObject STRUCTURAL
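Review bot: Inserting auditDelete at 1.3.6.1.4.1.4203.666.11.5.2.8 moves auditModify to .9 and auditModRDN to .10, so OIDs that previously named one class now name another, and anything that refers to these classes by OID rather than by name will resolve to a different class; the page should say so explicitly. Two smaller points in the same hunk: the reqOld format block opens two .RS and closes only one with .RE before "This option is not yet implemented.", which leaves the indentation unbalanced, and "MAY reqOld MUST reqMod" puts MAY ahead of MUST, whereas the other definitions here and the RFC 4512 object class syntax list MUST first.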
.LP
.RS 4
-( 1.3.6.1.4.1.4203.666.11.5.2.10
+( 1.3.6.1.4.1.4203.666.11.5.2.11
NAME 'auditSearch'
DESC 'Search operation'
SUP auditReadObject STRUCTURAL
- MUST ( reqScope $ reqAttrsOnly )
+ MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )
MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $
reqTimeLimit ) )
.RE
.B Search
class the
.B reqScope
-attribute contains the scope of the original search request, i.e.
+attribute contains the scope of the original search request, using the
+values specified for the LDAP URL format. I.e.
.BR base ,
-.BR onelevel ,
-.BR subtree ,
+.BR one ,
+.BR sub ,
or
-.BR subordinate .
+.BR subord .
+The
+.B reqDerefAliases
+attribute is one of
+.BR never ,
+.BR finding ,
+.BR searching ,
+or
+.BR always ,
+denoting how aliases will be processed during the search.
The
.B reqAttrsOnly
attribute is a Boolean value showing
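Review bot: The documented reqScope values change from onelevel, subtree and subordinate to one, sub and subord, and the text does not say whether this is a change in what is written to the log or a correction of the documentation; if the logged strings changed, filters and reports over existing logs need to match both forms and the page should mention it. The new sentence break before "I.e." also reads awkwardly; folding the list into the preceding sentence would be clearer. For reqDerefAliases, suggest stating that it records the value the client requested.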
.LP
.RS 4
-( 1.3.6.1.4.1.4203.666.11.5.2.11
+( 1.3.6.1.4.1.4203.666.11.5.2.12
NAME 'auditExtended'
DESC 'Extended operation'
SUP auditObject STRUCTURAL
operations (except Adds) are recorded in the log.
When using the session log, it is helpful to set an eq index on the
entryUUID attribute in the underlying database.
+.TP
+.B syncprov-nopresent TRUE | FALSE
+Specify that the Present phase of refreshing should be skipped. This value
+should only be set TRUE for a syncprov instance on top of a log database
+(such as one managed by the accesslog overlay).
+The default is FALSE.
+.TP
+.B syncprov-reloadhint TRUE | FALSE
+Specify that the overlay should honor the reloadHint flag in the Syncrepl
+Control. In OpenLDAP releases 2.3.11 and earlier the Syncrepl consumer did
+not properly set this flag, so the overlay must ignore it. This option
+should be set TRUE when working with newer releases that properly support
+this flag. It must be set TRUE when using the accesslog overlay for
+delta-based Syncrepl support. The default is FALSE.
.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
-.BR slapd.conf (5).
+.BR slapd.conf (5),
+.BR slapo-accesslog (5).
OpenLDAP Administrator's Guide.
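Review bot: syncprov-reloadhint is described as an option that "must be set TRUE" for delta-based Syncrepl while its default is FALSE, and the text does not say what a consumer sees when it is left at the default; suggest describing the failure mode, or any check slapd performs, so a misconfigured provider is recognisable. Likewise syncprov-nopresent says it should only be TRUE on top of a log database without saying what goes wrong on an ordinary database. A cross-reference from both options to the syncdata parameter in slapd.conf(5) would tie the provider and consumer settings together.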