Some common mistakes about OpenLDAP logs
Here're a few hints when configuring OpenLDAP logs on Linux, if you use
either the syslogd or rsylogd daemons. (I have not tested with syslog-ng yet).
Neither the OpenLDAP admin guides nor the mailing list mention these traps, so
I thought it'd be worth writing an article on that topic...
As you know, OpenLDAP uses the syslog facility to log messages. What's may not be obvious, is that as a consequence, the OpenLDAP log file must be writable by the syslog daemon. It even actually doesn't matter if the system account who's used to run the slapd process can't read its own log file !
Also, usually, the slapd daemon will start as root and then the process ownership will change to the user you chose, so neither the (r)syslogd nor the slapd system accounts who're used to run these processes need write access to the directory where the OpenLDAP log file is located: the slapd daemon starts as root, create its log file if it doesn't exist, and then the slapd process ownership changes to the system account you chose. Then, the syslog facility becomes responsible for the slapd log file updates, so the system account used to run the syslog daemon must have write access to the slapd log file.
Now some other hints on how to make OpenLDAP log to a dedicated file, and how to prevent it from logging to other files as well: use the following syslog configuration example for the LOCAL4 facility:
*.*;auth,authpriv.none,local4.none -/var/log/syslog *.=debug;auth,authpriv.none;local4.none;news.none;mail.none -/var/log/debug daemon.*;mail.*;news.err;*.=debug;*.=info;*.=notice;*.=warn;local4.none |/dev/xconsole local4.* -/var/log/openldap
With the configuration above, OpenLDAP logs will only log to the /var/log/openldap file, with buffering enabled. The lines order doesn't matter.