Here are a few hints for configuring OpenLDAP logging on Linux when you use
either the syslogd or rsyslogd daemon (I have not tested with syslog-ng yet).
Neither the OpenLDAP admin guides nor the mailing list mention these traps, so
I thought it was worth writing an article on the topic.
As you know, OpenLDAP uses the syslog facility to log messages. What may not
be obvious is that, as a consequence, the OpenLDAP log file must be writable by
the syslog daemon. It doesn't even matter if the system account used to run
the slapd process can't read its own log file!
Also, the slapd daemon usually starts as root and the process ownership then
changes to the user you chose, so neither the (r)syslogd nor the slapd system
accounts used to run these processes need write access to the directory where
the OpenLDAP log file is located: the slapd daemon starts as root, creates its
log file if it doesn't exist, and then the slapd process ownership changes to
the system account you chose. From then on, the syslog facility is responsible
for updating the slapd log file, so the system account used to run the syslog
daemon must have write access to the slapd log file.
Now some other hints on how to make OpenLDAP log to a dedicated file, and how
to keep it from being logged to other files as well. Use the following syslog
configuration example for the LOCAL4 facility (each selector on a line is
separated by a semicolon):
    *.*;auth,authpriv.none;local4.none                                        -/var/log/syslog
    *.=debug;auth,authpriv.none;local4.none;news.none;mail.none               -/var/log/debug
    daemon.*;mail.*;news.err;*.=debug;*.=info;*.=notice;*.=warn;local4.none   |/dev/xconsole
    local4.*                                                                  -/var/log/openldap
With the configuration above, OpenLDAP messages are written only to the /var/log/openldap file, with buffering enabled (the leading "-" in front of a file name tells the syslog daemon not to sync the file after every write). The order of the lines doesn't matter: what matters is that every line which would otherwise catch the local4 facility ends with local4.none.
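Because the "later selector on a line overrides the earlier ones" rule is what makes local4.none work, it helps to be able to check offline which files a given facility.priority message would reach before restarting the daemon. The following script is an added example, not code from the article or from OpenLDAP or rsyslog: it is a small evaluator for classic syslog.conf selector lines that follows sysklogd's selector semantics (a plain priority means "that priority or more severe", "=" selects one priority, "!" negates, ".none" clears the facility, and selectors on one line are applied left to right). The embedded configuration is the four-line example above (LOCAL4 is also slapd's default syslog facility, selectable with its -l option); every other name in the script is the example's own.

```python
"""Evaluate classic (sysklogd/rsyslog legacy) syslog.conf selector lines offline.

Added example, not part of the original article. Given selector lines of the
form "facility.priority[;facility.priority...]  action", report which actions
(log files or pipes) a message with a given facility and priority reaches.
"""

# Priorities in severity order, index 0 = most severe (matches syslog numbering).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]


def _prio_level(name):
    """Numeric level of a priority name, accepting the usual aliases."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_line(line):
    """Parse one 'selectors  action' line into (masks, action).

    masks maps each facility to the set of priority names that reach the action.
    Selectors are applied left to right, so a later ".none" on the same line
    removes a facility that an earlier "*.*" had selected.
    """
    selectors, action = line.split(None, 1)
    action = action.strip()
    if action.startswith("-"):      # leading '-' only means "no sync per write"
        action = action[1:]
    masks = {fac: set() for fac in FACILITIES}
    for sel in selectors.split(";"):
        fac_part, prio_part = sel.rsplit(".", 1)
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        negate = prio_part.startswith("!")
        prio_part = prio_part.lstrip("!")
        exact = prio_part.startswith("=")
        prio_part = prio_part.lstrip("=")
        for fac in facs:
            if fac not in masks:
                raise ValueError(f"unknown facility {fac!r} in selector {sel!r}")
            if prio_part == "none":
                masks[fac].clear()                      # drop this facility entirely
            elif prio_part == "*":
                masks[fac] = set() if negate else set(PRIORITIES)
            else:
                level = _prio_level(prio_part)
                chosen = {PRIORITIES[level]} if exact else set(PRIORITIES[: level + 1])
                if negate:
                    masks[fac] -= chosen
                else:
                    masks[fac] |= chosen
    return masks, action


def parse_config(text):
    """Parse a whole configuration, ignoring blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_line(line))
    return rules


def destinations(rules, facility, priority):
    """Sorted list of actions that a facility.priority message reaches."""
    priority = ALIASES.get(priority, priority)
    return sorted(action for masks, action in rules if priority in masks[facility])


# The four-line configuration from the article (constructed inline for this example).
SYSLOG_CONF = """\
*.*;auth,authpriv.none;local4.none                                        -/var/log/syslog
*.=debug;auth,authpriv.none;local4.none;news.none;mail.none               -/var/log/debug
daemon.*;mail.*;news.err;*.=debug;*.=info;*.=notice;*.=warn;local4.none   |/dev/xconsole
local4.*                                                                  -/var/log/openldap
"""

RULES = parse_config(SYSLOG_CONF)

if __name__ == "__main__":
    for fac, pri in [("local4", "info"), ("local4", "debug"), ("daemon", "info"), ("auth", "info")]:
        print(f"{fac}.{pri:<7} -> {destinations(RULES, fac, pri)}")
```

Running it shows that local4.info and local4.debug reach only /var/log/openldap, while daemon.info still goes to both /var/log/syslog and the xconsole pipe, which is the behaviour the configuration is meant to produce. The evaluator also makes the override rule visible for the default Debian lines: auth.info is excluded from /var/log/syslog by auth,authpriv.none, yet still reaches /dev/xconsole through the *.=info selector on the third line.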