diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 924b00a431..6e68a849b4 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -1464,6 +1464,9 @@ in order to work over all of the glued databases. E.g. .B [credentials=] .B [realm=] .B [secprops=] +.B [logbase=] +.B [logfilter=] +.B [syncdata=default|accesslog|changelog] .RS Specify the current database as a replica which is kept up-to-date with the master content by establishing the current @@ -1568,6 +1571,22 @@ keyword above) for a SASL bind can be set with the option. A non default SASL realm can be set with the .B realm option. + +Rather than replicating whole entries, the consumer can query logs of +data modifications. This mode of operation is referred to as \fIdelta +syncrepl\fP. In addition to the above parameters, the +.B logbase +and +.B logfilter +parameters must be set appropriately for the log that will be used. The +.B syncdata +parameter must be set to either "accesslog" if the log conforms to the +.BR slapo-accesslog (5) +log format, or "changelog" if the log conforms +to the obsolete \fIchangelog\fP format. If the +.B syncdata +parameter is omitted or set to "default" then the log parameters are +ignored. .RE .TP .B updatedn diff --git a/doc/man/man5/slapo-accesslog.5 b/doc/man/man5/slapo-accesslog.5 index d49dbea6ce..b38583abba 100644 --- a/doc/man/man5/slapo-accesslog.5 +++ b/doc/man/man5/slapo-accesslog.5 @@ -74,6 +74,12 @@ log database that supports ordered indexing on generalizedTime attributes, specifying an eq index on the .B reqStart attribute will greatly benefit the performance of the purge operation. +.TP +.B logsuccess TRUE | FALSE +If set to TRUE then log records will only be generated for successful +requests, i.e., requests that produce a result code of 0 (LDAP_SUCCESS). +If FALSE, log records are generated for all requests whether they +succeed or not. The default is FALSE. .SH EXAMPLES .LP 
@@ -116,7 +122,7 @@ class is as follows: SUP top STRUCTURAL MUST ( reqStart $ reqType $ reqSession ) MAY ( reqDN $ reqAuthzID $ reqControls $ reqRespControls $ - reqEnd $ reqResult $ reqMessage ) ) + reqEnd $ reqResult $ reqMessage $ reqReferral ) ) .RE .P Note that all of the OIDs used in the logging schema currently reside @@ -179,6 +185,11 @@ accompanied by a text error message which will be recorded in the .B reqMessage attribute. +The +.B reqReferral +attribute carries any referrals that were returned with the result of the +request. + Operation-specific classes are defined with additional attributes to carry all of the relevant parameters associated with the operation: @@ -210,7 +221,7 @@ The .B Add class inherits from the .B auditWriteObject -class. The Add and Modify classes are essentially the same. The +class. The Add and Modify classes are very similar. The .B reqMod attribute carries all of the attributes of the original entry being added. (Or in the case of a Modify operation, all of the modifications being @@ -234,12 +245,15 @@ have the '+' designator. NAME 'auditBind' DESC 'Bind operation' SUP auditObject STRUCTURAL - MUST reqMethod ) + MUST ( reqVersion $ reqMethod ) ) .RE .P The .B Bind -class just adds the +class includes the +.B reqVersion +attribute which contains the LDAP protocol version specified in the Bind +as well as the .B reqMethod attribute which contains the Bind Method used in the Bind. This will be the string 
@@ -268,19 +282,49 @@ attribute carries the Attribute Value Assertion used in the compare request. .LP .RS 4 ( 1.3.6.1.4.1.4203.666.11.5.2.8 - NAME 'auditModify' - DESC 'Modify operation' + NAME 'auditDelete' + DESC 'Delete operation' SUP auditWriteObject STRUCTURAL - MUST reqMod ) + MAY reqOld ) .RE .P The -.B Modify -operation has already been described. +.B Delete +operation needs no further parameters. However, the +.B reqOld +attribute may optionally be used to record the contents of the entry prior +to its deletion. The values are formatted as +.RS +.RS +.PD 0 +.TP +attribute: value +.RE +.PD +This option is not yet implemented. .LP .RS 4 ( 1.3.6.1.4.1.4203.666.11.5.2.9 + NAME 'auditModify' + DESC 'Modify operation' + SUP auditWriteObject STRUCTURAL + MAY reqOld MUST reqMod ) +.RE +.P +The +.B Modify +operation contains a description of modifications in the +.B reqMod +attribute, which was already described above in the Add operation. It may +optionally contain the previous contents of any modified attributes in the +.B reqOld +attribute, using the same format as described above for the Delete operation. +This option is not yet implemented. + +.LP +.RS 4 +( 1.3.6.1.4.1.4203.666.11.5.2.10 NAME 'auditModRDN' DESC 'ModRDN operation' SUP auditWriteObject STRUCTURAL @@ -307,11 +351,11 @@ the new parent. .LP .RS 4 -( 1.3.6.1.4.1.4203.666.11.5.2.10 +( 1.3.6.1.4.1.4203.666.11.5.2.11 NAME 'auditSearch' DESC 'Search operation' SUP auditReadObject STRUCTURAL - MUST ( reqScope $ reqAttrsOnly ) + MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly ) MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $ reqTimeLimit ) ) .RE 
@@ -320,12 +364,22 @@ For the .B Search class the .B reqScope -attribute contains the scope of the original search request, i.e. +attribute contains the scope of the original search request, using the +values specified for the LDAP URL format. I.e. .BR base , -.BR onelevel , -.BR subtree , +.BR one , +.BR sub , or -.BR subordinate . +.BR subord . +The +.B reqDerefAliases +attribute is one of +.BR never , +.BR finding , +.BR searching , +or +.BR always , +denoting how aliases will be processed during the search. The .B reqAttrsOnly attribute is a Boolean value showing @@ -352,7 +406,7 @@ attributes indicate what limits were requested on the search operation. .LP .RS 4 -( 1.3.6.1.4.1.4203.666.11.5.2.11 +( 1.3.6.1.4.1.4203.666.11.5.2.12 NAME 'auditExtended' DESC 'Extended operation' SUP auditObject STRUCTURAL diff --git a/doc/man/man5/slapo-syncprov.5 b/doc/man/man5/slapo-syncprov.5 index 02cf233740..884ceeff53 100644 --- a/doc/man/man5/slapo-syncprov.5 +++ b/doc/man/man5/slapo-syncprov.5 
@@ -52,10 +52,25 @@ specifies the number of operations that are recorded in the log. All write operations (except Adds) are recorded in the log. When using the session log, it is helpful to set an eq index on the entryUUID attribute in the underlying database. +.TP +.B syncprov-nopresent TRUE | FALSE +Specify that the Present phase of refreshing should be skipped. This value +should only be set TRUE for a syncprov instance on top of a log database +(such as one managed by the accesslog overlay). +The default is FALSE. +.TP +.B syncprov-reloadhint TRUE | FALSE +Specify that the overlay should honor the reloadHint flag in the Syncrepl +Control. In OpenLDAP releases 2.3.11 and earlier the Syncrepl consumer did +not properly set this flag, so the overlay must ignore it. This option +should be set TRUE when working with newer releases that properly support +this flag. It must be set TRUE when using the accesslog overlay for +delta-based Syncrepl support. The default is FALSE. .SH FILES .TP ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO -.BR slapd.conf (5). +.BR slapd.conf (5), +.BR slapo-accesslog (5). OpenLDAP Administrator's Guide.
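Review bot: in doc/man/man5/slapd.conf.5, the new delta syncrepl paragraph (hunk at -1568) says logbase and logfilter "must be set appropriately" but does not say what happens when syncdata is "accesslog" or "changelog" and one of them is missing. State whether that is a configuration error or a silent fallback to plain syncrepl. The paragraph also omits the provider-side requirement: the slapo-syncprov.5 hunk in this patch says syncprov-reloadhint must be TRUE for delta-based Syncrepl, so a pointer to slapo-syncprov(5) belongs here next to the existing slapo-accesslog(5) reference.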
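Review bot: in doc/man/man5/slapo-accesslog.5, the logsuccess entry (hunk at -74) should say what is lost when it is TRUE. With only result code 0 (LDAP_SUCCESS) recorded, failed Binds and rejected write requests never reach the log, so a log database configured this way cannot serve as an audit trail. If the option exists for logs that feed delta syncrepl, say so, and add a sentence recommending the default of FALSE wherever the log is used for auditing.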
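Review bot: in the auditBind hunk of slapo-accesslog.5 (-234), reqVersion is added as a MUST attribute, and the auditSearch hunk (-307) does the same with reqDerefAliases, but neither says what happens to log entries written under the old definitions. Entries recorded with "MUST reqMethod" or "MUST ( reqScope $ reqAttrsOnly )" no longer conform to the documented classes. Either note that an existing log database has to be emptied or reloaded after the upgrade, or list the new attributes under MAY.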
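Review bot: the hunks at -268, -307 and -352 of slapo-accesslog.5 reuse OIDs for different classes without mentioning it: 1.3.6.1.4.1.4203.666.11.5.2.8 moves from auditModify to the new auditDelete, and auditModify, auditModRDN, auditSearch and auditExtended each shift up by one (.9 to .12). A consumer or log database that holds the old schema will resolve these OIDs to the wrong class, so call out the renumbering in the text or give auditDelete the next free OID instead. Two smaller points in the -268 hunk: "MAY reqOld MUST reqMod" should be written with MUST before MAY, the order the object class description syntax expects, and the Delete description opens two .RS blocks but closes only one with .RE before "This option is not yet implemented."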
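Review bot: in the reqScope paragraph (hunk at -320 of slapo-accesslog.5), the documented values change from onelevel, subtree and subordinate to one, sub and subord without saying this is a change in what gets written to the log. Anything that parses or filters on reqScope in existing logs will stop matching, so add a sentence noting that logs may contain the longer spellings or that they are no longer produced. The fragment "I.e. base, one, sub, or subord." would also read better folded into the preceding sentence, for example "that is, one of base, one, sub, or subord".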
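Review bot: in doc/man/man5/slapo-syncprov.5 (hunk at -52), both new options describe when to set them but not what goes wrong otherwise. syncprov-nopresent "should only be set TRUE" on top of a log database: say what a consumer of an ordinary database would miss if the Present phase is skipped. syncprov-reloadhint defaults to FALSE yet "must be set TRUE" for delta-based Syncrepl: say what failure an administrator sees with the default, so that a misconfigured provider can be diagnosed from the consumer side.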