Tags: docker, ldap, fifo, audit-logging, 389ds

ldap 389ds - logging - cat <> stdout-fifo-pipe-file > /dev/stdout - No AUDIT logs 0 byte file


I have an LDAP (Helm chart) running a 389ds container under the hood.

I noticed that in the chart there's this folder: docker-entrypoint-init.d/, which contains a bunch of numbered shell scripts. Example: 1-logging.sh, 2-somename.sh, 3-othername.sh, and so on.

The Helm chart successfully installs and runs the 389ds LDAP server, i.e. the pod is RUNNING (green).

  1. LDAP bind etc. operations are working without any issues.
  2. I can run the ldapmodify command etc. successfully.

The 1-logging.sh file contains the following lines (it seems to be creating some pipes and then redirecting the pipe output to /dev/{stdout,stderr}):

# Activate fifo pipes
log_info "Activating stdout pipe"
cat <> /tmp/stdout-fifo > /dev/stdout &

log_info "Activating stderr pipe"
cat <> /tmp/stderr-fifo > /dev/stderr &

Question 1: What exactly is this line cat <> /tmp/stdout-fifo > /dev/stdout doing here?

I'm able to successfully run the ldapmodify command to change a user's password (viewing the pod's log data in the Rancher UI > Workloads > pods > ldap-0 pod > View Logs shows me the pod's log as it grows, and there are entries related to the ldapmodify operation, i.e. reflecting that something changed in the LDAP database for that target user).

For any other operation, like access and error, I see the corresponding file has a valid size and contains some log data. The LDAP settings for audit and access/error are similar (as per the URL shown below).

I also noticed that the contents of the access file do not fully contain/grow exactly like what I see when I view the logs using View Logs (at the pod level in Rancher).

The LDAP settings for creating/specifying output files for access, error and audit are defined here: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_auditlog_Audit_Log

and in my case I see:

# cat -n /var/lib/dirsrv/etc/slapd-dir/dse.ldif|grep audit    
    28  nsslapd-auditlog: /tmp/stdout-fifo                      <-- audit log file
    29  nsslapd-auditfaillog: /var/log/dirsrv/slapd-dir/audit   <-- audit-fail log file
    78  nsslapd-auditlog-mode: 640
    79  nsslapd-auditlog-maxlogsperdir: 1
    80  nsslapd-auditlog-logrotationtime: -1
    81  nsslapd-auditlog-logrotationtimeunit: day
    82  nsslapd-auditlog-logmaxdiskspace: 500
    83  nsslapd-auditlog-logminfreediskspace: 200
    84  nsslapd-auditlog-logging-enabled: on                    <-- audit logging turned ON

Looking at the above configuration, I see that LDAP is creating 3 files (access, error and audit) under its log directory, BUT the audit FAIL-LOG file is EMPTY/blank = 0 bytes, possibly because there are NO real errors while running ldapmodify / audit-related operations:

# ls -l /var/log/dirsrv/slapd-dir | grep -v rotat
total 192
-rw-r-----. 1 ldapuser ldap 157028 Mar 20 21:32 access
-rw-r-----. 1 ldapuser ldap      0 Mar 20 21:30 audit        <--------- 0 bytes
-rw-r-----. 1 ldapuser ldap  22935 Mar 20 21:32 errors

Question 2: What can I change in the nsslapd-audit configurations above so that I can have both LDAP audit "successful and failed" events in the same /var/log/dirsrv/slapd-dir/audit file, without impacting/touching the /tmp/stdout-fifo used by the nsslapd-auditlog: entry?
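The following script is an added example (it is not code from the chart or from 389ds) that reproduces the construct in 1-logging.sh in a temporary directory, with a regular file standing in for /dev/stdout, so that the effect of `cat <> fifo > out &` can be observed without a running container. It also shows the contrast with a plain read-only open, which is why the `<>` matters for an audit log: a forwarder that exits after the first write would silently drop every later audit entry. The FIFO and file names, and the two log lines written into the pipe, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the chart or from 389ds): reproduce the FIFO
# forwarding trick from 1-logging.sh in a temporary directory, with a plain
# file standing in for /dev/stdout, so the effect of "cat <> fifo > out &"
# can be watched without a running container.
#
# Why "<>": a FIFO opened read-only blocks until some writer opens it, and
# the reader sees EOF (so cat exits) as soon as the last writer closes.
# Opening it read+write keeps a writer end open inside cat itself, so the
# forwarder neither blocks at start-up nor dies between two log writes.

setup_fifo_forwarder() {
    WORKDIR=$(mktemp -d)
    FIFO="$WORKDIR/stdout-fifo"       # stands in for /tmp/stdout-fifo
    OUT="$WORKDIR/container-stdout"   # stands in for /dev/stdout
    mkfifo "$FIFO"
    cat <> "$FIFO" > "$OUT" &         # same construct as 1-logging.sh
    FORWARDER_PID=$!
}

# Each call opens, writes and closes the FIFO, like separate log writes
# made by the directory server.
write_audit_entry() {
    printf '%s\n' "$1" > "$FIFO"
}

# Number of lines that reached the stand-in "stdout" (after a short wait
# for the background cat to pass the data through).
forwarded_line_count() {
    sleep 1
    wc -l < "$OUT" | tr -d ' '
}

teardown_fifo_forwarder() {
    kill "$FORWARDER_PID" 2>/dev/null
    rm -rf "$WORKDIR"
}

# Succeeds (exit 0) when both constructed entries were forwarded and the
# forwarder is still alive after both writers closed.
demo_readwrite_forwarder() {
    setup_fifo_forwarder
    write_audit_entry "time: 20230320213000 (constructed audit line)"
    write_audit_entry "dn: uid=example,ou=people,dc=example,dc=com (constructed)"
    alive=0
    kill -0 "$FORWARDER_PID" 2>/dev/null && alive=1
    count=$(forwarded_line_count)
    teardown_fifo_forwarder
    echo "forwarder alive: $alive, lines forwarded: $count"
    [ "$alive" = 1 ] && [ "$count" = 2 ]
}

# Contrast: with a read-only open the forwarder exits after the first
# writer closes. Succeeds (exit 0) when cat is already gone.
demo_readonly_forwarder_exits() {
    d=$(mktemp -d)
    mkfifo "$d/fifo"
    cat < "$d/fifo" > "$d/out" &
    p=$!
    printf 'first entry\n' > "$d/fifo"
    sleep 1
    if kill -0 "$p" 2>/dev/null; then gone=0; else gone=1; fi
    rm -rf "$d"
    echo "read-only forwarder exited: $gone"
    [ "$gone" = 1 ]
}

demo_readwrite_forwarder
demo_readonly_forwarder_exits
```

Run it with `sh fifo-demo.sh`: the first demo reports the forwarder still alive with two lines forwarded, the second reports that the read-only forwarder has already exited after a single write.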


Solution

  • Question 2 answer:

    Added:

    nsslapd-auditfaillog: /tmp/stdout-fifo
    nsslapd-auditfaillog-logging-enabled: on
    
    ... more nsslapd-auditfaillog-* settings here...
    

    NOTE: If you don't specify the nsslapd-auditfaillog entry at all, then as per the documentation (settings) mentioned in the following URL, failed LDAP audit logs/operations (i.e. auditfaillog) will automatically go to the same file (defined by the auditlog entry). I did specify all the other settings for nsslapd-auditfaillog-*.

    NOTE: In my case, I went with the FIFO file for both audit and failed audit operations. But if you want a regular file (rather than a FIFO), then instead of using the /tmp/stdout-fifo file, specify the file value as /var/log/dirsrv/slapd-dir/audit for both the auditlog and auditfaillog settings, and 389ds will send all audit data (successful and failed) to a single file.

    Later we can use FluentD/Fluent-Bit to slurp it, parse it and send it to some target output (an Elastic index, etc.).

    Refer: https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_auditfaillog_Audit_Fail_Log
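The following check is an added example (not the chart's or 389ds's own code) that reads the audit and audit-fail attributes out of a dse.ldif and reports whether successful and failed operations end up in the same sink. It only encodes the rule the answer above states: with no nsslapd-auditfaillog attribute at all, failed operations fall back to the nsslapd-auditlog file; with an explicit attribute, that file is used, subject to its own logging-enabled switch. It reads what is literally in the file and does not model server defaults. The three dse.ldif fragments it builds are constructed to mirror the question's configuration, the answer's FIFO configuration and the answer's regular-file alternative.

```shell
#!/bin/sh
# Added example (not the chart's or 389ds's own code): inspect a dse.ldif
# for the audit / audit-fail attributes discussed above and report where
# failed operations will be logged, using the rule stated in the answer:
# no nsslapd-auditfaillog attribute -> falls back to nsslapd-auditlog;
# explicit attribute -> that file, subject to its own enabled switch.
# The dse.ldif fragments below are constructed for the demonstration.

# Value of the first occurrence of ATTR in FILE (empty if absent).
# The ":" in the pattern keeps nsslapd-auditlog from matching
# nsslapd-auditlog-mode and the other nsslapd-auditlog-* attributes.
ldif_attr() {   # ldif_attr FILE ATTR
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Prints one line:
#   same:<path>        successful and failed events share one sink
#   split:<ok>|<fail>  they are written to different files
#   audit-off          nsslapd-auditlog-logging-enabled is not "on"
#   fail-off           explicit auditfaillog whose enabled switch is not "on"
audit_sink_report() {   # audit_sink_report FILE
    auditlog=$(ldif_attr "$1" nsslapd-auditlog)
    audit_on=$(ldif_attr "$1" nsslapd-auditlog-logging-enabled)
    faillog=$(ldif_attr "$1" nsslapd-auditfaillog)
    fail_on=$(ldif_attr "$1" nsslapd-auditfaillog-logging-enabled)

    if [ "$audit_on" != on ]; then
        echo audit-off
    elif [ -z "$faillog" ]; then
        echo "same:$auditlog"          # fallback described in the answer
    elif [ "$fail_on" != on ]; then
        echo fail-off
    elif [ "$faillog" = "$auditlog" ]; then
        echo "same:$auditlog"
    else
        echo "split:$auditlog|$faillog"
    fi
}

# Constructed fragment mirroring the question's configuration: audit log
# to the FIFO, audit-fail log to a regular file, no enabled switch for it.
report_question_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
nsslapd-auditlog: /tmp/stdout-fifo
nsslapd-auditfaillog: /var/log/dirsrv/slapd-dir/audit
nsslapd-auditlog-mode: 640
nsslapd-auditlog-logging-enabled: on
EOF
    audit_sink_report "$f"
    rm -f "$f"
}

# Constructed fragment mirroring the answer: both attributes point at the
# FIFO and fail logging is switched on.
report_answer_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
nsslapd-auditlog: /tmp/stdout-fifo
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog: /tmp/stdout-fifo
nsslapd-auditfaillog-logging-enabled: on
EOF
    audit_sink_report "$f"
    rm -f "$f"
}

# Constructed fragment for the answer's second NOTE: a regular file for both.
report_regular_file_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
nsslapd-auditlog: /var/log/dirsrv/slapd-dir/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog: /var/log/dirsrv/slapd-dir/audit
nsslapd-auditfaillog-logging-enabled: on
EOF
    audit_sink_report "$f"
    rm -f "$f"
}

echo "question config: $(report_question_config)"
echo "answer config:   $(report_answer_config)"
echo "regular file:    $(report_regular_file_config)"
```

Against a real container, point `audit_sink_report` at /var/lib/dirsrv/etc/slapd-dir/dse.ldif; anything other than a `same:` result means failed modifications are not landing in the sink that the log collector is reading.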