Issue #333 has been updated by Nick Milas.
Hi,
Sorry for the delayed reply.
I had to re-open the issue, because I was getting daily warnings from logwatch:
<pre>
--------------------- pam_unix Begin ------------------------
su-l:
Unknown Entries:
session closed for user ldap: 1 Time(s)
session opened for user ldap by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
</pre>
and I was also getting temporary failures to send mail from the mail server, which
uses an LDAP backend. This was due to the slapd restart, which caused temporary
user lookup failures (during the slapd restart).
I finally tried to comment out the following lines in /etc/logrotate.d/openldap:
<pre>
if test -n "`ps acx|grep slapd`"; then
/sbin/service slapd restart
fi
</pre>
It has been working fine for 10 days now. OpenLDAP writes to the new log file
after log rotation without problems.
Nick
----------------------------------------
Feature #333: pam_unix records event
http://tools.lsc-project.org/issues/333
Author: Nick Milas
Status: New
Priority: Normal
Assigned to:
Category:
Target version: openldap-rpm-?
Hello,
I am using
http://tools.ltb-project.org/attachments/download/226/openldap-ltb-2.4.26-1.el5.x86_64.rpm
on two boxes and it's working without problems.
Yet, I have noticed that /var/log/secure records the following events when
daily cron jobs run (4:02AM).
<pre>
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session opened for user ldap by (uid=0)
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session closed for user ldap
</pre>
This recording, although probably harmless, should best be avoided.
I assume it is obviously due to slapd restart by the logrotate script:
<pre>
# cat /etc/logrotate.d/openldap
#=================================================
# Logrotate script for OpenLDAP
#
# Provided by LTB-project (http://www.ltb-project.org)
#=================================================
/var/log/openldap.log {
daily
rotate 10
missingok
notifempty
sharedscripts
postrotate
# reload syslog
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
# only restart if slapd is really running
if test -n "`ps acx|grep slapd`"; then
/sbin/service slapd restart
fi
endscript
}
</pre>
[Note that this is related to the older issue:
http://tools.ltb-project.org/issues/314.]
I would like to mention that this doesn't happen on other ldap 2.4.22 servers
running (on other boxes) with the following logrotate script:
<pre>
# cat /etc/logrotate.d/ldap2.4
/var/log/ldap2.4/ldap.log {
missingok
notifempty
compress
daily
rotate 10
size=10M
sharedscripts
postrotate
# OpenLDAP logs via syslog, restart syslog if running
/etc/init.d/syslog condrestart
endscript
}
</pre>
So, I am wondering if you consider it correct from your side for us to try to
use the above script (adapted) for ltb-openldap log rotation. You may also want
to test it on your test rigs.
Best regards,
Nick
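Added example, not from the issue or the LTB project: a small Python triage script that parses /var/log/secure lines like the ones quoted above and separates the su-l session for the ldap user opened by root inside the 04:02 daily cron window (the rotation-induced entry) from any other su-l session to that account, which is what the noise would otherwise hide. The sample lines, the year and the 300-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the /var/log/secure excerpt in the report.
SAMPLE_SECURE_LOG = """\
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session opened for user ldap by (uid=0)
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session closed for user ldap
Aug 25 09:15:41 vmail su: pam_unix(su-l:session): session opened for user ldap by nick(uid=500)
Aug 25 09:16:02 vmail su: pam_unix(su-l:session): session closed for user ldap
Aug 25 10:00:00 vmail sshd[2211]: pam_unix(sshd:session): session opened for user nick by (uid=0)
"""

# Matches only pam_unix su-l session lines; "by (uid=0)" has an empty caller name.
PAM_SU = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) su: "
    r"pam_unix\(su-l:session\): session (?P<event>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S*)\(uid=(?P<uid>\d+)\))?$"
)


def parse_su_sessions(text, year=2011):
    """Return one dict per pam_unix su-l session line; other lines are ignored.
    syslog timestamps carry no year, so the caller supplies it (assumed 2011 here)."""
    events = []
    for line in text.splitlines():
        m = PAM_SU.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "event": m["event"],
                       "user": m["user"], "by": m["by"] or "", "uid": m["uid"]})
    return events


def in_cron_window(ts, hour=4, minute=2, slack=300):
    """True when ts lies within `slack` seconds after the daily cron start (04:02)."""
    start = ts.replace(hour=hour, minute=minute, second=0)
    return 0 <= (ts - start).total_seconds() <= slack


def classify(text, service_user="ldap", year=2011):
    """Split 'session opened' events for service_user into the expected
    rotation-induced one (root, inside the cron window) and everything else."""
    expected, unexpected = [], []
    for ev in parse_su_sessions(text, year):
        if ev["user"] != service_user or ev["event"] != "opened":
            continue
        if ev["uid"] == "0" and in_cron_window(ev["ts"]):
            expected.append(ev)
        else:
            unexpected.append(ev)
    return expected, unexpected
```

Once the restart is removed from the postrotate script, the "expected" list should be empty every day, so any remaining su-l session to the ldap account is worth a look.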
ltb-dev mailing list
http://lists.ltb-project.org/listinfo/ltb-dev