[ltb-dev] [LDAP Tool Box - Feature #333] (Closed) pam_unix records event

noreply at lsc-project.org
Fri Nov 25 15:07:04 CET 2011


Issue #333 has been updated by Clément OUDOT.

Status changed from Assigned to Closed
% Done changed from 0 to 100

Done in r218
----------------------------------------
Feature #333: pam_unix records event
http://tools.lsc-project.org/issues/333

Author: Nick Milas
Status: Closed
Priority: Normal
Assigned to: Clément OUDOT
Category: OpenLDAP RPM
Target version: openldap-rpm-2.4.27


Hello, 

I am using http://tools.ltb-project.org/attachments/download/226/openldap-ltb-2.4.26-1.el5.x86_64.rpm on two boxes and it's working without problems. 

Yet, I have noticed that /var/log/secure records the following events when daily cron jobs run (4:02AM).

<pre>
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session opened for user ldap by (uid=0)
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session closed for user ldap
</pre>

This recording, although probably harmless, should best be avoided.

I assume it is obviously due to the slapd restart by the logrotate script:

<pre>
# cat /etc/logrotate.d/openldap

#=================================================
# Logrotate script for OpenLDAP
#
# Provided by LTB-project (http://www.ltb-project.org)
#=================================================

/var/log/openldap.log {
    daily
    rotate 10
    missingok
    notifempty
    sharedscripts
    postrotate
        # reload syslog
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        # only restart if slapd is really running
        if test -n "`ps acx|grep slapd`"; then
                /sbin/service slapd restart
        fi
    endscript
}
</pre>

[Note that this is related to the older issue: http://tools.ltb-project.org/issues/314.]

I would like to mention that this doesn't happen on other ldap 2.4.22 servers running (on other boxes) with the following logrotate script:

<pre>
# cat /etc/logrotate.d/ldap2.4 

/var/log/ldap2.4/ldap.log {
    missingok
    notifempty
    compress
    daily
    rotate 10
    size=10M
    sharedscripts
    postrotate
        # OpenLDAP logs via syslog, restart syslog if running
        /etc/init.d/syslog condrestart
    endscript
}
</pre>

So, I am wondering if you consider it correct from your side for us to try to use the above script (adapted) for ltb-openldap log rotation. You may also want to test it on your test rigs.

Best regards,
Nick
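
For triaging records like the two quoted in this report, the following added example (not part of the issue or of the LTB packages) pairs pam_unix su session records and picks out root-initiated ones that recur at the same minute on different days, the pattern the report attributes to the daily cron run. The sample log is constructed: it extends the quoted lines with an invented interactive session and a second day, and all function names are this example's own.

```python
import re

# Constructed sample: the two quoted lines, plus an invented interactive
# session and a second day so the recurrence check has something to find.
SAMPLE = """\
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session opened for user ldap by (uid=0)
Aug 25 04:02:09 vmail su: pam_unix(su-l:session): session closed for user ldap
Aug 25 11:37:41 vmail su: pam_unix(su-l:session): session opened for user ldap by admin(uid=500)
Aug 25 11:52:10 vmail su: pam_unix(su-l:session): session closed for user ldap
Aug 26 04:02:11 vmail su: pam_unix(su-l:session): session opened for user ldap by (uid=0)
Aug 26 04:02:11 vmail su: pam_unix(su-l:session): session closed for user ldap
"""

LINE = re.compile(
    r"^(?P<date>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"pam_unix\((?P<svc>[^:]+):session\): session (?P<ev>opened|closed) "
    r"for user (?P<user>\S+)(?: by (?P<by>\S*)\(uid=(?P<uid>\d+)\))?$")

def parse_sessions(text):
    """Pair opened/closed records per (host, service, user), in log order."""
    pending, sessions = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["host"], m["svc"], m["user"])
        if m["ev"] == "opened" and m["uid"] is not None:
            pending.setdefault(key, []).append(m)
        elif m["ev"] == "closed" and pending.get(key):
            o = pending[key].pop()
            sessions.append({"user": m["user"], "date": o["date"], "start": o["time"],
                             "end": m["time"], "by": o["by"], "uid": int(o["uid"])})
    return sessions

def unattended(sessions):
    """Opened by uid 0 with an empty invoking-user field, as in the quoted lines."""
    return [s for s in sessions if s["uid"] == 0 and s["by"] == ""]

def recurring_slots(sessions, min_days=2):
    """Map (user, HH:MM) -> number of dates, for slots seen on >= min_days dates."""
    days = {}
    for s in unattended(sessions):
        days.setdefault((s["user"], s["start"][:5]), set()).add(s["date"])
    return {slot: len(d) for slot, d in days.items() if len(d) >= min_days}

if __name__ == "__main__":
    all_sessions = parse_sessions(SAMPLE)
    for slot, n in recurring_slots(all_sessions).items():
        print("recurring root-initiated su:", slot, "on", n, "days")
    for s in all_sessions:
        if s not in unattended(all_sessions):
            print("review:", s)
```

Sessions that fall outside a recurring slot, such as the constructed one opened by a named user, are the ones left for manual review.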

