When setting up OpenLDAP logging on CentOS 6, many administrators encounter situations where the log file is created but remains empty despite active LDAP operations. Here's the proper way to configure logging with detailed examples:
# First create dedicated log directory with proper permissions
mkdir -p /var/log/slapd
chown ldap:ldap /var/log/slapd
chmod 750 /var/log/slapd
The modern way to configure OpenLDAP logging is through dynamic runtime configuration. Here's the complete proper method:
# Create LDIF file for configuration
cat > ldap_logging.ldif <<EOF
dn: cn=config
changetype: modify
replace: olcLogFile
olcLogFile: /var/log/slapd/slapd.log
-
replace: olcLogLevel
olcLogLevel: stats
olcLogLevel: config
olcLogLevel: conns
olcLogLevel: filter
olcLogLevel: acl
olcLogLevel: shell
EOF
# Apply the configuration
ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_logging.ldif
After applying changes, verify the settings took effect:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcLogFile=*)'
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcLogLevel=*)'
Several factors can prevent logging from working:
# Check SELinux context (even if temporarily disabled)
ls -Z /var/log/slapd/
# Alternative quick fix if SELinux was enabled:
semanage fcontext -a -t slapd_log_t "/var/log/slapd(/.*)?"
restorecon -Rv /var/log/slapd
# Verify ldap user has write permissions
sudo -u ldap touch /var/log/slapd/test.log
When basic logging fails, try these advanced methods:
# Run slapd in debug mode temporarily
killall slapd
/usr/sbin/slapd -h "ldap:/// ldapi:///" -u ldap -g ldap -d 256
# Alternative log destination
olcLogFile: syslog
For production systems, implement proper log rotation:
cat > /etc/logrotate.d/slapd <<EOF
/var/log/slapd/slapd.log {
weekly
missingok
rotate 12
compress
delaycompress
notifempty
create 640 ldap ldap
sharedscripts
postrotate
/etc/init.d/slapd restart >/dev/null
endscript
}
EOF
Sometimes the issue lies with the slapd process itself:
# Verify slapd is running as correct user
ps aux | grep slapd
# Check process file descriptor limits
cat /proc/$(pgrep -o -x slapd)/limits | grep "Max open files"
Remember that after making configuration changes, you need to restart the slapd service for changes to take effect:
service slapd restart
# Or for CentOS 6:
/etc/init.d/slapd restart
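The ldapmodify step above is only useful if slapd actually accepts the LDIF; a value repeated inside one modification (for example the same olcLogLevel keyword listed twice) is rejected with "Type or value exists (20)" and nothing is applied, which is easy to miss inside a script. The following is an added example, not code from this answer or from the OpenLDAP project: a small pre-check, written in POSIX sh with awk, that flags repeated attribute values in a cn=config LDIF before it is handed to ldapmodify. The sample LDIF it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the answer above): pre-check a cn=config LDIF for an
# attribute that repeats the same value inside one modification. slapd rejects
# such a change with "Type or value exists (20)", so ldapmodify fails and the
# logging settings are never applied.
# Usage: check_ldif_dups FILE  -> prints "attr: value" for each repeat;
#        exit 0 when clean, 1 when duplicates were found.
check_ldif_dups() {
    awk '
        # A lone "-" ends one modification; start a fresh seen-table.
        /^-$/ { split("", seen); next }
        # Skip comments, blank lines and the LDIF control lines.
        /^#/ || /^$/ || /^(dn|changetype|add|replace|delete):/ { next }
        /^[A-Za-z][A-Za-z0-9;-]*:/ {
            attr = $0; sub(/:.*/, "", attr)
            val  = $0; sub(/^[^:]*:[ \t]*/, "", val)
            key  = attr SUBSEP val
            if (key in seen) { printf "%s: %s\n", attr, val; dups++ }
            seen[key] = 1
        }
        END { exit (dups ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the shape of a logging LDIF with "stats" listed twice.
# Writes the file and prints its path.
sample_ldif() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
dn: cn=config
changetype: modify
replace: olcLogFile
olcLogFile: /var/log/slapd/slapd.log
-
replace: olcLogLevel
olcLogLevel: stats
olcLogLevel: conns
olcLogLevel: acl
olcLogLevel: stats
EOF
    printf '%s\n' "$f"
}

# Stand-alone run:  sh check_ldif.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_ldif)
    if check_ldif_dups "$f"; then
        echo "no duplicate values, safe to pass to ldapmodify"
    else
        echo "fix the repeats above before running ldapmodify"
    fi
    rm -f "$f"
fi
```

Run it against the real LDIF (`check_ldif_dups ldap_logging.ldif && ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_logging.ldif`) so the modify only runs when the file is clean; the check looks only at syntax-level repeats, it does not validate that the keywords themselves are ones slapd knows.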
When configuring OpenLDAP on CentOS 6, many administrators encounter situations where log files remain empty despite proper configuration. The core issue typically stems from multiple configuration layers interacting in unexpected ways.
First, let's verify the current OpenLDAP configuration using this command:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcLogLevel=*)' olcLogLevel
The initial approach shown in the question is correct, but we need to ensure all components are properly set:
# Create a more robust logging configuration
cat <
Beyond basic permissions, we need to consider these aspects:
# Set proper SELinux context if SELinux is enabled
semanage fcontext -a -t slapd_log_t "/var/log/slapd(/.*)?"
restorecon -Rv /var/log/slapd
# Verify openldap can actually write to the directory
sudo -u ldap touch /var/log/slapd/test.log
When direct file logging doesn't work, consider syslog integration:
# Configure syslog for slapd (slapd sends its log messages to the LOCAL4 facility by default)
cat >> /etc/rsyslog.conf << 'EOF'
local4.* /var/log/slapd/slapd.log
EOF
service rsyslog restart
# Then in slapd configuration:
cat > slapd_syslog.ldif << 'EOF'
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f slapd_syslog.ldif
- Verify ldap service restarted successfully
- Check system logs (/var/log/messages) for slapd errors
- Test with higher log levels (olcLogLevel: 65535)
- Ensure no disk space or inode issues
- Confirm ldap user has proper permissions
For persistent issues, run slapd in debug mode:
service slapd stop
# Keep the ldap user/group so the debug run does not leave root-owned database or log files behind
slapd -d 16383 -h "ldap:/// ldapi:///" -u ldap -g ldap
This will output debug information directly to the console, helping identify where the logging pipeline breaks down.
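Both answers mix keyword and numeric log levels (olcLogLevel: stats, slapd -d 256, olcLogLevel: 65535, slapd -d 16383) without saying how they relate. Each keyword is one bit of the same mask, as documented in slapd.conf(5): trace=1, packets=2, args=4, conns=8, BER=16, filter=32, config=64, ACL=128, stats=256, stats2=512, shell=1024, parse=2048, cache=4096, index=8192, sync=16384, none=32768, and any=-1 for everything. The following is an added example, not code from either answer or from OpenLDAP: a POSIX sh converter in both directions, so a value seen in a config or a ps listing can be read back as keywords, and a keyword list can be turned into the integer form.

```shell
#!/bin/sh
# Added example (not code from either answer): translate between OpenLDAP
# olcLogLevel / "slapd -d" keywords and their numeric bit values, using the
# table from slapd.conf(5). cache and index are kept for completeness even
# though 2.4 documents them as unused. Keyword matching is case-insensitive,
# as slapd's own parser is.

LOGLEVEL_TABLE='trace 1
packets 2
args 4
conns 8
BER 16
filter 32
config 64
ACL 128
stats 256
stats2 512
shell 1024
parse 2048
cache 4096
index 8192
sync 16384
none 32768'

# encode_loglevel KEYWORD|NUMBER...  -> integer with the matching bits set.
# "any" yields -1. Unknown keywords are reported on stderr and return 1.
encode_loglevel() {
    total=0
    for kw in "$@"; do
        lc=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        case "$lc" in
            "") continue ;;
            any) printf '%s\n' "-1"; return 0 ;;
            *[!0-9]*) ;;                              # keyword: look it up below
            *) total=$((total | lc)); continue ;;     # already numeric
        esac
        bit=$(printf '%s\n' "$LOGLEVEL_TABLE" | tr 'A-Z' 'a-z' \
              | awk -v k="$lc" '$1 == k { print $2 }')
        [ -n "$bit" ] || { echo "unknown log level keyword: $kw" >&2; return 1; }
        total=$((total | bit))
    done
    printf '%s\n' "$total"
}

# decode_loglevel INTEGER -> space-separated keywords for the bits set, plus
# "unknown:<value>" for bits outside the table (so a stray value is visible).
decode_loglevel() {
    n=$1
    [ "$n" = "-1" ] && { printf '%s\n' any; return 0; }
    out=""; covered=0
    while read -r name bit; do
        if [ $((n & bit)) -ne 0 ]; then
            out="$out $name"; covered=$((covered | bit))
        fi
    done <<EOF
$LOGLEVEL_TABLE
EOF
    rest=$((n - covered))                 # bits not explained by the table
    [ "$rest" -ne 0 ] && out="$out unknown:$rest"
    printf '%s\n' "${out# }"
}

# Stand-alone run:  sh loglevel.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "-d 256        = $(decode_loglevel 256)"
    echo "-d 16383      = $(decode_loglevel 16383)"
    echo "level 65535   = $(decode_loglevel 65535)"
    echo "stats conns   = $(encode_loglevel stats conns)"
fi
```

Reading the two numbers the second answer uses: 16383 is every bit from trace through index (the first fourteen rows), and 65535 additionally sets sync and none; both produce a very large volume of output and are only sensible for a short debugging session, after which the level should go back to something like stats.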