Tracking Client Requests Through Directory Proxy Server and Directory Server Access Logs
To track the path of a client request, you must understand how requests are logged in the Directory Proxy Server access log and in the Directory Server access log. To understand this section, first read Tracking Client Requests Through Directory Proxy Server and Directory Server Access Logs in Sun Java System Directory Server Enterprise Edition 6.2 Reference.
To Track Operations From Directory Server Through Directory Proxy Server to
the Client Application
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
-
Locate the connection number for the operation that you want to track in the Directory Server access log.
For example, the following line in the access log shows an operation, op=2 with connection number conn=12839.
[20/Jul/2006:18:01:49 -0500] conn=12839 op=2 msgId=4 - SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=organizationalunit)" attrs=ALL
-
Obtain the Directory Proxy Server connection information for that connection.
To obtain this information, search the Directory Server access log to locate all operations with the corresponding connection number. For example, on UNIX systems, run the following grep command to locate all lines in the Directory Server access log that correspond to connection conn=12839:
$ grep conn=12839 access
The line showing the initial LDAP connection is what you are looking for and will be similar to this:
[19/Jul/2006:16:32:51 -0500] conn=12839 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 129.153.160.175:57153 to 129.153.160.175
The previous line shows that there is an LDAP connection from 129.153.160.175:57153 to Directory Server. The port number (57153) is the information that is required to link the connection back to the Directory Proxy Server access log. The port number enables you to find the corresponding connection in the Directory Proxy Server log, and to locate the client information from this connection.
If the log files have been rotated since the connection was first established, you need to search the archived log files as well as the current access log file.
-
Locate the corresponding connection in the Directory Proxy Server access log.
To obtain this information, search the Directory Proxy Server access log to locate all operations with the corresponding port number.
You might find multiple entries in the log file with the same port number. To ensure that you locate the correct entry, include the timestamp from the Directory Server log entry in your search.
For example, on UNIX systems, run the following grep command to locate the connection entry that corresponds to the timestamp and port number found in the Directory Server log:
$ grep 19/Jul/2006:16:32 access | grep 57153
Note that the seconds value is excluded from the timestamp to take into account slight differences in server times.
The corresponding line in the Directory Proxy Server log will be similar to this:
[19/Jul/2006:16:32:51 -0500] - SERVER_OP - INFO - Created BIND LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main
This line shows that Directory Proxy Server created a BIND connection to s_conn=sunds-d1m1-9389:34. Directory Proxy Server identifies itself as the client client=0.0.0.0 on TCP port 57153.
The important information to extract from this line of the log is the server ID and port number (s_conn=sunds-d1m1-9389:34).
-
Locate all operations that correspond to the server ID and port number identified in the previous step.
To obtain this information, search the Directory Proxy Server access log for all operations with the corresponding server ID and port number.
For example, on UNIX systems, run the following grep command to locate the operation that corresponds to the server ID found in the previous step:
$ grep s_conn=sunds-d1m1-9389:34 access
In this case, it is not useful to search for the timestamp because these operations might span several days. However, you must determine that the operations returned by the search are the correct ones. If there are multiple Create connection statements, ensure that you locate the one that corresponds to the original search statement. To do this, match the timestamp to the timestamp found in Step 1.
The following extract of the Directory Proxy Server access log shows all operations returned for s_conn=sunds-d1m1-9389:34.
[19/Jul/2006:16:32:51 -0500] - SERVER_OP - INFO - Created BIND LDAP connection s_conn=sunds-d1m1-9389:34 client=0.0.0.0:57153 server=idm160.central.sun.com:9389 main [20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=0 BIND dn="cn=directory manager" method="SIMPLE" s_msgid=3 s_conn=sunds-d1m1-9389:34 [20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=0 BIND RESPONSE err=0 msg="" s_conn=sunds-d1m1-9389:34 [20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH base="dc=example,dc=com" scope=2 s_msgid=4 s_conn=sunds-d1m1-9389:34 [20/Jul/2006:18:01:49 -0500] - SERVER_OP - INFO - conn=31 op=1 SEARCH RESPONSE err=0 msg="" nentries=1 s_conn=sunds-d1m1-9389:34
With this information, you can see that the connection ID for this search operation on Directory Proxy Server is 31 (conn=31).
-
Locate the client connection IP address that corresponds to the connection ID found in the previous step.
To obtain this information, search the Directory Proxy Server access log for all operations with the correct connection ID and timestamp. The timestamp to use is the one in the original search statement in Step 1.
For example, on UNIX systems, run the following grep command to locate the client connection IP address:
$ grep "20/Jul/2006:18:01" access | grep conn=31
The line you are interested in is similar to this:
[20/Jul/2006:18:01:49 -0500] - CONNECT - INFO - conn=31 client=129.150.64.156:2031 server=0.0.0.0:11389 protocol=LDAP
-
Determine who owns the IP address found in the previous step.
With this information, you can establish precisely who was responsible for the operation performed on Directory Server.
- © 2010, Oracle Corporation and/or its affiliates