Logs

By default, LemonLDAP::NG uses Apache logs to store user actions and other messages:

• Error log: all messages emitted by the program, depending on the configured log level
• Access log: the issuer of each request is identified

The log level can be set with Apache LogLevel parameter. It can be configured globally, or inside a virtual host.

See http://httpd.apache.org/docs/2.2/mod/core.html#loglevel for more information.

To configure the user identifier in access log, go in Manager, General Parameters > Logging > REMOTE_USER.

LemonLDAP::NG can also use syslog (only for user actions).

In Manager, set syslog facility in General Parameters > Logging > Syslog facility.

The messages are stored with the levels :

• info for user actions
• notice for good authentications or external exchange (SAML, OpenID,…)
• warn for failed authentications

If users access Lemonldap::NG portal through a proxy, one may prefer log real client's IP instead of proxy's IP. Usually, proxies forward client IP in a “X-Forwarded-For” HTTP Header.

On the other hand, X-Forwarded-For header may be forged by user, so this may not be a reliable data.

You can manage Lemonldap::NG's behaviour in General Parameters > Logging > “Trusted proxies IP” :

• to always log remote IP, that is, proxy's IP if users access through a proxy, let “Trusted proxies IP” void
• to always trust X-Forwarded-For header (if it is defined), set “Trusted proxies IP” as “*”
• to trust X-Forwarded-For data only when it is set by some proxies, put trusted proxies' IP in a space-separated list of IP addresses or CIDR ranges. For example, set “Trusted proxies IP” to “10.192.54.219 10.226.40.64/28”.

Note that a proxy cannot add “X-Forwarded-For” headers if portal URL is a https URL.

You can customize logs by redefining userNotice() and userError() methods, directly in lemonldap-ng.ini

Example:

[portal]
userError = sub { my ($self, $message) = @_; ... }
userNotice = sub { my ($self, $message) = @_; ... }