From 0e7b77902a24f7be083e448ffd9aaea7cb3d3666 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Mon, 16 Nov 2020 11:57:18 +0300
Subject: [PATCH 1/2] ipatests: Raise log level of 389-ds replication

- change log level for replication debugging
  According to the docs:
  ```
  default level of logging(16384) used for critical errors and other
  messages that are always written to the error log. Messages at this
  level are always included in the error log, regardless of the log
  level setting.
  ```

- always flush the access logs to filesystem
  During the testing access logs may be written with delay, this
  results in logs are not collected by this test node, but for example,
  the next one.

- as of now, the changes on `cn=config` are made after the installation
  of server or replica. If an error occurs during these stages, then the
  actual log level will be the default and not as expected.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
---
 ipatests/pytest_ipa/integration/tasks.py | 52 ++++++++++++++++++------
 1 file changed, 39 insertions(+), 13 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index cfd8b1512c1..a3623e912b1 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -148,6 +148,29 @@ def apply_common_fixes(host):
     rpcbind_kadmin_workaround(host)
 
 
+def prepare_dse_changes(host):
+    """Put custom changes for dse.ldif on the host
+    """
+    ipatests_dse_path = os.path.join(host.config.test_dir, "ipatests_dse.ldif")
+    ldif = textwrap.dedent(
+        """\
+        # replication debugging
+        dn: cn=config
+        changetype: modify
+        replace: nsslapd-errorlog-level
+        nsslapd-errorlog-level: 8192
+
+        # server writes all access log entries directly to disk
+        dn: cn=config
+        changetype: modify
+        replace: nsslapd-accesslog-logbuffering
+        nsslapd-accesslog-logbuffering: off
+        """
+    )
+    host.put_file_contents(ipatests_dse_path, ldif)
+    return ipatests_dse_path
+
+
 def allow_sync_ptr(host):
     kinit_admin(host)
     host.run_command(["ipa", "dnsconfig-mod", "--allow-sync-ptr=true"],
@@ -249,17 +272,6 @@ def restore_hostname(host):
         host.run_command(['rm', backupname])
 
 
-def enable_replication_debugging(host, log_level=0):
-    logger.info('Set LDAP debug level')
-    logging_ldif = textwrap.dedent("""
-        dn: cn=config
-        changetype: modify
-        replace: nsslapd-errorlog-level
-        nsslapd-errorlog-level: {log_level}
-        """.format(log_level=log_level))
-    ldapmodify_dm(host, logging_ldif)
-
-
 def enable_ds_audit_log(host, enabled='on'):
     """Enable 389-ds audit log and auditfail log
 
@@ -298,6 +310,10 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
         domain_level = host.config.domain_level
     check_domain_level(domain_level)
     apply_common_fixes(host)
+    if "--dirsrv-config-file" not in extra_args:
+        ipatests_dse = prepare_dse_changes(host)
+    else:
+        ipatests_dse = None
     fix_apache_semaphores(host)
     fw = Firewall(host)
     fw_services = ["freeipa-ldap", "freeipa-ldaps"]
@@ -310,6 +326,9 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
         '-a', host.config.admin_password,
         "--domain-level=%i" % domain_level,
     ]
+    if ipatests_dse:
+        args.extend(["--dirsrv-config-file", ipatests_dse])
+
     if unattended:
         args.append('-U')
 
@@ -335,7 +354,6 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
         fw.enable_services(fw_services)
     if result.returncode == 0 and not external_ca:
         # external CA step 1 doesn't have DS and KDC fully configured, yet
-        enable_replication_debugging(host)
         enable_ds_audit_log(host, 'on')
         setup_sssd_debugging(host)
         kinit_admin(host)
@@ -408,6 +426,12 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
         domain_level = domainlevel(master)
     check_domain_level(domain_level)
     apply_common_fixes(replica)
+
+    if "--dirsrv-config-file" not in extra_args:
+        ipatests_dse = prepare_dse_changes(replica)
+    else:
+        ipatests_dse = None
+
     allow_sync_ptr(master)
     fw = Firewall(replica)
     fw_services = ["freeipa-ldap", "freeipa-ldaps"]
@@ -457,12 +481,14 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False,
     fix_apache_semaphores(replica)
     args.extend(['--realm', replica.domain.realm,
                  '--domain', replica.domain.name])
+    if ipatests_dse:
+        args.extend(["--dirsrv-config-file", ipatests_dse])
+
     fw.enable_services(fw_services)
 
     result = replica.run_command(args, raiseonerr=raiseonerr,
                                  stdin_text=stdin_text)
     if result.returncode == 0:
-        enable_replication_debugging(replica)
         enable_ds_audit_log(replica, 'on')
         setup_sssd_debugging(replica)
         kinit_admin(replica)

From d6a4c4acc27aca782650c98bef16fd09c9f17a8e Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Mon, 16 Nov 2020 15:17:54 +0300
Subject: [PATCH 2/2] temp commit: check log settings

Signed-off-by: Stanislav Levin <slev@altlinux.org>
---
 ipatests/test_integration/test_installation.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 1e0b3182a4e..e95e44db751 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -972,6 +972,24 @@ def test_ds_disable_upgrade_hash(self):
         )
         assert "nsslapd-enable-upgrade-hash: off" in result.stdout_text
 
+    def test_ds_loglevel(self):
+        result = tasks.ldapsearch_dm(
+            self.master,
+            "cn=config",
+            ldap_args=["nsslapd-errorlog-level"],
+            scope="base"
+        )
+        assert "nsslapd-errorlog-level: 8192" in result.stdout_text
+
+    def test_ds_flush_logs(self):
+        result = tasks.ldapsearch_dm(
+            self.master,
+            "cn=config",
+            ldap_args=["nsslapd-accesslog-logbuffering"],
+            scope="base"
+        )
+        assert "nsslapd-accesslog-logbuffering: off" in result.stdout_text
+
     def test_ldbm_tuning(self):
         # check db-locks in new cn=bdb subentry (1.4.3+)
         result = tasks.ldapsearch_dm(
