PingDirectory

Enabling access control filtering in the LDAP changelog

Use the dsconfig tool to set the properties on the changelog backend that apply access control to the LDAP changelog.

About this task

Only admin users with the bypass-acl privilege can read the changelog.

Steps

  1. To apply access control filtering to the changelog entries that LDAP clients receive from standard LDAP searches of the cn=changelog backend, enable the apply-access-controls-to-changelog-entry-contents property.

    Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from a PingDirectory server that has the filter-changes-by-user Sync Pipe property set.

    Example:

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "apply-access-controls-to-changelog-entry-contents:true"
  2. To include a count of the attributes that access control filtering has removed from each changelog entry, set the report-excluded-changelog-attributes property.

    The count appears in the ds-changelog-num-excluded-user-attributes attribute for user attributes and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.

    Example:

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "report-excluded-changelog-attributes:attribute-counts"
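The following script is an added example, not part of the PingDirectory documentation or product. It combines both steps of the procedure above: it prints the two dsconfig commands so they can be reviewed before being run against a server, and it reads the excluded-attribute counters back from a changelog entry in LDIF form, so an administrator can confirm that filtering is actually stripping attributes for a given client. The DS_HOME path and the sample changelog entry are assumptions constructed for the example; only the property and attribute names come from the page.

```shell
#!/usr/bin/env bash
# Added example (not PingDirectory's own code). Assumes a PingDirectory install
# under DS_HOME; override with DS_HOME=/path/to/server.
set -eu

DS_HOME="${DS_HOME:-/opt/pingdirectory}"   # assumed install path

# Emit the two dsconfig commands from the procedure, one per line, so they can
# be reviewed (or piped to sh) rather than typed by hand. Both target the
# "changelog" backend.
changelog_acl_commands() {
  cat <<EOF
$DS_HOME/bin/dsconfig set-backend-prop --backend-name changelog --set apply-access-controls-to-changelog-entry-contents:true
$DS_HOME/bin/dsconfig set-backend-prop --backend-name changelog --set report-excluded-changelog-attributes:attribute-counts
EOF
}

# Read one attribute value from an LDIF entry supplied on stdin.
# Prints 0 when the attribute is absent, which is what an entry looks like
# when nothing was excluded (or when attribute-counts reporting is off).
ldif_attr_value() {
  attr="$1"
  val=$(grep -i "^${attr}:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
  printf '%s\n' "${val:-0}"
}

# Counters the page documents; each takes the LDIF entry text as its argument.
excluded_user_attrs() {
  printf '%s\n' "$1" | ldif_attr_value ds-changelog-num-excluded-user-attributes
}
excluded_operational_attrs() {
  printf '%s\n' "$1" | ldif_attr_value ds-changelog-num-excluded-operational-attributes
}

# Constructed changelog entry for offline use, shaped like an ldapsearch result
# from cn=changelog after filtering; the DN, changeNumber and counts are made up.
SAMPLE_ENTRY='dn: changeNumber=42,cn=changelog
objectClass: top
objectClass: changeLogEntry
changeNumber: 42
targetDN: uid=jdoe,ou=People,dc=example,dc=com
changeType: modify
ds-changelog-num-excluded-user-attributes: 2
ds-changelog-num-excluded-operational-attributes: 1'

# Stand-alone run: show the commands, then the counters from the sample entry.
changelog_acl_commands
echo "excluded user attributes:        $(excluded_user_attrs "$SAMPLE_ENTRY")"
echo "excluded operational attributes: $(excluded_operational_attrs "$SAMPLE_ENTRY")"
```

Against a live server, replace SAMPLE_ENTRY with the output of an ldapsearch against cn=changelog bound as the client whose view you are checking; a non-zero counter on an entry that client can read confirms that filtering removed attributes it is not permitted to see, while a counter of 0 everywhere after the first command is a sign that report-excluded-changelog-attributes has not been set.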