Enabling access control filtering in the LDAP changelog
Use the dsconfig tool to set the changelog backend properties that apply access control to the LDAP changelog.
About this task
Only admin users with the bypass-acl privilege can read the changelog.
Steps
-
To allow LDAP clients to undergo access control filtering using standard LDAP searches of the cn=changelog backend, enable the apply-access-controls-to-changelog-entry-contents property. Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from a PingDirectory server that has the filter-changes-by-user Sync Pipe property set.
Example:
$ bin/dsconfig set-backend-prop --backend-name "changelog" \
    --set "apply-access-controls-to-changelog-entry-contents:true"
-
To include a count of the attributes that have been removed through access control filtering, set the report-excluded-changelog-attributes property. The count appears in the ds-changelog-num-excluded-user-attributes attribute for user attributes and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.
Example:
$ bin/dsconfig set-backend-prop --backend-name "changelog" \
    --set "report-excluded-changelog-attributes:attribute-counts"
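As an added example, not part of this PingDirectory documentation, the following POSIX shell script applies both settings from the steps above and then summarizes the ds-changelog-num-excluded-* counters from a changelog search, so you can confirm that filtering actually affects the client identity you care about. It assumes a PingDirectory install under PD_HOME that provides bin/dsconfig and bin/ldapsearch, connection and bind options for both tools supplied in PD_CONN (--hostname, --port, --bindDN, --bindPassword), and dsconfig's --no-prompt option for non-interactive use; the LDIF sample embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PingDirectory documentation or product.
# With the "apply" argument: set both changelog backend properties, then
# search cn=changelog and summarize the excluded-attribute counters.
# Without it: summarize a constructed LDIF sample so the script runs offline.
# Assumptions: PD_HOME is a PingDirectory install with bin/dsconfig and
# bin/ldapsearch; PD_CONN carries the connection and bind options both
# tools accept (--hostname, --port, --bindDN, --bindPassword).

PD_HOME="${PD_HOME:-/opt/ping/PingDirectory}"   # assumed install path
PD_CONN="${PD_CONN:-}"                          # caller-supplied options

# Set one property on the changelog backend (non-interactive dsconfig).
set_changelog_prop() {
    # shellcheck disable=SC2086  # PD_CONN is intentionally word-split
    "$PD_HOME/bin/dsconfig" $PD_CONN --no-prompt set-backend-prop \
        --backend-name "changelog" --set "$1:$2"
}

# Read an LDIF changelog search result on stdin and print one line:
#   entries=<n> excluded_user=<n> excluded_operational=<n>
# Only changeNumber=... entries are counted, so the cn=changelog base
# entry itself never inflates the total. Non-zero exclusion counts mean
# an ACL hid attributes from changes the client was otherwise allowed to read.
summarize_exclusions() {
    awk '
        /^dn: changeNumber=/                                  { entries++ }
        /^ds-changelog-num-excluded-user-attributes:/         { u += $2 }
        /^ds-changelog-num-excluded-operational-attributes:/  { o += $2 }
        END {
            printf "entries=%d excluded_user=%d excluded_operational=%d\n",
                   entries, u, o
        }
    '
}

# Apply both settings, then search the changelog as the bound identity
# and summarize what that identity actually receives.
apply_and_verify() {
    set_changelog_prop apply-access-controls-to-changelog-entry-contents true
    set_changelog_prop report-excluded-changelog-attributes attribute-counts
    # shellcheck disable=SC2086  # PD_CONN is intentionally word-split
    "$PD_HOME/bin/ldapsearch" $PD_CONN --baseDN cn=changelog --searchScope one \
        "(objectClass=*)" changeNumber targetDN \
        ds-changelog-num-excluded-user-attributes \
        ds-changelog-num-excluded-operational-attributes \
      | summarize_exclusions
}

# Constructed sample of what a filtered client might get back: two change
# entries, three user attributes and one operational attribute withheld.
SAMPLE_LDIF='dn: changeNumber=1,cn=changelog
objectClass: changeLogEntry
changeNumber: 1
targetDN: uid=alice,ou=People,dc=example,dc=com
ds-changelog-num-excluded-user-attributes: 2
ds-changelog-num-excluded-operational-attributes: 1

dn: changeNumber=2,cn=changelog
objectClass: changeLogEntry
changeNumber: 2
targetDN: uid=bob,ou=People,dc=example,dc=com
ds-changelog-num-excluded-user-attributes: 1
'

if [ "${1:-}" = "apply" ]; then
    apply_and_verify
else
    printf '%s\n' "$SAMPLE_LDIF" | summarize_exclusions
fi
```

Run it with the "apply" argument against a test instance; without the argument it only summarizes the constructed sample. Bind the search as the client identity whose view you want to confirm, not as an administrator holding the bypass-acl privilege, since that privilege bypasses the very filtering you are trying to observe.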