PingDirectory

Key changelog features

As of 3.2, the PingDirectory server supports two new changelog backend properties that allow access control filtering and sensitive attribute evaluation for targeted entries.

What an external client application sees of the attributes in the targeted entry depends on the access control rules applied to the associated base DN.

Attribute Description

apply-access-controls-to-changelog-entry-contents

Indicates whether the contents of changelog entry attributes, such as changes, deletedEntryAttrs, ds-changelog-entry-key-attr-values, ds-changelog-before-values, and ds-changelog-after-values, are subject to access control and sensitive attribute evaluation to limit data that LDAP clients can see. The client must have the access control permissions to read changelog entries to retrieve them in any form. If this feature is enabled and the client does not have permission to read an entry at all, or if that client does not have permission to see any attributes that were targeted by the change, then the associated changelog entries targeted by those operations are suppressed. If a client does not have permission to see certain attributes within the target entry, then references to those attributes in the changelog entry are also suppressed. This property only applies to standard LDAP searches of the cn=changelog branch.

report-excluded-changelog-attributes

Indicates whether to include additional information about any attributes that might have been removed because of access control filtering. This property only applies to content removed as a result of processing performed by the apply-access-controls-to-changelog-entry-contents property. Possible values are:

none

Indicates that changelog entries should not include any information about attributes that have been removed.

attribute-counts

Indicates that changelog entries should include a count of the user and operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, the number of excluded user attributes is reported in the ds-changelog-num-excluded-user-attributes attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, the number of excluded operational attributes is reported in the ds-changelog-num-excluded-operational-attributes attribute of the changelog entry. Both ds-changelog-num-excluded-user-attributes and ds-changelog-num-excluded-operational-attributes are operational attributes, so they are returned only if the client requests them explicitly or requests all operational attributes using +.

attribute-names

Indicates that changelog entries should include the names of the user and operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, the names of the excluded user attributes are reported in the ds-changelog-excluded-user-attribute attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, the names of the excluded operational attributes are reported in the ds-changelog-excluded-operational-attribute attribute of the changelog entry. Both ds-changelog-excluded-user-attribute and ds-changelog-excluded-operational-attribute are operational attributes, so they are returned only if the client requests them explicitly or requests all operational attributes using +.

Enabling access control filtering in the LDAP changelog

Use the dsconfig tool to set the changelog backend properties that enable access control filtering of the LDAP changelog.

About this task

Only admin users with the bypass-acl privilege can read the changelog.

Steps

  1. To apply access control filtering to standard LDAP searches of the cn=changelog backend by LDAP clients, enable the apply-access-controls-to-changelog-entry-contents property.

    Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from a PingDirectory server that has the filter-changes-by-user Sync Pipe property set.

    Example:

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "apply-access-controls-to-changelog-entry-contents:true"
  2. To include a count of the user and operational attributes that have been removed through access control filtering, set the report-excluded-changelog-attributes property to attribute-counts.

    The count appears in the ds-changelog-num-excluded-user-attributes attribute for user attributes and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.

    Example:

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "report-excluded-changelog-attributes:attribute-counts"
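The following Python (standard library only) is an added example and is not part of the PingDirectory documentation or product: it parses a changelog entry as a client would receive it from a search of cn=changelog with the reporting attributes explicitly requested, lists the attributes still visible in the changes value, and reads the ds-changelog-num-excluded-* counters described above to tell whether access control filtering suppressed anything. The entry (change number, target DN, changes) is a constructed sample, and the function names are this example's own.

```python
import base64
# Constructed sample changelog entry, as a client would receive it from a search of
# cn=changelog that explicitly requested the ds-changelog-num-excluded-* attributes.
SAMPLE_LDIF = """\
dn: changeNumber=1234,cn=changelog
changeNumber: 1234
targetDN: uid=jdoe,ou=People,dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogbWFpbAptYWlsOiBqZG9lQGV4YW1wbGUuY29tCi0K
ds-changelog-num-excluded-user-attributes: 1
ds-changelog-num-excluded-operational-attributes: 0
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {attribute: [values]}; joins continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>', which is how 'changes' is returned
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(name.lower(), []).append(value)
    return entry

def changed_attributes(changes_ldif):
    """Attribute names still visible in a 'changes' value (LDIF modify syntax)."""
    return sorted({l.partition(":")[2].strip().lower() for l in changes_ldif.splitlines()
                   if l.partition(":")[0] in ("add", "delete", "replace", "increment")})

def audit_changelog_entry(text):
    """Summarise what the client saw and whether access control filtering hid anything."""
    entry = parse_ldif_entry(text)
    reported = "ds-changelog-num-excluded-user-attributes" in entry
    user = int(entry.get("ds-changelog-num-excluded-user-attributes", ["0"])[0])
    oper = int(entry.get("ds-changelog-num-excluded-operational-attributes", ["0"])[0])
    return {
        "change_number": entry["changenumber"][0],
        "target_dn": entry["targetdn"][0],
        "visible_attributes": changed_attributes(entry.get("changes", [""])[0]),
        "excluded_user": user,
        "excluded_operational": oper,
        "filtered": (user + oper) > 0 if reported else None,  # None: counters not requested
    }
```

A result of None for "filtered" means the operational counters were not returned, so the client cannot conclude that nothing was hidden; request them by name or with + as the property descriptions require.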