PingDirectory

Change logging

The PingDirectory server can be configured to maintain an LDAP-accessible changelog with a record of changes that have been processed in the server.

It is based on the specification in draft-good-ldap-changelog, but includes several proprietary enhancements that provide access to additional useful information. This can include:

  • The values of updated attributes as they appeared before and after the change

  • The values of a configured set of key attributes from the entry, even if they weren’t altered by the change

  • The content of an entry that was deleted

  • The values of virtual attributes from the entry

The changelog can be useful for auditing changes that have been processed in the server, as well as for synchronizing changes to other systems. It is disabled by default, but it can be enabled with the following configuration change:

dsconfig set-backend-prop \
     --backend-name changelog \
     --set enabled:true

Additional properties that you might want to use to customize the changelog configuration include the following.

Property Description

changelog-include-attribute

Specifies which attributes are included in changelog entries for add and modify operations. If this is specified, then only those attributes are included, even if the operation added or updated other attributes.

changelog-exclude-attribute

Specifies which attributes should be excluded from changelog entries for add and modify operations. By default, the changelog excludes several attributes that might contain sensitive information that is unlikely to be required externally. However, encoded passwords are not excluded by default because it might be necessary to synchronize them to other systems.

changelog-deleted-entry-include-attribute

Specifies which attributes should be included in changelog entries for delete operations. By default, all user attributes are included, but operational attributes are not.

changelog-deleted-entry-exclude-attribute

Specifies which attributes should be excluded from changelog entries for delete operations.

changelog-include-key-attribute

An optional set of attributes that should be included in changelog entries, even if they were not changed in the course of processing the operation.

changelog-max-before-after-values

Indicates that the changelog entry should include up to the specified number of before and after values for the updated attributes. This is zero by default to indicate that before and after values should not be included, but if it is changed to a nonzero value, then before and after values are included for any changed attributes whose value count is below this limit.

use-reversible-form

Indicates whether to log modifications in reversible form, which contains enough information to allow the change to be reverted. By default, changes are logged using the set of modifications as the client requested them.

include-virtual-attributes

Indicates which types of virtual attributes should be included in changelog entries. This might include zero or more of the following:

  • add-attributes — Indicates that the changelog entry for an add operation should include any virtual attributes that would be generated for the entry at the time it was added.

  • deleted-entry-attributes — Indicates that the changelog entry for a delete operation should include any virtual attributes present in the entry at the time it was deleted.

  • before-and-after-values — Indicates that the changelog entry should include any virtual values for attributes updated in the operation.

  • key-attribute-values — Indicates that the changelog should include virtual values for any key attributes to be included.

apply-access-controls-to-changelog-entry-contents

Indicates whether the server should pare down the contents of each changelog entry based on the requester’s access control rights for the updated entry.

report-excluded-changelog-attributes

Indicates whether to report information about any attributes that were excluded from the changelog entry on the basis of the apply-access-controls-to-changelog-entry-contents property. Allowed values include:

  • none — Do not report on any attributes that were excluded.

  • attribute-counts — Report the number of attributes that were excluded.

  • attribute-names — Report the names of the attributes that were excluded.

soft-delete-entry-included-operation

Indicates whether to include operations that target soft-deleted entries. By default, operations that target soft-deleted entries are not included, but they can be included with one or more of the following values:

  • delete — Indicates that the changelog should include records of soft-deleted entries that are removed from the server.

  • modify — Indicates that the changelog should include records of modify operations that update soft-deleted entries.

By default, the server does not include any access control rules that grant users access to retrieve changelog entries. As such, only users with the bypass-acl or bypass-read-acl privilege can see them. If you want to grant access to other users who are subject to access control evaluation, you must do so using global ACIs.
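Because encoded passwords are not excluded by default, it is worth checking what an exported changelog actually contains after setting changelog-exclude-attribute. The following added example (not part of the PingDirectory documentation or product) parses changelog entries in the draft-good-ldap-changelog LDIF form, where the changes value is base64-encoded LDIF, and reports add/modify records that still carry a value for an attribute the exclude policy should have suppressed; the sample entries and the hash values are constructed.

```python
import base64

def parse_ldif_entries(text):
    """Parse LDIF into entries {lowercase attr: [values]}; decodes '::' base64 values."""
    lines, entries, current = [], [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # RFC 2849 folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:
        if not line:                            # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # '::' means base64 (always true for 'changes')
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.lower(), []).append(value.strip())
    return entries

def find_sensitive_exposure(ldif, sensitive):
    """Sorted (changeNumber, attr) pairs where an add/modify changelog entry carries a value for an attribute in 'sensitive'."""
    hits = set()
    for entry in parse_ldif_entries(ldif):
        if entry.get("changetype", [""])[0].lower() not in ("add", "modify"):
            continue                            # delete/modDN records use other attributes
        num = int(entry["changenumber"][0])
        for changes in entry.get("changes", []):
            for line in changes.splitlines():   # 'changes' is itself LDIF (add attrs or mods)
                attr, sep, value = line.partition(":")
                if sep and value.strip() and attr.lower() in sensitive:
                    hits.add((num, attr))
    return sorted(hits)

# Constructed sample changelog (not captured from a real server): a modify that
# replaces userPassword, and an add whose entry contains userPassword.
def _entry(num, dn, ctype, changes):
    enc = base64.b64encode(changes.encode()).decode()
    return (f"dn: changeNumber={num},cn=changelog\nobjectClass: changeLogEntry\n"
            f"changeNumber: {num}\ntargetDN: {dn}\nchangeType: {ctype}\nchanges:: {enc}\n\n")

SAMPLE_CHANGELOG = (
    _entry(1, "uid=jdoe,ou=People,dc=example,dc=com", "modify",
           "replace: mail\nmail: jdoe@example.com\n-\nreplace: userPassword\n"
           "userPassword: {SSHA256}constructed-hash\n-\n")
    + _entry(2, "uid=asmith,ou=People,dc=example,dc=com", "add",
             "objectClass: inetOrgPerson\nuid: asmith\nuserPassword: {SSHA256}constructed-hash\n"))
SENSITIVE = {"userpassword"}   # attributes changelog-exclude-attribute is expected to suppress
```

Run it against an ldapsearch export of cn=changelog; an empty result means the exclude policy held for the attributes listed in SENSITIVE.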