PingDirectory

Monitor soft deletes

The server provides monitoring entries and logs to track all soft delete operations. The access and debug logs do not have any options specific for soft deletes.

New monitor entries

Two new monitor entries are present on each backend monitor entry.

Administrators see the following additional monitor entries on cn=userRoot Backend,cn=monitor:

ds-soft-delete-entry-operations-count

Displays the number of soft deletes performed on the backend since server startup.

ds-undelete-operations-count

Displays the number of undeletes performed on the backend since server startup.

ds-backend-soft-deleted-entry-count

Displays the current number of soft-deleted entries in the database.

ds-auto-purged-soft-deleted-entry-count

Displays the current number of soft-deleted entries purged since the backend or server was restarted.

Monitoring soft deletes

Monitor soft deletes using the ldapsearch command.

Steps

  • Run ldapsearch on the cn=userRoot Backend,cn=monitor branch with a search filter that targets the ds-backend-monitor-entry object class.

    Example:
    $ bin/ldapsearch --baseDN "cn=userRoot Backend,cn=monitor" \
      --searchScope sub "(objectclass=ds-backend-monitor-entry)"
    Result:
    dn: cn=userRoot Backend,cn=monitor
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: ds-backend-monitor-entry
    objectClass: extensibleObject
    cn: userRoot Backend
    ds-backend-id: userRoot
    ds-backend-base-dn: dc=example,dc=com
    ds-backend-is-private: FALSE
    ds-backend-entry-count: 200001
    ds-backend-soft-deleted-entry-count: 1000
    ds-soft-delete-operations-count: 40
    ds-undelete-operations-count: 20
    ds-auto-purged-soft-deleted-entry-count: 0
    ds-base-dn-entry-count: 200001 dc=example,dc=com
    ds-backend-writability-mode: enabled
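As an added example (not from the PingDirectory documentation), the following Python parses the ldapsearch output above and turns two successive polls into per-interval counts. The operation counters are cumulative since startup, so a counter that goes backwards is treated as a server restart; the two sample snapshots are constructed from the values on this page and use the attribute names as they appear in the output.

```python
# Constructed sample: two successive polls of the backend monitor entry,
# trimmed to the soft delete attributes this page describes.
POLL_1 = """dn: cn=userRoot Backend,cn=monitor
ds-backend-soft-deleted-entry-count: 1000
ds-soft-delete-operations-count: 40
ds-undelete-operations-count: 20
ds-auto-purged-soft-deleted-entry-count: 0
"""
POLL_2 = """dn: cn=userRoot Backend,cn=monitor
ds-backend-soft-deleted-entry-count: 1005
ds-soft-delete-operations-count: 48
ds-undelete-operations-count: 22
ds-auto-purged-soft-deleted-entry-count: 1
"""

# Counters that accumulate since server startup and reset on restart.
SOFT_DELETES = "ds-soft-delete-operations-count"
UNDELETES = "ds-undelete-operations-count"
PURGED = "ds-auto-purged-soft-deleted-entry-count"
# Gauge: how many soft-deleted entries the backend holds right now.
SOFT_DELETED = "ds-backend-soft-deleted-entry-count"

def parse_monitor_ldif(text):
    """Return {attribute: value} for one LDIF entry; numeric values become ints."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value.strip()
            attrs[name] = int(value) if value.isdigit() else value
    return attrs

def soft_delete_deltas(previous, current):
    """Soft delete activity between two snapshots of the same backend.
    A cumulative counter that went backwards means the server restarted: the
    interval value is then the current count and 'restarted' is set.
    'unexplained' is gauge change the three counters do not account for, e.g.
    hard deletes of soft-deleted entries or activity lost across a restart."""
    deltas, restarted = {}, False
    for name in (SOFT_DELETES, UNDELETES, PURGED):
        prev, cur = previous.get(name, 0), current.get(name, 0)
        restarted = restarted or cur < prev
        deltas[name] = cur if cur < prev else cur - prev
    deltas[SOFT_DELETED] = current[SOFT_DELETED] - previous[SOFT_DELETED]
    expected = deltas[SOFT_DELETES] - deltas[UNDELETES] - deltas[PURGED]
    deltas["unexplained"] = deltas[SOFT_DELETED] - expected
    deltas["restarted"] = restarted
    return deltas
```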

Access logs

The access log records the LDAP operations that correspond to soft deletes and undeletes (DELETE, SEARCH, MODIFY, and ADD operations) together with the related soft-delete values.

The access log does not require any configuration for soft delete.

DELETE (soft-delete) operations

The access log displays the following.

[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2
dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367
softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"

SEARCH operations for soft-deleted entries

The access log displays the following.

[14/May/2012:09:40:52.320 -0500] SEARCH RESULT conn=19 op=1 msgID=2
base="dc=example,dc=com" scope=2 filter="(objectclass=ds-soft-delete-entry)"
attrs="ALL" resultCode=0 etime=1.631 entriesReturned=1

MODIFY operations of soft-deleted entries

The access log displays the following.

[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1
dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"
resultCode=0 etime=2.639 changeToSoftDeletedEntry=true

ADD (soft-undelete) operations

The access log displays the following.

[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1
dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700
undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,ou=People,dc=example,dc=com"
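The four record types above are the access log's only signal of soft delete activity, so a detection rule has to key on the softDeleteEntryDN, undeleteFromDN, changeToSoftDeletedEntry and filter fields rather than on the operation type. The following Python is an added example, not code from the PingDirectory documentation: it parses RESULT records into fields and classifies the soft delete events, skipping failed operations and ordinary deletes. The sample records are constructed from the page's examples, written on one line each as the server writes them.

```python
import re

# Constructed sample records in the formats shown above. The server writes each
# record on one line; this page wraps them only for display.
SAMPLE_LOG = [
    '[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2 dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367 softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"',
    '[14/May/2012:09:40:52.320 -0500] SEARCH RESULT conn=19 op=1 msgID=2 base="dc=example,dc=com" scope=2 filter="(objectclass=ds-soft-delete-entry)" attrs="ALL" resultCode=0 etime=1.631 entriesReturned=1',
    '[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1 dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=2.639 changeToSoftDeletedEntry=true',
    '[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1 dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700 undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,ou=People,dc=example,dc=com"',
    # An ordinary delete carries no softDeleteEntryDN and is not a soft delete event.
    '[14/May/2012:10:01:02.000 -0500] DELETE RESULT conn=26 op=1 msgID=1 dn="uid=user.5,ou=People,dc=example,dc=com" resultCode=0 etime=3.100',
]

HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<op>[A-Z]+) RESULT (?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_record(line):
    """Parse one RESULT record into a dict of its fields, or None if not one."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group("ts"), "operation": m.group("op")}
    for key, quoted, bare in FIELD.findall(m.group("rest")):
        fields[key] = quoted or bare
    return fields

def classify(fields):
    """Map a parsed record to the soft delete event it shows, or None."""
    if fields is None or fields.get("resultCode") != "0":
        return None  # unparsed or failed operations change no soft delete state
    op = fields["operation"]
    if op == "DELETE" and "softDeleteEntryDN" in fields:
        return "soft-delete"
    if op == "ADD" and "undeleteFromDN" in fields:
        return "undelete"
    if op == "MODIFY" and fields.get("changeToSoftDeletedEntry") == "true":
        return "modify-soft-deleted"
    if op == "SEARCH" and "ds-soft-delete-entry" in fields.get("filter", ""):
        return "search-soft-deleted"
    return None

def soft_delete_events(lines):
    """(event, entry DN or search base, conn) for every soft delete event."""
    events = []
    for line in lines:
        fields = parse_record(line)
        event = classify(fields)
        if event:
            events.append((event, fields.get("dn") or fields.get("base"), fields["conn"]))
    return events
```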

Audit logs

The audit log captures any MODIFY and DELETE operations of soft-deleted entries.

These changes are recorded as fully commented-out audit log entries. The audit log does not require any configuration for soft deletes.

For any soft-deleted entry, the audit log entry displays the ds-soft-delete-entry-dn property and its soft-deleted entry distinguished name (DN).

# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete

For any MODIFY changes made, the log displays the LDIF, the modifier’s name, and update time.

# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# replace: homePhone
# homePhone: +1 003 428 0966
#-
# replace: modifiersName
# modifiersName: uid=admin,dc=example,dc=com
#-
# replace: modifyTimestamp
# modifyTimestamp: 20131010020345.546Z

For any undelete of a soft-deleted entry, the log displays the ds-undelete-from-dn attribute plus the entry unique ID, create time, and creator’s name.

# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
uid: user.2
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
ds-entry-unique-id:: vw1jg801S7GWrTiS3UE5DA==
createTimestamp:: 20131010181148.630Z
creatorsName: uid=admin,dc=example,dc=com

For hard (permanent) deletes of a soft-deleted entry, the log displays the soft-deleted entry DN that was removed.

# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
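The four audit log records above differ in which lines are commented out and which soft delete attribute they carry, which is what a reviewer reconciling the audit trail has to key on. The following Python is an added example, not code from the PingDirectory documentation: it splits the audit log into records, strips the comment prefix while remembering whether the record was fully commented out, and names the soft delete event each record describes. The sample log is constructed from the page's examples, with each DN on one line.

```python
# Constructed sample audit log in the record formats shown above.
SAMPLE_AUDIT = """# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete

# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# replace: homePhone
#-

# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com

# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
"""

def parse_audit_log(text):
    """One dict per blank-line separated record; '# ' is stripped from commented lines."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        timestamp, *meta = (part.strip() for part in lines[0].lstrip("# ").split(";"))
        rec = {"timestamp": timestamp, "commented": True, **dict(p.split("=", 1) for p in meta)}
        for line in lines[1:]:
            if line == "#-":
                continue  # LDIF change separator, carries no data
            if line.startswith("# "):
                line = line[2:]
            else:
                rec["commented"] = False  # live LDIF line: the record is replayable
            name, _, value = line.partition(":")
            rec.setdefault(name, value.strip())
        records.append(rec)
    return records

def soft_delete_event(rec):
    """Name the soft delete event an audit record describes, or None."""
    change, commented = rec.get("changetype"), rec["commented"]
    if change == "delete" and "ds-soft-delete-entry-dn" in rec:
        return "soft-delete"
    if change == "add" and "ds-undelete-from-dn" in rec:
        return "undelete"
    if commented and change in ("modify", "delete"):  # fully commented-out record
        return "modify-soft-deleted" if change == "modify" else "hard-delete-soft-deleted"
    return None
```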

Configuring the file-based audit log for soft deletes

Configure the file-based audit log for soft deletes.

Steps

  1. Enable the audit log if it is disabled.

    Example:
    $ bin/dsconfig set-log-publisher-prop --publisher-name "File-Based Audit Logger" \
    --set enabled:true
  2. View the audit log.

    The soft-delete-entry-audit-behavior property is set to commented by default and provides additional information in comments about the soft-deleted entry that was either created or undeleted.

    Example:
    # 11/May/2012:15:33:17.552 -0500; conn=13; op=1
    # ds-soft-delete-entry-dn: entryUUID=54716bfd-fbc4-3108-ac37-bf6b1b166e37+uid=user.15,ou=People,dc=example,dc=com
    dn: uid=user.15,ou=People,dc=example,dc=com
    changetype: delete

Changelog

You can configure the changelog to capture soft-delete changes to entries so that external clients, such as PingDataSync server, can access these changes.

The ds-soft-delete-entry attribute marks an entry that has been soft-deleted; it is part of the source entry passed into the changelog and indicates that the entry has been soft-deleted.

All soft-delete operations appear in the changelog as regular DELETE operations. When a soft delete occurs, the resulting changelog entry includes a ds-soft-delete-entry-dn operational attribute with the value of the soft-deleted entry DN. PingDataSync Server recognizes the ds-soft-delete-entry-dn attribute and does nothing with it.

The changelog backend soft-delete-entry-included-operation property determines whether MODIFY or DELETE operations of soft-deleted entries appear in the changelog. This property is disabled by default.

Configuring soft deletes on the changelog backend

Steps

  1. To configure soft deletes on the changelog backend, run the following.

    $ bin/dsconfig set-backend-prop \
    --backend-name changelog \
    --set soft-delete-entry-included-operation:delete \
    --set soft-delete-entry-included-operation:modify
  2. Run a soft-delete operation on an entry.

  3. To review the changelog for the soft-deleted entry, run the following.

    $ bin/ldapsearch --baseDN cn=changelog \
      "(objectclass=*)" "+"
    Result:
    dn: cn=changelog
    subschemaSubentry: cn=schema
    entryUUID: 9920f7e9-5a04-392a-82a8-32662d7d3863
    ds-entry-checksum: 304022441

    dn: changeNumber=1,cn=changelog
    targetUniqueId: 94f634df-c90e-39aa-bd4a-9183c29746d0
    changeTime: 20120511154141Z
    ds-soft-delete-entry-dn: entryUUID=94f634df-c90e-39aa-bd4a-9183c29746d0+uid=user.9,ou=People,dc=example,dc=com
    modifyTimestamp: 20131010020345.546Z
    createTimestamp:: 20131010181148.630Z
    localCSN: 000001373C900852000000000003
    modifiersName: uid=admin,dc=example,dc=com
    entry-size-bytes: 298
    subschemaSubentry: cn=schema
    entryUUID: 459b06c6-89f3-307e-a515-22433eb420b6
    createTimestamp: 20120511154141.431Z
    modifyTimestamp: 20120511154141.431Z
    ds-entry-checksum: 1157320579