PingDirectory

Viewing the LDAP changelog, change sequence numbers, and monitoring information

View changelog entries using ldapsearch.

All records in the changelog are immediate children of the cn=changelog entry and are named by their changeNumber attribute. Entries use the form documented in the draft-good-ldap-changelog specification: the targetDN attribute gives the distinguished name (DN) of the updated entry, the changeType attribute gives the type of operation (add, delete, modify, or modDN), and the changes attribute holds a base64-encoded LDIF representation of the attributes included in the entry (for add operations) or of the modifications made (for modify operations). To view the changes, decode the value with the base64 decode utility. The UnboundID LDAP SDK for Java also provides support for parsing changelog entries.

Viewing the LDAP changelog using ldapsearch

Steps

  1. By default, only users with the bypass-acl or bypass-read-acl privilege can access changelog entries. To allow other users to see changelog entries, add a global ACI like the following:

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
    --add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0;
    acl "Access to the changelog backend for the admin account";
    allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)'
  2. Use ldapsearch to view the changelog.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL \
    --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt \
    --baseDN cn=changelog --dontWrap "(objectclass=*)"

    Result:

    dn: cn=changelog
    objectClass: top
    objectClass: untypedObject
    cn: changelog
    
    dn: changeNumber=1,cn=changelog
    objectClass: changeLogEntry
    objectClass: top
    targetDN: uid=user.0,ou=People,dc=example,dc=com
    changeType: modify
    changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga
    G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp
    dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB
    0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG
    lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc
    GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo=
    changenumber: 1
    
    dn: changeNumber=2,cn=changelog
    objectClass: changeLogEntry
    objectClass: top
    targetDN: dc=example,dc=com
    changeType: modify
    changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
    zYwNDA5MzAwMDAwMDAyCgo=
    changenumber: 2

Viewing the LDAP change sequence numbers

About this task

The changelog exposes server state information (the change sequence numbers, or CSNs, of each change), which is important for failover between servers during synchronization operations. The server state information is exchanged between the servers in the network (LDAP servers and replication servers) as part of the protocol start message. It also helps a client application determine which server is most up-to-date.

Steps

  • Make sure the uid=admin account has the necessary access rights to the cn=changelog backend, then search it requesting the operational attributes ("+"), which carry the CSNs.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL \
    --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt \
    --baseDN cn=changelog --dontWrap "(objectclass=*)" "+"

    Result:

    dn: cn=changelog
    
    dn: changeNumber=1,cn=changelog
    entry-size-bytes: 182
    targetUniqueId: 68147342-1f61-3465-8489-3de58c532130
    changeTime: 20111023002624Z
    lastReplicaCSN: 0000011D27184D9E303000000001
    replicationCSN: 0000011D27184D9E303000000001
    replicaIdentifier: 12336
    
    dn: changeNumber=2,cn=changelog
    entry-size-bytes: 263
    targetUniqueId: 4e9b7847-edcb-3791-b11b-7505f4a55af4
    changeTime: 20111023002624Z
    lastReplicaCSN: 0000011D27184F2E303000000002
    replicationCSN: 0000011D27184F2E303000000002
    replicaIdentifier: 12336
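As an added example (not PingDirectory's own tooling and not the UnboundID LDAP SDK), the following Python script decodes the two kinds of output shown above: it parses the LDIF returned by ldapsearch, base64-decodes the changes attribute into its individual modifications, and splits a CSN into its timestamp, replica id and sequence number. The sample entry is constructed, and the CSN field layout (16 hex digits of epoch milliseconds, 4 of replica id, 8 of sequence number) is an assumption inferred from the values above, where the replica field 0x3030 matches replicaIdentifier 12336.

```python
import base64
from datetime import datetime, timedelta, timezone
# Constructed sample in the shape of the ldapsearch result above (not the page's own bytes).
_MODS = b"replace: mobile\nmobile: +1 020 154 9398\n-\nreplace: description\ndescription: sample\n-\n"
SAMPLE_ENTRY = (
    "dn: changeNumber=1,cn=changelog\ntargetDN: uid=user.0,ou=People,dc=example,dc=com\n"
    "changeType: modify\nchanges:: " + base64.b64encode(_MODS).decode() + "\n"
    "replicationCSN: 0000011D27184D9E303000000001\nchangeNumber: 1\n"
)

def parse_ldif_entry(text):
    """Return {attr_lower: [values]} for one LDIF entry: a leading space continues
    the previous line (RFC 2849 folding) and '::' marks a base64-encoded value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def split_modifications(changes_ldif):
    """Split the decoded 'changes' value at its '-' separators, one group per modification."""
    mods, current = [], []
    for line in changes_ldif.splitlines():
        if line == "-":
            mods, current = mods + [current], []
        elif line:
            current.append(line)
    return mods + ([current] if current else [])

def parse_csn(csn):
    """Decode a 28-hex-digit CSN: 16 digits epoch milliseconds, 4 digits replica id,
    8 digits sequence number (assumed layout; replica 0x3030 above == replicaIdentifier 12336)."""
    if len(csn) != 28 or not all(c in "0123456789abcdefABCDEF" for c in csn):
        raise ValueError("malformed CSN: %r" % csn)
    millis = int(csn[:16], 16)
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=millis)
    return {"time": when.isoformat(timespec="milliseconds"),
            "replica_id": int(csn[16:20], 16), "seq": int(csn[20:], 16)}
```

Feeding the real result of the changelog search above through parse_ldif_entry and split_modifications shows each replace in clear text, and parse_csn applied to lastReplicaCSN confirms which replica and which sequence position a change came from.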

Viewing LDAP changelog monitoring information

About this task

The changelog has a monitor entry that can be accessed over LDAP, JConsole, the administrative console, or SNMP. Make sure the account you’re using to request the monitor information has the necessary access rights to the data under cn=monitor. You might need to add a global ACI to grant the appropriate users permission to access monitor data.

Steps

  • Use ldapsearch to view the changelog monitor entry.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL \
    --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt \
    --baseDN cn=changelog,cn=monitor "(objectclass=*)"

    Result:

    dn: cn=changelog,cn=monitor
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: extensibleObject
    cn: changelog
    changelog: cn=changelog
    firstchangenumber: 1
    lastchangenumber: 8
    lastpurgedchangenumber: 0
    firstReplicaChange: 16225:0000011D0205237F3F6100000001:5
    firstReplicaChange: 16531:0000011CFF334C60409300000002:1
    lastReplicaChange: 16225:0000011D02054E8B3F6100000002:7
    lastReplicaChange: 16531:0000011CFF334C60409300000002:1
    oldest-change-time: 20081015063104Z
    ...(more data)...