PingDirectory

Viewing the LDAP changelog using ldapsearch

Steps

  1. By default, only users with the bypass-acl or bypass-read-acl privilege can access changelog entries. To let other users see changelog entries, grant them access with a global ACI like the following:

    Example:

    $ bin/dsconfig set-access-control-handler-prop \
      --add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0; acl "Access to the changelog backend for the admin account"; allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)'
  2. Use ldapsearch to view the changelog.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL \
      --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt \
      --baseDN cn=changelog --dontWrap "(objectclass=*)"

    Result:

    dn: cn=changelog
    objectClass: top
    objectClass: untypedObject
    cn: changelog
    
    dn: changeNumber=1,cn=changelog
    objectClass: changeLogEntry
    objectClass: top
    targetDN: uid=user.0,ou=People,dc=example,dc=com
    changeType: modify
    changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga
    G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp
    dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB
    0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG
    lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc
    GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo=
    changenumber: 1
    
    dn: changeNumber=2,cn=changelog
    objectClass: changeLogEntry
    objectClass: top
    targetDN: dc=example,dc=com
    changeType: modify
    changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
    zYwNDA5MzAwMDAwMDAyCgo=
    changenumber: 2
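
The `changes` attribute in each changelog entry is LDIF that ldapsearch prints base64-encoded (the `::` separator), so reading it by eye is impractical when reviewing who modified what. The following added Python example, which is not part of the PingDirectory documentation, parses ldapsearch output in the shape shown above, unfolds continuation lines, decodes the `changes::` value and lists each modification per entry; the sample LDIF, the change number and the DNs in it are constructed for the example.

```python
import base64

# Constructed sample shaped like the ldapsearch result above (not real data); the
# `changes` value is base64 LDIF, folded at column 60 and continued by a leading space.
_B64 = base64.b64encode(b"replace: mobile\nmobile: +1 555 0100\n-\nreplace: modifiersName\n"
                        b"modifiersName: cn=Directory Manager,cn=Root DNs,cn=config\n-\n").decode()
SAMPLE_LDIF = ("dn: cn=changelog\nobjectClass: top\ncn: changelog\n\ndn: changeNumber=7,cn=changelog\n"
               "objectClass: changeLogEntry\nobjectClass: top\ntargetDN: uid=user.0,ou=People,dc=example,dc=com\n"
               f"changeType: modify\nchanges:: {_B64[:60]}\n {_B64[60:]}\nchangenumber: 7\n")

def split_attr(line):
    """'attr: value' or 'attr:: base64value' -> (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):  # '::' marks a base64 value; binary ones (e.g. ds-update-time) stay printable
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "backslashreplace")
    return attr.strip(), rest.strip()

def parse_entries(ldif):
    """Blank-line-separated LDIF entries as dicts of lowercase attribute -> [values]."""
    entries, cur = [], {}
    # LDIF folds long values: a line starting with a space continues the previous one.
    for line in ldif.replace("\n ", "").splitlines() + [""]:
        if line.strip():
            attr, value = split_attr(line)
            cur.setdefault(attr.lower(), []).append(value)
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def parse_changes(changes):
    """Decoded `changes` -> [(op, attr, [values])]; each block is 'op: attr', values, then '-'."""
    mods, block = [], []
    for line in changes.replace("\n ", "").splitlines() + ["-"]:
        if line.strip() == "-" and block:
            mods.append((block[0][0], block[0][1], [v for _, v in block[1:]]))
            block = []
        elif line.strip() not in ("", "-"):
            block.append(split_attr(line))
    return mods

def changelog_summary(ldif):
    """One record per changeLogEntry: target DN, change type and the decoded modifications."""
    records = []
    for e in parse_entries(ldif):
        if "changelogentry" in [v.lower() for v in e.get("objectclass", [])]:  # skips cn=changelog itself
            records.append({"changeNumber": int(e["changenumber"][0]), "targetDN": e["targetdn"][0],
                            "changeType": e["changetype"][0],  # delete entries carry no `changes`
                            "mods": parse_changes(e["changes"][0]) if "changes" in e else []})
    return records
```

Feed it the saved output of the ldapsearch command from step 2 (for example `changelog_summary(open("changelog.ldif").read())`) to get one record per change number, with the modifiersName modification showing which account made the change.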