Change logging
The PingDirectory server can be configured to maintain an LDAP-accessible changelog with a record of changes that have been processed in the server.
It is based on the specification in draft-good-ldap-changelog, but includes several proprietary enhancements that provide access to additional useful information. This can include:
- The values of updated attributes as they appeared before and after the change
- The values of a configured set of key attributes from the entry, even if they weren't altered by the change
- The content of an entry that was deleted
- The values of virtual attributes from the entry
The changelog can be useful for auditing changes that have been processed in the server, as well as for synchronizing changes to other systems. It is disabled by default, but it can be enabled with the following configuration change:
```
dsconfig set-backend-prop \
  --backend-name changelog \
  --set enabled:true
```
Additional properties that you might want to use to customize the changelog configuration include the following.
Property | Description
---|---
 | Specifies which attributes are included in changelog entries for add and modify operations. If this is specified, then only those attributes are included, even if the operation added or updated other attributes.
 | Specifies which attributes should be excluded from changelog entries for add and modify operations. By default, the changelog excludes several attributes that might contain sensitive information that is unlikely to be required externally. However, encoded passwords are not excluded by default because it might be necessary to synchronize them to other systems.
 | Specifies which attributes should be included in changelog entries for delete operations. By default, all user attributes are included, but operational attributes are not.
 | Specifies which attributes should be excluded from changelog entries for delete operations.
 | An optional set of attributes that should be included in changelog entries, even if they were not changed in the course of processing the operation.
 | Indicates that the changelog entry should include up to the specified number of before and after values for the updated attributes. This is zero by default to indicate that before and after values should not be included, but if it is changed to a nonzero value, then before and after values are included for any changed attributes whose value count is below this limit.
 | Indicates whether to log modifications in reversible form, which contains enough information to allow the change to be reverted. By default, changes are logged using the set of modifications as the client requested them.
 | Indicates which types of virtual attributes should be included in changelog entries. This might include zero or more of the following:
 | Indicates whether the server should pare down the contents of each changelog entry based on the requester's access control rights for the updated entry.
 | Indicates whether to report information about any attributes that were excluded from the changelog entry on the basis of the
 | Indicates whether to include operations that target soft-deleted entries. By default, operations that target soft-deleted entries are not included, but they can be included with one or more of the following values:
By default, the server does not include any access control rules that grant users access to retrieve changelog entries. As such, only users with the bypass-acl or bypass-read-acl privilege can see them. If you want to grant access to other users who are subject to access control evaluation, you must do so using global ACIs.
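Consuming the changelog for synchronization means parsing entries in the draft-good-ldap-changelog format. The following Python script is an added example, not code from the PingDirectory documentation: it parses a constructed sample entry using only the draft's standard attributes (changeNumber, targetDN, changeType, changes; none of the proprietary before/after extensions) and flags modifications that touch attributes such as userPassword, which the changelog does not exclude by default.

```python
import base64

# Constructed sample: one changelog entry as a search under cn=changelog would
# return it. 'changes' is LDIF modify syntax with newlines, hence base64 ('::').
SAMPLE_CHANGES = ("replace: mail\nmail: jdoe@example.com\n-\n"
                  "add: userPassword\nuserPassword: {SSHA}constructed\n-\n")
SAMPLE_ENTRY = ("dn: changeNumber=42,cn=changelog\n"
                "changeNumber: 42\n"
                "targetDN: uid=jdoe,ou=People,dc=example,dc=com\n"
                "changeType: modify\n"
                "changes:: " + base64.b64encode(SAMPLE_CHANGES.encode()).decode() + "\n")

def parse_ldif_entry(text):
    """Return {attr.lower(): [values]} for one LDIF entry, decoding '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF line continuation
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs

def parse_changes(changes):
    """Parse an LDIF modify body into (op, attr, [values]) tuples."""
    mods, current = [], None
    for line in changes.splitlines():
        if line == "-":                        # end of one modification
            if current: mods.append(current)
            current = None
        elif current is None:
            op, _, attr = line.partition(":")
            current = (op.strip(), attr.strip(), [])
        else:
            current[2].append(line.partition(":")[2].strip())
    return mods + ([current] if current else [])

def summarize(entry_text, sensitive=("userpassword",)):
    """Structured view of a changelog entry; flags sensitive attributes touched."""
    e = parse_ldif_entry(entry_text)
    change_type = e["changetype"][0]
    mods = parse_changes(e["changes"][0]) if change_type == "modify" else []
    return {"change_number": int(e["changenumber"][0]), "target_dn": e["targetdn"][0],
            "change_type": change_type, "mods": mods,
            "touches_sensitive": any(a.lower() in sensitive for _, a, _ in mods)}
```

A sync consumer would call summarize() on each entry read under cn=changelog and can use the touches_sensitive flag to decide whether a change is allowed to leave the directory.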