Monitoring soft deletes
The server provides monitor entries and log records to track all soft delete operations. The access and debug logs have no options specific to soft deletes.
New monitor entries
Two new monitor entries are present for a backend monitor entry.
Administrators see the following additional monitor entries on cn=userRoot Backend,cn=monitor:
ds-soft-delete-entry-operations-count - Displays the number of soft deletes performed on the backend since server startup.
ds-undelete-operations-count - Displays the number of undeletes performed on the backend since server startup.
ds-backend-soft-deleted-entry-count - Displays the current number of soft-deleted entries in the database.
ds-auto-purged-soft-deleted-entry-count - Displays the number of soft-deleted entries purged since the backend or server was restarted.
Monitoring soft deletes
Monitor soft deletes using the ldapsearch command.
Steps
- Run ldapsearch on the cn=userRoot Backend,cn=monitor branch using search criteria that target the ds-backend-monitor-entry object class.
Example:
$ bin/ldapsearch --baseDN "cn=userRoot Backend,cn=monitor" \
    --searchScope sub "(objectclass=ds-backend-monitor-entry)"
Result:
dn: cn=userRoot Backend,cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: ds-backend-monitor-entry
objectClass: extensibleObject
cn: userRoot Backend
ds-backend-id: userRoot
ds-backend-base-dn: dc=example,dc=com
ds-backend-is-private: FALSE
ds-backend-entry-count: 200001
ds-backend-soft-deleted-entry-count: 1000
ds-soft-delete-operations-count: 40
ds-undelete-operations-count: 20
ds-auto-purged-soft-deleted-entry-count: 0
ds-base-dn-entry-count: 200001 dc=example,dc=com
ds-backend-writability-mode: enabled
Access logs
The access log records the LDAP operations corresponding to soft delete and undelete for DELETE, SEARCH, MODIFY, and ADD operations, together with the related soft-delete values.
The access log does not require any configuration for soft delete.
DELETE (soft-delete) operations - The access log displays the following.
[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2 dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367 softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"
SEARCH operations for soft-deleted entries - The access log displays the following.
[14/May/2012:09:40:52.320 -0500] SEARCH RESULT conn=19 op=1 msgID=2 base="dc=example,dc=com" scope=2 filter="(objectclass=ds-soft-delete-entry)" attrs="ALL" resultCode=0 etime=1.631 entriesReturned=1
MODIFY operations of soft-deleted entries - The access log displays the following.
[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1 dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=2.639 changeToSoftDeletedEntry=true
ADD (soft-undelete) operations - The access log displays the following.
[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1 dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700 undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,ou=People,dc=example,dc=com"
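As an added example (not part of the original documentation), the following Python parses access log RESULT lines of the kinds shown above and pulls out the soft-delete, modify-of-soft-deleted and undelete events, keyed on the softDeleteEntryDN, changeToSoftDeletedEntry and undeleteFromDN fields. The sample lines are constructed from the examples on this page, and the key=value layout of the RESULT line is assumed to be exactly as shown.

```python
import re

# Constructed sample modelled on the access log lines shown above (not captured from a real server).
SAMPLE_ACCESS_LOG = """\
[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2 dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367 softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"
[14/May/2012:09:41:02.118 -0500] DELETE RESULT conn=18 op=2 msgID=3 dn="uid=user.7,ou=People,dc=example,dc=com" resultCode=0 etime=4.210
[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1 dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=2.639 changeToSoftDeletedEntry=true
[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1 dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700 undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,ou=People,dc=example,dc=com"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<op>\w+)\s+RESULT\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # quoted values may contain spaces and '='

def parse_result_line(line):
    """Return (timestamp, operation type, {field: value}) for a RESULT line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: q if q else b for k, q, b in KV_RE.findall(m.group('rest'))}
    return m.group('ts'), m.group('op'), fields

def classify(op, f):
    """Name the soft-delete event a successful RESULT line records, or None for any other operation."""
    if f.get('resultCode') != '0':
        return None  # a failed operation changed nothing
    if op == 'DELETE' and 'softDeleteEntryDN' in f:
        return 'soft-delete'  # plain DELETE lines (no softDeleteEntryDN) are regular deletes
    if op == 'MODIFY' and f.get('changeToSoftDeletedEntry') == 'true':
        return 'modify-soft-deleted'
    if op == 'ADD' and 'undeleteFromDN' in f:
        return 'undelete'
    return None

def soft_delete_events(log_text):
    """Return [(event, timestamp, conn, target dn, soft-deleted dn)] for every soft-delete-related line."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_result_line(line)
        if parsed is None:
            continue
        ts, op, f = parsed
        event = classify(op, f)
        if event is None:
            continue
        # the entryUUID-prefixed DN is explicit for DELETE/ADD; for MODIFY it is the target dn itself
        soft_dn = f.get('softDeleteEntryDN') or f.get('undeleteFromDN') or f.get('dn')
        events.append((event, ts, f.get('conn'), f.get('dn'), soft_dn))
    return events
```

Feed the function a real access log and the result is a per-connection trail of which live DNs were soft-deleted, touched while soft-deleted, and restored.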
Audit logs
The audit log captures any MODIFY and DELETE operations of soft-deleted entries. These changes are recorded as fully commented-out audit log entries. The audit log does not require any configuration for soft deletes.
For any soft-deleted entry, the audit log entry displays the ds-soft-delete-entry-dn property and its soft-deleted entry distinguished name (DN).
# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete
For any MODIFY changes made, the log displays the LDIF, the modifier's name, and the update time.
# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# replace: homePhone
# homePhone: +1 003 428 0966
#-
# replace: modifiersName
# modifiersName: uid=admin,dc=example,dc=com
#-
# replace: modifyTimestamp
# modifyTimestamp: 20131010020345.546Z
For any undelete of a soft-deleted entry, the log displays the ds-undelete-from-dn attribute plus the entry unique ID, create time, and creator's name.
# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
uid: user.2
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
ds-entry-unique-id:: vw1jg801S7GWrTiS3UE5DA==
createTimestamp:: 20131010181148.630Z
creatorsName: uid=admin,dc=example,dc=com
For hard (permanent) deletes of a soft-deleted entry, the log displays the soft-deleted entry DN that was removed.
# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
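As an added example, not taken from the product documentation, this Python reconstructs the soft-delete lifecycle of an entry from audit log records like the four above (soft delete, modification while soft-deleted, undelete, hard delete of the soft-deleted entry). It assumes records are separated by blank lines and that a commented-out dn: line marks a change made to a soft-deleted entry; the sample records are constructed from the page's examples.

```python
import re
# Constructed sample modelled on the audit log records shown above; records are separated by blank lines.
SAMPLE_AUDIT_LOG = """\
# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete

# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# replace: homePhone
# homePhone: +1 003 428 0966

# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com

# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
"""

HEADER_RE = re.compile(r'^# (?P<ts>[^;]+); conn=(?P<conn>\d+); op=(?P<op>\d+)$')
def audit_soft_delete_events(text):
    """Return (event, timestamp, conn, soft-deleted DN) for each record that touches a soft-deleted entry."""
    events = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        h = HEADER_RE.match(lines[0]) if lines else None
        if not h:
            continue  # not an audit record
        attrs, commented = {}, False
        for line in lines[1:]:
            is_comment = line.startswith('# ')
            attr, _, value = (line[2:] if is_comment else line).partition(': ')
            if attr == 'dn':
                commented = is_comment  # a commented-out dn: line means the whole LDIF change is commented out
            if value:
                attrs[attr] = value
        ct = attrs.get('changetype')
        if ct == 'delete' and 'ds-soft-delete-entry-dn' in attrs:
            events.append(('soft-delete', h['ts'], h['conn'], attrs['ds-soft-delete-entry-dn']))
        elif ct == 'add' and 'ds-undelete-from-dn' in attrs:
            events.append(('undelete', h['ts'], h['conn'], attrs['ds-undelete-from-dn']))
        elif commented and ct in ('modify', 'delete'):
            events.append((ct + '-soft-deleted', h['ts'], h['conn'], attrs.get('dn')))
    return events
```

Grouping the returned tuples by the entryUUID prefix of the soft-deleted DN gives a per-entry timeline, which is what an investigator needs to see who touched an entry between its soft delete and its restore or purge.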
Configuring the file-based audit log for soft deletes
Configure the file-based audit log for soft deletes.
Steps
- Enable the audit log if it is disabled.
Example:
$ bin/dsconfig set-log-publisher-prop --publisher-name "File-Based Audit Logger" \
    --set enabled:true
- View the audit log.
The soft-delete-entry-audit-behavior property is set to commented by default and provides additional information in comments about the soft-deleted entry that was either created or undeleted.
Example:
# 11/May/2012:15:33:17.552 -0500; conn=13; op=1
# ds-soft-delete-entry-dn: entryUUID=54716bfd-fbc4-3108-ac37-bf6b1b166e37+uid=user.15,ou=People,dc=example,dc=com
dn: uid=user.15,ou=People,dc=example,dc=com
changetype: delete
Changelog
You can configure the changelog to capture soft-delete changes to entries so that external clients, such as PingDataSync server, can access these changes.
The ds-soft-delete-entry attribute represents an entry that has been soft-deleted and is part of the source entry passed into the changelog to indicate that the entry has been soft-deleted.
All soft-delete operations appear in the changelog as regular DELETE operations. When a soft delete occurs, the resulting changelog entry includes a ds-soft-delete-entry-dn operational attribute with the value of the soft-deleted entry DN. PingDataSync Server recognizes the ds-soft-delete-entry-dn attribute and does nothing with it.
The changelog backend soft-delete-entry-included-operation property determines whether MODIFY or DELETE operations of soft-deleted entries appear in the changelog. This property is disabled by default.
Configuring soft deletes on the changelog backend
Steps
- To configure soft deletes on the changelog backend, run the following.
$ bin/dsconfig set-backend-prop \
    --backend-name changelog \
    --set soft-delete-entry-included-operation:delete \
    --set soft-delete-entry-included-operation:modify
- Run a soft-delete operation on an entry.
- To review the changelog for the soft-deleted entry, run the following.
$ bin/ldapsearch --baseDN cn=changelog \
    "(objectclass=*)" "+"
Result:
dn: cn=changelog
subschemaSubentry: cn=schema
entryUUID: 9920f7e9-5a04-392a-82a8-32662d7d3863
ds-entry-checksum: 304022441

dn: changeNumber=1,cn=changelog
targetUniqueId: 94f634df-c90e-39aa-bd4a-9183c29746d0
changeTime: 20120511154141Z
ds-soft-delete-entry-dn: entryUUID=94f634df-c90e-39aa-bd4a-9183c29746d0+uid=user.9,ou=People,dc=example,dc=com
modifyTimestamp: 20131010020345.546Z
createTimestamp:: 20131010181148.630Z
localCSN: 000001373C900852000000000003
modifiersName: uid=admin,dc=example,dc=com
entry-size-bytes: 298
subschemaSubentry: cn=schema
entryUUID: 459b06c6-89f3-307e-a515-22433eb420b6
createTimestamp: 20120511154141.431Z
modifyTimestamp: 20120511154141.431Z
ds-entry-checksum: 1157320579