Monitoring soft deletes
The server provides monitoring entries and logs to track all soft delete operations. The access and debug logs do not have any options specific to soft deletes.
New monitor entries
Two new monitor entries are present for a backend monitor entry.
Administrators see the following additional monitor entries on cn=userRoot Backend,cn=monitor:
ds-soft-delete-entry-operations-count - Displays the number of soft deletes performed on the backend since server startup.
ds-undelete-operations-count - Displays the number of undeletes performed on the backend since server startup.
ds-backend-soft-deleted-entry-count - Displays the current number of soft-deleted entries in the database.
ds-auto-purged-soft-deleted-entry-count - Displays the current number of soft-deleted entries purged since the backend or server was restarted.
Access logs
The access log records the LDAP operations corresponding to soft delete and undelete for DELETE, SEARCH, MODIFY, and ADD operations with the related soft-deleted values.
The access log does not require any configuration for soft delete.
DELETE (soft-delete) operations - The access log displays the following.
[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2 dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367 softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com"
SEARCH operations for soft-deleted entries - The access log displays the following.
[14/May/2012:09:40:52.320 -0500] SEARCH RESULT conn=19 op=1 msgID=2 base="dc=example,dc=com" scope=2 filter="(objectclass=ds-soft-delete-entry)" attrs="ALL" resultCode=0 etime=1.631 entriesReturned=1
MODIFY operations of soft-deleted entries - The access log displays the following.
[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1 dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=2.639 changeToSoftDeletedEntry=true
ADD (soft-undelete) operations - The access log displays the following.
[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1 dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700 undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,ou=People,dc=example,dc=com"
Audit logs
The audit log captures any MODIFY and DELETE operations of soft-deleted entries.
These changes are recorded as fully commented-out audit log entries. The audit log does not require any configuration for soft deletes.
For any soft-deleted entry, the audit log entry displays the ds-soft-delete-entry-dn property and its soft-deleted entry distinguished name (DN).
# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete
For any MODIFY changes made, the log displays the LDIF, the modifier's name, and update time.
# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# replace: homePhone
# homePhone: +1 003 428 0966
#-
# replace: modifiersName
# modifiersName: uid=admin,dc=example,dc=com
#-
# replace: modifyTimestamp
# modifyTimestamp: 20131010020345.546Z
For any undelete of a soft-deleted entry, the log displays the ds-undelete-from-dn attribute plus the entry unique ID, create time, and creator's name.
# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
uid: user.2
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
ds-entry-unique-id:: vw1jg801S7GWrTiS3UE5DA==
createTimestamp:: 20131010181148.630Z
creatorsName: uid=admin,dc=example,dc=com
For hard (permanent) deletes of a soft-deleted entry, the log displays the soft-deleted entry DN that was removed.
# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
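The four audit log shapes described above can be told apart by which LDIF lines are commented out. The following is an added example, not part of the product documentation: the function names are illustrative, the sample is constructed from the entries above, and it assumes soft-deleted entry DNs begin with entryUUID= as they do in those entries.

```python
import re
# Constructed sample: trimmed versions of the four audit log entries shown above.
SAMPLE = """\
# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete
# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: modify
# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=example,dc=com
# changetype: delete
"""

HEADER = re.compile(r'^# (\S+ [+-]\d{4}); conn=(\d+); op=(\d+)$')

def records(text):
    """Yield one dict per entry, keeping commented-out and live LDIF lines apart."""
    rec = None
    for line in map(str.rstrip, text.splitlines()):
        m = HEADER.match(line)
        if m:  # a header comment starts a new entry
            if rec:
                yield rec
            rec = {'ts': m[1], 'conn': int(m[2]), 'live': {}, 'commented': {}}
        elif rec is not None and ':' in line:
            bucket = 'commented' if line.startswith('#') else 'live'
            key, _, val = line.lstrip('# ').partition(':')
            rec[bucket].setdefault(key.strip(), val.lstrip(': ').strip())
    if rec:
        yield rec

def classify(rec):
    live, hidden = rec['live'], rec['commented']
    if live.get('changetype') == 'delete' and 'ds-soft-delete-entry-dn' in hidden:
        return 'soft-delete'
    if live.get('changetype') == 'add' and 'ds-undelete-from-dn' in live:
        return 'undelete'
    # Fully commented-out entry: a change made to the soft-deleted entry itself.
    if not live and hidden.get('dn', '').startswith('entryUUID='):
        return {'modify': 'modify-soft-deleted', 'delete': 'hard-delete-soft-deleted'}.get(hidden.get('changetype'), 'other')
    return 'other'

print([classify(r) for r in records(SAMPLE)])
```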
Changelog
You can configure the changelog to capture soft-delete changes to entries so that external clients, such as PingDataSync Server, can access these changes.
The ds-soft-delete-entry attribute represents an entry that has been soft-deleted and is part of the source entry passed into the changelog to indicate the entry has been soft-deleted.
All soft-delete operations appear in the changelog as regular DELETE operations. When a soft delete occurs, the resulting changelog entry includes a ds-soft-delete-entry-dn operational attribute with the value of the soft-deleted entry DN. PingDataSync Server recognizes the ds-soft-delete-entry-dn attribute and does nothing with it.
The changelog backend soft-delete-entry-included-operation property determines whether MODIFY or DELETE operations of soft-deleted entries appear in the changelog. This property is disabled by default.