PingDirectory

Monitoring soft deletes

The server provides monitoring entries and logs to track all soft delete operations. The access and debug logs do not have any options specific for soft deletes.

New monitor entries

Two new monitor entries are present for a backend monitor entry.

Administrators see the following additional monitor entries on cn=userRoot Backend,cn=monitor:

ds-soft-delete-entry-operations-count

Displays the number of soft deletes performed on the backend since server startup.

ds-undelete-operations-count

Displays the number of undeletes performed on the backend since server startup.

ds-backend-soft-deleted-entry-count

Displays the current number of soft-deleted entries in the database.

ds-auto-purged-soft-deleted-entry-count

Displays the current number of soft-deleted entries purged since the backend or server was restarted.

Monitoring soft deletes

Monitor soft deletes using the ldapsearch command.

Steps

  • Run ldapsearch on the cn=userRoot Backend,cn=monitor branch using a search criteria targeting the ds-backend-monitor-entry object class.

    Example:
    $ bin/ldapsearch --baseDN "cn=userRoot Backend,cn=monitor" \
      --searchScope sub "(objectclass=ds-backend-monitor-entry)"
    Result:
    dn: cn=userRoot Backend,cn=monitor
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: ds-backend-monitor-entry
    objectClass: extensibleObject
    cn: userRoot Backend
    ds-backend-id: userRoot
    ds-backend-base-dn: dc=example,dc=com
    ds-backend-is-private: FALSE
    ds-backend-entry-count: 200001
    ds-backend-soft-deleted-entry-count: 1000
    ds-soft-delete-operations-count: 40
    ds-undelete-operations-count: 20
    ds-auto-purged-soft-deleted-entry-count: 0
    ds-base-dn-entry-count: 200001 dc=example,dc=com
    ds-backend-writability-mode: enabled

Access logs

The access log records the LDAP operations corresponding to soft delete and undelete for DELETE, SEARCH, MODIFY, and ADD operations with the related soft-deleted values.

The access log does not require any configuration for soft delete.

DELETE (soft-delete) operations

The access log displays the following.

[14/May/2012:09:40:16.942 -0500] DELETE RESULT conn=18 op=1 msgID=2
dn="uid=user.1,ou=People,dc=example,dc=com" resultCode=0 etime=30.367
softDeleteEntryDN="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,
ou=People,dc=example,dc=com"
SEARCH operations for soft-deleted entries

The access log displays the following.

[14/May/2012:09:40:52.320 -0500] SEARCH RESULT conn=19 op=1 msgID=2
base="dc=example,dc=com" scope=2 filter="(objectclass=ds-soft-delete-entry)"
attrs="ALL" resultCode=0 etime=1.631 entriesReturned=1
MODIFY operations of soft-deleted entries

The access log displays the following.

[14/May/2012:09:42:43.679 -0500] MODIFY RESULT conn=20 op=1 msgID=1
dn="entryUUID=4e9b7847-edcb-3791-b11b-7505f4a55af4+uid=user.1,ou=People,dc=exam-
ple,dc=com" resultCode=0 etime=2.639 changeToSoftDeletedEntry=true
ADD (soft-undelete) operations

The access log displays the following.

[14/May/2012:09:58:16.728 -0500] ADD RESULT conn=25 op=1 msgID=1
dn="uid=user.0,ou=People,dc=example,dc=com" resultCode=0 etime=22.700
undeleteFromDN="entryUUID=ad55a34a-763f-358f-93f9-da86f9ecd9e4+uid=user.0,
ou=People,dc=example,dc=com"

Audit logs

The audit log captures any MODIFY and DELETE operations of soft-deleted entries.

These changes are recorded as fully commented-out audit log entries. The audit log does not require any configuration for soft deletes.

For any soft-deleted entry, the audit log entry displays the ds-soft-delete-entry-dn property and its soft-deleted entry distinguished name (DN).

# 14/May/2012:10:57:09.054 -0500; conn=30; op=1
# ds-soft-delete-entry-dn: entryUUID=68147342-1f61-3465-8489-
3de58c532130+uid=user.2,ou=People,dc=example,dc=com
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: delete

For any MODIFY changes made, the log displays the LDIF, the modifier’s name, and update time.

# 14/May/2012:10:58:33.566 -0500; conn=33; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=exam-
ple,dc=com
# changetype: modify
# replace: homePhone
# homePhone: +1 003 428 0966
#-
# replace: modifiersName
# modifiersName: uid=admin,dc=example,dc=com
#-
# replace: modifyTimestamp
# modifyTimestamp: 20131010020345.546Z

For any undelete of a soft-deleted entry, the log displays the ds-undelete-from-dn attribute plus the entry unique ID, create time, and creator’s name.

# 14/May/2012:10:59:21.754 -0500; conn=34; op=1
dn: uid=user.2,ou=People,dc=example,dc=com
changetype: add
uid: user.2
ds-undelete-from-dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=Peo-
ple,dc=example,dc=com
ds-entry-unique-id:: vw1jg801S7GWrTiS3UE5DA==
createTimestamp:: 20131010181148.630Z
creatorsName: uid=admin,dc=example,dc=com

For hard (permanent) deletes of a soft-deleted entry, the log displays the soft-deleted entry DN that was removed.

# 14/May/2012:11:00:14.055 -0500; conn=36; op=1
# dn: entryUUID=68147342-1f61-3465-8489-3de58c532130+uid=user.2,ou=People,dc=exam-
ple,dc=com
# changetype: delete

Configuring the file-based audit log for soft deletes

Configure the file-based audit log for soft deletes.

Steps

  1. Enable the audit log if it is disabled.

    Example:
    $ bin/dsconfig set-log-publisher-prop --publisher-name "File-Based Audit Logger" \
    --set enabled:true
  2. View the audit log.

    The soft-delete-entry-audit-behavior property is set to commented by default and provides additional information in comments about the soft-deleted entry that was either created or undeleted.

    Example:
    # 11/May/2012:15:33:17.552 -0500; conn=13; op=1
    # ds-soft-delete-entry-dn:entryUUID=54716bfd-fbc4-3108-ac37-
    bf6b1b166e37+uid=user.15,ou=People,dc=example,dc=com
    dn: uid=user.15,ou=People,dc=example,dc=com
    changetype: delete

Changelog

You can configure the changelog to capture soft-delete changes to entries so that external clients, such as PingDataSync server, can access these changes.

The ds-soft-delete-entry attribute represents an entry that has been soft-deleted and is part of the source entry passed into the changelog to indicate the entry has been soft-deleted.

All soft-delete operations appear in the changelog as regular DELETE operations. When a soft delete occurs, the resulting changelog entry includes a ds-soft-delete-entry-dn operational attribute with the value of the soft-deleted entry DN. PingDataSync Server recognizes the ds-soft-delete-entry-dn attribute and does nothing with it.

The changelog backend soft-delete-entry-included-operation property determines whether MODIFY or DELETE operations of soft-deleted entries appear in the changelog. This property is disabled by default.

Configuring soft deletes on the changelog backend

Steps

  1. To configure soft deletes on the changelog backend, run the following.

    $ bin/dsconfig set-backend-prop \
    --backend-name changelog \
    --set soft-delete-entry-included-operation:delete \
    --set soft-delete-entry-included-operation:modify
  2. Run a soft-delete operation on an entry.

  3. To review the changelog for the soft-deleted entry, run the following.

    $ bin/ldapsearch --baseDN cn=changelog \
      "(objectclass=*)" "+"
    Result:
    dn: cn=changelog
    subschemaSubentry: cn=schema
    entryUUID: 9920f7e9-5a04-392a-82a8-32662d7d3863
    ds-entry-checksum: 304022441
    dn: changeNumber=1,cn=changelog
    targetUniqueId: 94f634df-c90e-39aa-bd4a-9183c29746d0
    changeTime: 20120511154141Z
    ds-soft-delete-entry-dn: entryUUID=94f634df-c90e-39aa-bd4a-
    9183c29746d0+uid=user.9,ou=People,dc=example,dc=com
    modifyTimestamp: 20131010020345.546Z
    createTimestamp:: 20131010181148.630Z
    localCSN: 000001373C900852000000000003
    modifiersName: uid=admin,dc=example,dc=com
    entry-size-bytes: 298
    subschemaSubentry: cn=schema
    entryUUID: 459b06c6-89f3-307e-a515-22433eb420b6
    createTimestamp: 20120511154141.431Z
    modifyTimestamp: 20120511154141.431Z
    ds-entry-checksum: 1157320579