Viewing the LDAP changelog, change sequence numbers, and monitoring information
View changelog entries using ldapsearch.
All records in the changelog are immediate children of the cn=changelog entry and are named with the changeNumber attribute. Changes are represented in the form documented in the draft-good-ldap-changelog specification with the targetDN attribute providing the distinguished name (DN) of the updated entry, the changeType attribute providing the type of operation (add, delete, modify, or modDN), and the changes attribute providing a base64-encoded representation of the attributes included in the entry (for add operations) or the changes made (for modify operations) in LDIF form. View the changes by decoding the encoded value using the base64 decode utility. The UnboundID LDAP SDK for Java also provides support for parsing changelog entries.
Viewing the LDAP changelog using ldapsearch
Steps
- By default, only users with the bypass-acl or bypass-read-acl privilege can access changelog entries. To allow other users to see changelog entries, use a global ACI like the following:
Example:
$ bin/dsconfig set-access-control-handler-prop --add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0; acl "Access to the changelog backend for the admin account"; allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)'
- Use ldapsearch to view the changelog.
Example:
$ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog --dontWrap "(objectclass=*)"
Result:
dn: cn=changelog
objectClass: top
objectClass: untypedObject
cn: changelog

dn: changeNumber=1,cn=changelog
objectClass: changeLogEntry
objectClass: top
targetDN: uid=user.0,ou=People,dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga
 G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp
 dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB
 0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG
 lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc
 GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo=
changenumber: 1

dn: changeNumber=2,cn=changelog
objectClass: changeLogEntry
objectClass: top
targetDN: dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
 zYwNDA5MzAwMDAwMDAyCgo=
changenumber: 2
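The decoding step described above can be scripted for change auditing. The following is an added example, not part of the original documentation: it unfolds ldapsearch LDIF output, base64-decodes the changes attribute, and reports modify operations that touch watch-listed attributes. The watch-list, the function names, and the changeNumber=3 entry are assumptions made for illustration.

```python
import base64

# Assumed watch-list of attributes whose modification deserves review.
SENSITIVE = {"userpassword", "aci", "ds-privilege-name"}
OPS = ("add", "delete", "replace", "increment")  # LDIF modify operation keywords

# Constructed sample: changeNumber=2 is the entry shown on this page, folded as
# ldapsearch printed it; changeNumber=3 is made up to show a sensitive change.
PW_CHANGE = base64.b64encode(b"replace: userPassword\nuserPassword: x\n-\n").decode()
SAMPLE_LDIF = f"""dn: changeNumber=2,cn=changelog
targetDN: dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
 zYwNDA5MzAwMDAwMDAyCgo=
changenumber: 2

dn: changeNumber=3,cn=changelog
targetDN: uid=user.0,ou=People,dc=example,dc=com
changeType: modify
changes:: {PW_CHANGE}
changenumber: 3
"""

def parse_changelog(ldif):
    """Return one dict per changelog entry, with base64 values decoded."""
    # LDIF folding: a line that starts with one space continues the previous line.
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(name.lower(), []).append(value.strip())
        if "changenumber" in rec:
            entries.append(rec)
    return entries

def modified_attributes(entry):
    """Attribute names given on the add:/delete:/replace: lines of a modify."""
    lines = entry.get("changes", [""])[0].splitlines()
    return [v.strip() for k, sep, v in (l.partition(":") for l in lines) if sep and k in OPS]

def sensitive_changes(ldif):
    """(changeNumber, targetDN, attribute) for each watch-listed attribute touched."""
    return [(int(e["changenumber"][0]), e["targetdn"][0], attr)
            for e in parse_changelog(ldif) if e.get("changetype") == ["modify"]
            for attr in modified_attributes(e) if attr.lower() in SENSITIVE]
```

Feed the function the text captured from the ldapsearch command above; the decoded changes can contain attribute values, so store the output with the same access restrictions as the changelog itself.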
Viewing the LDAP change sequence numbers
About this task
The changelog displays the server state information, which is important for failover between servers during synchronization operations. The server state information is exchanged between the servers in the network (LDAP servers and replication servers) as part of the protocol start message. It also helps the client application determine which server is most up-to-date.
Steps
- Make sure the uid=admin account has the necessary access rights to the cn=changelog backend.
Example:
$ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog --dontWrap "(objectclass=*)" "+"
Result:
dn: cn=changelog

dn: changeNumber=1,cn=changelog
entry-size-bytes: 182
targetUniqueId: 68147342-1f61-3465-8489-3de58c532130
changeTime: 20111023002624Z
lastReplicaCSN: 0000011D27184D9E303000000001
replicationCSN: 0000011D27184D9E303000000001
replicaIdentifier: 12336

dn: changeNumber=2,cn=changelog
entry-size-bytes: 263
targetUniqueId: 4e9b7847-edcb-3791-b11b-7505f4a55af4
changeTime: 20111023002624Z
lastReplicaCSN: 0000011D27184F2E303000000002
replicationCSN: 0000011D27184F2E303000000002
replicaIdentifier: 12336
Viewing LDAP changelog monitoring information
About this task
The changelog contains a monitor entry accessed over LDAP, JConsole, the administrative console, or SNMP. Make sure the account you’re using to request the monitor information has the necessary access rights to the data under cn=monitor. You might need to add a global ACI to grant the appropriate users permission to access monitor data.
Steps
- Use ldapsearch to view the changelog monitor entry.
Example:
$ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL --bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt --baseDN cn=changelog,cn=monitor "(objectclass=*)"
Result:
dn: cn=changelog,cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: extensibleObject
cn: changelog
changelog: cn=changelog
firstchangenumber: 1
lastchangenumber: 8
lastpurgedchangenumber: 0
firstReplicaChange: 16225:0000011D0205237F3F6100000001:5
firstReplicaChange: 16531:0000011CFF334C60409300000002:1
lastReplicaChange: 16225:0000011D02054E8B3F6100000002:7
lastReplicaChange: 16531:0000011CFF334C60409300000002:1
oldest-change-time: 20081015063104Z
...(more data)...