PingDirectory

Viewing the LDAP changelog, change sequence numbers, and monitoring information

View changelog entries using ldapsearch.

All records in the changelog are immediate children of the cn=changelog entry and are named with the changeNumber attribute. Changes are represented in the form documented in the draft-good-ldap-changelog specification with the targetDN attribute providing the distinguished name (DN) of the updated entry, the changeType attribute providing the type of operation (add, delete, modify, or modDN), and the changes attribute providing a base64-encoded representation of the attributes included in the entry (for add operations) or the changes made (for modify operations) in LDIF form. View the changes by decoding the encoded value using the base64 decode utility. The UnboundID LDAP SDK for Java also provides support for parsing changelog entries.

Viewing the LDAP changelog using ldapsearch

Steps

  1. By default, only users with the bypass-acl or bypass-read-acl privilege can access changelog entries. To grant control permission to allow other users to see changelog entries, use a global ACI like the following:

    Example:

    $ bin/dsconfig set-access-control-handler-prop
--add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0;
acl "Access to the changelog backend for the admin account";
allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)'

  2. Use ldapsearch to view the changelog.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL
--bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt
--baseDN cn=changelog --dontWrap "(objectclass=*)"

    Result:

    dn: cn=changelog
objectClass: top
objectClass: untypedObject
cn: changelog

dn: changeNumber=1,cn=changelog
objectClass: changeLogEntry
objectClass: top
targetDN: uid=user.0,ou=People,dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga
G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp
dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB
0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG
lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc
GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo=
changenumber: 1

dn: changeNumber=2,cn=changelog
objectClass: changeLogEntry
objectClass: top
targetDN: dc=example,dc=com
changeType: modify
changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
zYwNDA5MzAwMDAwMDAyCgo=
changenumber: 2

Viewing the LDAP change sequence numbers

About this task

The changelog displays the server state information, which is important for failover between servers during synchronization operations. The server state information is exchanged between the servers in the network (LDAP servers and replication servers) as part of the protocol start message. It also helps the client application determine which server is most up-to-date.

Steps

  • Make sure the uid=admin account has the necessary access rights to the cn=changelog backend.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL
--bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt
--baseDN cn=changelog --dontWrap "(objectclass=*)" "+"

    Result:

    dn: cn=changelog

dn: changeNumber=1,cn=changelog
entry-size-bytes: 182
targetUniqueId: 68147342-1f61-3465-8489-3de58c532130
changeTime: 20111023002624Z
lastReplicaCSN: 0000011D27184D9E303000000001
replicationCSN: 0000011D27184D9E303000000001
replicaIdentifier: 12336

dn: changeNumber=2,cn=changelog
entry-size-bytes: 263
targetUniqueId: 4e9b7847-edcb-3791-b11b-7505f4a55af4
changeTime: 20111023002624Z
lastReplicaCSN: 0000011D27184F2E303000000002
replicationCSN: 0000011D27184F2E303000000002
replicaIdentifier: 12336

Viewing LDAP changelog monitoring information

About this task

The changelog contains a monitor entry accessed over LDAP, JConsole, the administrative console, or SNMP. Make sure the account you’re using to request the monitor information has the necessary access rights to the data under cn=monitor. You might need to add a global ACI to grant the appropriate users permission to access monitor data.

Steps

  • Use ldapsearch to view the changelog monitor entry.

    Example:

    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL
--bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt
--baseDN cn=changelog,cn=monitor "(objectclass=*)"

    Result:

    dn: cn=changelog,cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: extensibleObject
cn: changelog
changelog: cn=changelog
firstchangenumber: 1
lastchangenumber: 8
lastpurgedchangenumber: 0
firstReplicaChange: 16225:0000011D0205237F3F6100000001:5
firstReplicaChange: 16531:0000011CFF334C60409300000002:1
lastReplicaChange: 16225:0000011D02054E8B3F6100000002:7
lastReplicaChange: 16531:0000011CFF334C60409300000002:1
oldest-change-time: 20081015063104Z
...(more data)...