Only admin users with the bypass-acl privilege can read the changelog.

  1. To apply access control filtering to standard LDAP searches that LDAP clients run against the cn=changelog backend, enable the apply-access-controls-to-changelog-entry-contents property.

    Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from a PingDirectory server that has the filter-changes-by-user Sync Pipe property set.

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "apply-access-controls-to-changelog-entry-contents:true"

  2. To include a count of the attributes that have been removed through access control filtering, set the report-excluded-changelog-attributes property.

    The count appears in the ds-changelog-num-excluded-user-attributes attribute for user attributes and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.

    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "report-excluded-changelog-attributes:attribute-counts"
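
With both properties set, the count attributes can be tallied from a client's changelog search output to see which change entries were trimmed for that identity. This is an added example, not part of the product documentation: the LDIF sample is constructed, and the changeNumber and targetDN attribute names and the integer count values are assumptions about the entry format.

```python
import base64

# Count attributes named on this page (compared in lower case); they appear
# when report-excluded-changelog-attributes is set to attribute-counts.
USER_ATTR = "ds-changelog-num-excluded-user-attributes"
OP_ATTR = "ds-changelog-num-excluded-operational-attributes"

# Constructed sample: LDIF as a non-admin search of cn=changelog might return it.
_DN_B64 = base64.b64encode(b"uid=jdoe,ou=People,dc=example,dc=com").decode()
SAMPLE_LDIF = f"""\
dn: changeNumber=101,cn=changelog
changeNumber: 101
targetDN:: {_DN_B64}
ds-changelog-num-excluded-user-attributes: 2
ds-changelog-num-excluded-operational-attributes: 1

dn: changeNumber=102,cn=changelog
changeNumber: 102
targetDN: uid=asmith,ou=People,dc=example,dc=com

dn: changeNumber=103,cn=changelog
changeNumber: 103
targetDN: uid=bwong,ou=People,
 dc=example,dc=com
ds-changelog-num-excluded-user-attributes: 4
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry, handling folded lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def filtered_changes(text):
    """Return (changeNumber, targetDN, user_count, op_count) for trimmed entries."""
    rows = []
    for e in parse_ldif(text):
        # A missing count attribute is treated as zero excluded attributes.
        user, op = (int(e.get(a, ["0"])[0]) for a in (USER_ATTR, OP_ATTR))
        if user or op:
            rows.append((e["changenumber"][0], e["targetdn"][0], user, op))
    return rows
```

Running the same search as an admin user with the bypass-acl privilege and comparing the two result sets shows which changes the access controls trim for the non-admin identity.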