1. By default, only users with the bypass-acl or bypass-read-acl privilege can access changelog entries. To grant control permission to allow other users to see changelog entries, use a global ACI like the following: 
    $ bin/dsconfig set-access-control-handler-prop 
--add 'global-aci:(targetattr="*||+")(target="ldap:///cn=changelog")(version 3.0; 
acl "Access to the changelog backend for the admin account"; 
allow (read,search,compare) userdn="ldap:///uid=admin,dc=example,dc=com";)'
  2. Use ldapsearch to view the changelog. 
    $ bin/ldapsearch --hostname ds.example.com --port 636 --useSSL 
--bindDN "uid=admin,dc=example,dc=com" --bindPasswordFile admin-password.txt 
--baseDN cn=changelog --dontWrap "(objectclass=*)"
    dn: cn=changelog 
objectClass: top 
objectClass: untypedObject 
cn: changelog

dn: changeNumber=1,cn=changelog 
objectClass: changeLogEntry 
objectClass: top 
targetDN: uid=user.0,ou=People,dc=example,dc=com 
changeType: modify
changes:: cmVwbGFjZTogbW9iaWxlCm1vYmlsZTogKzEgMDIwIDE1NCA5Mzk4Ci0KcmVwbGFjZToga
G9tZVBob25lCmhvbWVQaG9uZTogKzEgMjI1IDIxNiA0OTQ5Ci0KcmVwbGFjZTogZ2l2ZW5OYW1lCmdp
dmVuTmFtZTogQWFyb24KLQpyZXBsYWNlOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogdGhpcyBpcyB
0aGUgZGVzY3JpcHRpb24gZm9yIEFhcm9uIEF0cC4KLQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZG
lmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlc
GxhY2U6IGRzLXVwZGF0ZS10aW1lCmRzLXVwZGF0ZS10aW1lOjogQUFBQkhQOHpUR0E9Cgo= 
changenumber: 1

dn: changeNumber=2,cn=changelog 
objectClass: changeLogEntry
objectClass: top 
targetDN: dc=example,dc=com 
changeType: modify 
changes:: cmVwbGFjZTogZHMtc3luYy1zdGF0ZQpkcy1zeW5jLXN0YXRlOiAwMDAwMDExQ0ZGMzM0Q
zYwNDA5MzAwMDAwMDAyCgo= 
changenumber: 2