As of version 3.2, the Directory Server supports two new Changelog Backend properties that allow access control filtering and sensitive attribute evaluation for targeted entries. External client applications can change the contents of attributes they can see in the targeted entry based on the access control rules applied to the associated base DN.
  • apply-access-controls-to-changelog-entry-contents. Indicates whether the contents of changelog entry attributes (i.e., changes, deletedEntryAttrs, ds-changelog-entry-key-attr-values, ds-changelog-before-values, and ds-changelog-after-values) are subject to access control and/or sensitive attribute evaluation to limit data that LDAP clients can see. The client must have the access control permissions to read changelog entries to retrieve them in any form. If this feature is enabled and the client does not have permission to read an entry at all, or if that client does not have permission to see any attributes that were targeted by the change, then the associated changelog entries targeted by those operations will be suppressed. If a client does not have permission to see certain attributes within the target entry, then references to those attributes in the changelog entry will also be suppressed. This property only applies to standard LDAP searches of the cn=changelog branch.

  • report-excluded-changelog-attributes. Indicates whether to include additional information about any attributes that may have been removed due to access control filtering. This property only applies to content removed as a result of processing performed by the apply-access-controls-to-changelog-entry-contents property. Possible values are:
    • none - Indicates that changelog entries should not include any information about attributes that have been removed.

    • attribute-counts - Indicates that changelog entries should include a count of user and/ or operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, the number of the excluded user attributes will be reported in the ds-changelog-num-excluded-user-attributes attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, then the number of the excluded operational attributes will be reported in the ds-changelog-num-excluded-operational-attributes attribute of the changelog entry. Both the ds-changelog-num-excluded-user-attributes and ds-changelog-num-excluded-operational-attributes are operational and must be explicitly requested by clients (or all operational attributes requested using "+") to be returned.

    • attribute-names - Indicates that changelog entries should include the names of user and/or operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, then the names of the excluded user attributes will be reported in the ds-changelog-excluded-user-attributes attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, then the names of the excluded operational attributes will be reported in the ds-change-log-excluded-operational-attribute attribute of the changelog entry. Both the ds- changelog-excluded-user-attribute and ds-changelog-excluded-operational-attribute attributes are operational and must be explicitly requested by clients (or all operational attributes requested via "+") to be returned.