To apply access control to the LDAP Changelog, use the dsconfig tool to set the following properties on the Changelog Backend. Only admin users with the bypass-acl privilege can read the changelog.

  1. Enable the apply-access-controls-to-changelog-entry-contents property so that the changelog entries returned to LDAP clients by standard LDAP searches of the cn=changelog backend are subject to access control filtering.
    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "apply-access-controls-to-changelog-entry-contents:true"

    Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the Changelog Backend is servicing requests from a PingDataSync Server that has the filter-changes-by-user Sync Pipe property set.

  2. Optional. Set the report-excluded-changelog-attributes property to include, in each changelog entry, a count of the attributes that access control filtering removed from it. The count of removed user attributes appears in the ds-changelog-num-excluded-user-attributes attribute, and the count of removed operational attributes in the ds-changelog-num-excluded-operational-attributes attribute.
    $ bin/dsconfig set-backend-prop --backend-name "changelog" \
      --set "report-excluded-changelog-attributes:attribute-counts"
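As an added verification step (example code written for this page, not part of the product or its documentation), search cn=changelog as a user that does not hold bypass-acl, save the result as LDIF, and run it through the audit below: it reports the excluded-attribute counts per entry and flags any restricted attribute that is still visible in the changes payload. The sample LDIF is constructed, and the changeNumber and changes attributes are assumed to follow the standard changelog entry format.

```python
import base64

# Constructed sample, not from the page: two cn=changelog entries as an LDIF export of
# the search would show them. `changes::` is the base64-encoded modification list.
_C7 = base64.b64encode(b"replace: mail\nmail: jdoe@example.com\n-\n").decode()
_C8 = base64.b64encode(b"replace: userPassword\nuserPassword: {SSHA}placeholder\n-\n").decode()
SAMPLE_LDIF = f"""\
dn: changeNumber=7,cn=changelog
changeNumber: 7
changes:: {_C7}
ds-changelog-num-excluded-user-attributes: 1
ds-changelog-num-excluded-operational-attributes: 1

dn: changeNumber=8,cn=changelog
changeNumber: 8
changes:: {_C8}
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold wrapped lines, decode '::' base64 values, one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # ldapsearch folds long lines (e.g. changes::)
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = []
    for block in "\n".join(lines).strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit_changelog(ldif_text, restricted=("userPassword",)):
    """Per entry: server-reported excluded counts, attributes named in the modify payload, restricted ones still visible."""
    report = []
    for e in parse_ldif(ldif_text):
        changed = {l.partition(":")[2].strip() for l in e.get("changes", [""])[0].splitlines()
                   if l.startswith(("add:", "replace:", "delete:"))}
        report.append({
            "changeNumber": int(e["changeNumber"][0]),
            "excluded_user": int(e.get("ds-changelog-num-excluded-user-attributes", ["0"])[0]),
            "excluded_operational": int(e.get("ds-changelog-num-excluded-operational-attributes", ["0"])[0]),
            "changed": sorted(changed),
            "leaked": sorted(a for a in changed if a.lower() in {r.lower() for r in restricted}),
        })
    return report
```

An entry with non-zero excluded counts and no leaked attributes shows filtering is in effect for that user; an entry like changeNumber 8 in the sample, where userPassword is still present, shows it is not.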