The PingDirectory Server and the Nokia 8661 Directory Server require the following
advanced global change log properties:
changelog-max-before-after-values
and
changelog-include-key-attribute
.
These properties are enabled and configured during the
create-sync-pipe-config
configuration process on PingDirectory Server. The properties can also be enabled on the directory servers
by using the dsconfig
advanced properties setting on the Backend
Changelog menu.
changelog-include-key-attribute
The changelog-include-key-attribute
property specifies one or more
attributes that should always be included in the change log entry. These are
attributes needed to correlate entries between the source and destination, such as
uid
, employeeNumber
, or mail
.
These properties are also needed for evaluating any filters in the Sync Class. For
example, if notifications are only sent for user entries, and the Sync Class
included the filter (objectclass=people)
, the
objectclass
attribute must be configured as a
changelog-include-key-attribute
so that the Sync Pipe can
evaluate the inclusion criteria when processing the change. In standard mode, values
needed in the filter are read from the entry itself after it is fetched instead of
from the changelog entry. These attributes are always included in a change log
entry, also called a change record, regardless if they have changed or not.
The changelog-include-key-attribute
property causes the current
(after-change) value of the specified attributes to be recorded in the
ds-changelog-entry-key-attr-values
attribute on the change log
entry. This applies for all change types. During a delete operation, the values are
from the entry before it was deleted. The key values are recorded on every change
and override any settings configured in the
changelog-include-attribute
,
changelog-exclude-attribute
,
changelog-deleted-entry-include-attribute
, or
changelog-deleted-entry- exclude-attribute
properties in the
directory server changelog (see the Ping Identity PingDirectoryServer Configuration
Reference for more information).
Normal LDAP to LDAP synchronization topologies typically use dn
as a
correlation attribute. If dn
is used as a correlation attribute
only, the changelog-include-key-attribute
property does not need to
be set. However, if another attribute is used for correlation, this property must be
set during the Sync Pipe configuration.
The LDAP change log attribute, ds-changelog-entry-key-attr-values
,
stores the attribute that is always included in a change log entry on every change
for correlation purposes. In addition to regular attributes, virtual and operational
attributes can be specified as entry keys.
To view an example, see the Ping Identity PingDirectory Server Administration Guide.
changelog-max-before-after-values
The changelog-max-before-after-values
property specifies the maximum
number of "before and after" values (default 200) that should be stored for any
changed attribute in the change log. Also, when enabled, it will add the
ds-changelog-before-values
and
ds-changelog-after-values
attributes to any change record that
contains changes (for Modify and ModifyDN).
The main purpose of the changelog-max-before-after-values
property
is to ensure that an excessively large number of changes is not stored for
multi-valued attributes. In most cases, the directory server’s schema defines a
multi-valued attribute to be unlimited in an entry. For example, if a group entry
whose member attribute references 10000 entries, the desire may be to not have all
of the attributes if a new member added.
If either the ds-changelog-before-values
or the
ds-changelog-after-values
attributes exceed the count set in
the changelog-max-before-after-values
property, the attribute
values are no longer stored in a change record but its attribute name and number is
stored in the ds-changelog-attr-exceeded-max-values-count
attribute, which appears in the change record.
In addition to this property, set the use-reversible-form
property
to TRUE
. This guarantees that sufficient information is stored in
the change log for all operation types to be able to replay the operations at the
destination. The create-sync-pipe-config
tool configures these
properties when it prepares the servers.
The changelog-max-before-after-values
property configures the
following change log attributes:
-
ds-changelog-before-values
– Captures all "before" values of a changed attribute. It will store up to the specified value in thechangelog-max-before-after-values
property (default 200). -
ds-changelog-after-values
– Captures all "after" values of a changed attribute. It will store up to the specified value in thechangelog-max-before-after-values
property (default 200). -
ds-changelog-attr-exceeded-max-values-count
– Stores the attribute names and number of before and after values on the change log entry after the maximum number of values (set by thechangelog-max-before-after-values
property) has been exceeded. This is a multi-valued attribute with the following format:attr=attributeName,beforeCount=200,afterCount=201
where
attributeName
is the name of the attribute and thebeforeCount
andafterCount
are the total number of values for that attribute before and after the change, respectively. In either case (before or after the change), if the number of values is exceeding the maximum, those values will not be stored.