External client applications can change the contents of attributes seen in the targeted entry based on the access control rules applied to the associated base DN.

Attribute Description

apply-access-controls-to-changelog-entry-contents

Indicates whether the contents of changelog entry attributes, such as changes, deletedEntryAttrs, ds-changelog-entry-key-attr-values, ds-changelog-before-values, and ds-changelog-after-values, are subject to access control and sensitive attribute evaluation to limit data that LDAP clients can see. The client must have the access control permissions to read changelog entries to retrieve them in any form. If this feature is enabled and the client does not have permission to read an entry at all, or if that client does not have permission to see any attributes that were targeted by the change, then the associated changelog entries targeted by those operations are suppressed. If a client does not have permission to see certain attributes within the target entry, then references to those attributes in the changelog entry are also suppressed. This property only applies to standard LDAP searches of the cn=changelog branch.

report-excluded-changelog-attributes

Indicates whether to include additional information about any attributes that might have been removed due to access control filtering. This property only applies to content removed as a result of processing performed by the apply-access-controls-to-changelog-entry-contents property. Possible values are:

none

Indicates that changelog entries should not include any information about attributes that have been removed.

attribute-counts

Indicates that changelog entries should include a count of the user and operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, the number of excluded user attributes is reported in the ds-changelog-num-excluded-user-attributes attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, the number of excluded operational attributes is reported in the ds-changelog-num-excluded-operational-attributes attribute of the changelog entry. Both ds-changelog-num-excluded-user-attributes and ds-changelog-num-excluded-operational-attributes are operational attributes and are returned only if clients request them explicitly or request all operational attributes using +.

attribute-names

Indicates that changelog entries should include the names of the user and operational attributes that have been removed. If any user attribute information was excluded from a changelog entry, the names of the excluded user attributes are reported in the ds-changelog-excluded-user-attribute attribute of the changelog entry. If any operational attribute information was excluded from a changelog entry, the names of the excluded operational attributes are reported in the ds-changelog-excluded-operational-attribute attribute of the changelog entry. Both ds-changelog-excluded-user-attribute and ds-changelog-excluded-operational-attribute are operational attributes and are returned only if clients request them explicitly or request all operational attributes using +.