Enabling access control filtering in the LDAP changelog - PingDirectory - 9.0

PingDirectory

bundle: pingdirectory-90
ft:publication_title: PingDirectory
Product_Version_ce: PingDirectory 9.0
category: Product; pd-90; pingdirectory
ContentType_ce

Use the dsconfig tool to enable the properties to the changelog backend to set up access control to the LDAP changelog.

Only admin users with the bypass-acl privilege can read the changelog.

To allow LDAP clients to undergo access control filtering using standard LDAP searches of the cn=changelog backend, enable the apply-access-control-to-changelog-entry-contents property.

Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from an PingDataSync Server that has the filter-changes-by-user Sync Pipe property set.
```
$ bin/dsconfig set-backend-prop --backend-name "changelog" \
  --set "apply-access-controls-to-changelog-entry-contents:true"
```
To include a count of users that have been removed through access control filtering, set the report-excluded-changelog-attributes property.

The count appears in the ds-changelog-num-excluded-user-attributes attribute for users and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.
```
 $ bin/dsconfig set-backend-prop --backend-name "changelog" \
  --set "report-excluded-changelog-attributes:attribute-counts"
```