Enabling access control filtering in the LDAP changelog - PingDirectory

Page created: 15 Jul 2022 |

Page updated: 20 Jan 2023

| 1 min read

9.2 Product PingDirectory Directory Capability Product documentation Content Type Administration User task Configuration IT Administrator Administrator Audience Software Deployment Method LDAP Standards, specifications, and protocols

Use the dsconfig tool to enable the properties to the changelog backend to set up access control to the LDAP changelog.

Only admin users with the bypass-acl privilege can read the changelog.

To allow LDAP clients to undergo access control filtering using standard LDAP searches of the cn=changelog backend, enable the apply-access-control-to-changelog-entry-contents property.

Access control filtering is applied regardless of the value of the apply-access-controls-to-changelog-entry-contents setting when the changelog backend is servicing requests from a PingDirectory server that has the filter-changes-by-user Sync Pipe property set.
```
$ bin/dsconfig set-backend-prop --backend-name "changelog" \
  --set "apply-access-controls-to-changelog-entry-contents:true"
```
To include a count of users that have been removed through access control filtering, set the report-excluded-changelog-attributes property.

The count appears in the ds-changelog-num-excluded-user-attributes attribute for users and in the ds-changelog-num-excluded-operational-attributes attribute for operational attributes.
```
 $ bin/dsconfig set-backend-prop --backend-name "changelog" \
  --set "report-excluded-changelog-attributes:attribute-counts"
```