Tracking access and changes to the LDAP directory
Use this information to track access and changes to your LDAP directory.
You can use the LDAP directory's change log to keep track
of changes to the directory. The change log is located under the special
suffix cn=changelog. It is stored in the QUSRDIRCL
library.
To enable the change log, follow these steps:
The changeLogEntry object class is used
to represent the changes applied to the directory server. The set
of changes is given by the ordered set of all entries within the change
log container as defined by changeNumber. The change
log information is read-only.
Any user who is on the access
control list for the cn=changelog suffix can search
the entries in the change log. Searching is the only operation you
should perform on the change log suffix, cn=changelog. Do not attempt
to add, change, or delete the change log suffix, even if you have
authority to do so. Doing so causes unpredictable results.
The following example uses the ldapsearch command line utility to retrieve all change log entries logged on the server:
ldapsearch -h ldaphost -D cn=administrator -w password -b cn=changelog "(changetype=*)"
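Because the set of changes is defined by changeNumber order, a review of the search output should sort entries numerically and note which change numbers were not returned. The following is an added example, not IBM's code: it assumes the output was saved in LDIF form, that targetdn names the changed entry, and that change numbers are assigned consecutively, and its sample entries are constructed.

```python
import base64

# Constructed sample, not real server output: unordered, one folded line, one base64 value.
SAMPLE_LDIF = """\
dn: changenumber=10,cn=changelog
changenumber: 10
targetdn: cn=Bob,ou=people,
 o=example
changetype: delete

dn: changenumber=2,cn=changelog
changenumber: 2
targetdn:: Y249QWxpY2Usbz1leGFtcGxl
changetype: modify

dn: changenumber=9,cn=changelog
changenumber: 9
targetdn: cn=Carol,o=example
changetype: add
"""

def parse_ldif(text):
    """Split LDIF text into entries: {lowercased attribute: [values]}."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def timeline(entries):
    """(changeNumber, changetype, targetdn) tuples in numeric changeNumber order."""
    return sorted((int(e["changenumber"][0]), e.get("changetype", ["?"])[0],
                   e.get("targetdn", ["?"])[0])
                  for e in entries if "changenumber" in e)

def missing_numbers(rows):
    """changeNumbers absent between the lowest and highest retrieved."""
    seen = {n for n, _, _ in rows}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []

rows = timeline(parse_ldif(SAMPLE_LDIF))
print(rows, "not retrieved:", missing_numbers(rows))
```

A plain text sort would place change 10 before change 2, which is why the numbers are converted to integers before ordering.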