changeLogAddEntry

  • Name: changeLogAddEntry
  • Description: Causes the LDAP server to create a change log entry in the change log by using information passed to the extended operation. All input values must be in UTF8.
  • Assigned object identifier: 1.3.18.0.2.12.48
  • Values: The following ASN.1 syntax describes the BER encoding of the request value.
    RequestValue ::= SEQUENCE {
        version                       INTEGER,
        applicationID                 INTEGER,
        userid                        OCTET STRING,
        group                         OCTET STRING,
        class                         OCTET STRING,
        resource                      OCTET STRING,
        changeType                    INTEGER {
                                          add (0),
                                          delete (1),
                                          modify (2),
                                          rename (3) },
        changeTime                    OCTET STRING,
        initiator                     OCTET STRING,
        changes                       SEQUENCE OF changeAttributeList OPTIONAL }

    Where,

    version - Identifies which version of the interface is being used. Currently the only supported value is 2. If the interface is extended in the future, other values will be supported.

    applicationID - 1 for RACF®. Other applications have different identifiers. The identifier tells the LDAP server which translations of the data, if any, should be done.

    userid - A string containing the user ID that is created, modified, deleted, or renamed. This string is used to form the value of the targetDN attribute in the change log entry.

    group - For the RACF application, a string containing the group that is created, modified, deleted, or renamed. The RACF application can specify a value for both user ID and group to indicate that the change is to the connection of that user to that group. This string is used to form the value of the targetDN attribute in the change log entry.

    class - A string containing the class of the resource profile that is created, modified, deleted, or renamed. This string is used along with the resource string to form a resource profile DN as the value of the targetDN attribute in the change log entry.

    resource - A string containing the resource profile that is created, modified, deleted, or renamed. This string is used along with the class string to form a resource profile DN as the value of the targetDN attribute in the change log entry.

    changeType - An integer value indicating the type of change. This is used to form the value of the changeType attribute in the change log entry.

    changeTime - A string of decimal digits, used to form the changeTime attribute in the change log entry. The format of the string is: yyyymmddhhiiss.uuuuuuZ

    Where,

    yyyy is the year, mm is the month, dd is the day, hh is the hour, ii is minutes, ss is seconds, uuuuuu is microseconds, and Z is a character constant meaning that this time is based on Coordinated Universal Time.

    initiator - A string containing the user ID that made the change. This string is used to form the value of the ibm-changeInitiatorsName attribute in the change log entry.

    changeAttributeList ::= SEQUENCE {
        field                         AttributeDescription,
        vals                          SEQUENCE OF AttributeValue,
        action                        ENUMERATED {
                                          add (0),
                                          replace (1),
                                          delete (2) },
        requestValue                  BOOLEAN }

    Where,

    field - The name of the attribute that has been changed. For RACF, this consists of the segment name followed by a period followed by the field name. LDAP maps the RACF segment and field name to an LDAP attribute name.

    vals - A BER representation (length and data) of the new attribute value.

    action - Describes what has happened to the attribute (value add, replace, or delete). To indicate that an entire attribute is deleted, specify an action of delete with no value in the vals field.

    requestValue - A flag that, if TRUE, indicates that the attribute value in the vals field is not present and should be requested from the application.

    The changeAttributeList values are used to form the changes attribute in the change log entry. If changeAttributeList is not specified, a change log entry is created without a changes attribute. This acts as a notification to the user of the change log that it should read the entire entry out of the directory tree.

  • Detailed description: Class and resource cannot be specified with user ID or group. Both class and resource must be specified if either one is specified. In this case, SDBM must be configured to support RACF resources, by specifying enableResources on in the SDBM section of the LDAP server configuration file.
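The request syntax and the constraints above, as an added example that is not part of this page or of the z/OS LDAP server: a Python encoder that builds the BER RequestValue by hand (universal tags, definite-form lengths) and checks the class/resource and changeTime rules before encoding. The user IDs, the RACF field name base.name and the timestamp are constructed samples; sending unused OCTET STRING fields as zero-length strings is an assumption, since the page does not say how an unused field is represented.

```python
"""changeLogAddEntry RequestValue (OID 1.3.18.0.2.12.48) encoded in BER by hand.
Added example, not z/OS LDAP server code and no LDAP library. Sending unused
OCTET STRING fields as zero-length strings is an assumption; the page does not
say how an unused field is represented."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Universal ASN.1 tag bytes (SEQUENCE carries the constructed bit).
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING = 0x01, 0x02, 0x04
TAG_ENUMERATED, TAG_SEQUENCE = 0x0A, 0x30
CHANGE_TYPES = {"add": 0, "delete": 1, "modify": 2, "rename": 3}  # changeType INTEGER
ACTIONS = {"add": 0, "replace": 1, "delete": 2}                   # action ENUMERATED
TIME_RE = re.compile(r"\d{14}\.\d{6}Z")                           # yyyymmddhhiiss.uuuuuuZ

def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value: int, tag: int = TAG_INTEGER) -> bytes:
    """Minimal two's-complement content; INTEGER and ENUMERATED share this encoding."""
    length = max(1, (value.bit_length() + 8) // 8)  # +8 leaves room for the sign bit
    return tlv(tag, value.to_bytes(length, "big", signed=True))

def ber_octet_string(text: str) -> bytes:
    return tlv(TAG_OCTET_STRING, text.encode("utf-8"))  # all input values must be UTF-8

def ber_boolean(flag: bool) -> bytes:
    return tlv(TAG_BOOLEAN, b"\xff" if flag else b"\x00")

@dataclass
class ChangeAttribute:
    """One changeAttributeList element."""
    field: str                   # RACF "segment.field"; "base.name" below is a constructed sample
    vals: List[str]
    action: str                  # "add" | "replace" | "delete"
    request_value: bool = False  # TRUE: vals omitted, consumer must ask the application

    def encode(self) -> bytes:
        vals = tlv(TAG_SEQUENCE, b"".join(ber_octet_string(v) for v in self.vals))
        return tlv(TAG_SEQUENCE, ber_octet_string(self.field) + vals
                   + ber_integer(ACTIONS[self.action], TAG_ENUMERATED)
                   + ber_boolean(self.request_value))

@dataclass
class ChangeLogAddEntryRequest:
    application_id: int           # 1 = RACF
    change_type: str              # key of CHANGE_TYPES
    change_time: str              # yyyymmddhhiiss.uuuuuuZ
    initiator: str
    userid: str = ""
    group: str = ""
    resource_class: str = ""      # ASN.1 field "class" (a Python keyword)
    resource: str = ""
    changes: Optional[List[ChangeAttribute]] = None
    version: int = 2              # the only version the page lists as supported

    def problems(self) -> List[str]:
        """Constraint checks taken from the page's field notes and detailed description."""
        out = []
        if self.change_type not in CHANGE_TYPES:
            out.append(f"unknown changeType {self.change_type!r}")
        if bool(self.resource_class) != bool(self.resource):
            out.append("class and resource must both be specified if either one is specified")
        if self.resource_class and (self.userid or self.group):
            out.append("class and resource cannot be specified with user ID or group")
        if not TIME_RE.fullmatch(self.change_time):
            out.append("changeTime must have the form yyyymmddhhiiss.uuuuuuZ")
        return out

    def encode(self) -> bytes:
        bad = self.problems()
        if bad:
            raise ValueError("; ".join(bad))
        body = (ber_integer(self.version) + ber_integer(self.application_id)
                + ber_octet_string(self.userid) + ber_octet_string(self.group)
                + ber_octet_string(self.resource_class) + ber_octet_string(self.resource)
                + ber_integer(CHANGE_TYPES[self.change_type])
                + ber_octet_string(self.change_time) + ber_octet_string(self.initiator))
        if self.changes is not None:  # OPTIONAL: absent tells the consumer to re-read the entry
            body += tlv(TAG_SEQUENCE, b"".join(c.encode() for c in self.changes))
        return tlv(TAG_SEQUENCE, body)

def sample_request(with_changes: bool = True) -> bytes:
    """Constructed sample: RACF (applicationID 1) modifies user USER01, initiated by ADMIN01."""
    changes = [ChangeAttribute("base.name", ["Sample User"], "replace")] if with_changes else None
    return ChangeLogAddEntryRequest(application_id=1, change_type="modify",
                                    change_time="20240101120000.000000Z", initiator="ADMIN01",
                                    userid="USER01", changes=changes).encode()

if __name__ == "__main__":
    print(sample_request().hex(" "))
```

The encoder validates before it serializes, so a request that violates the class/resource pairing rule is rejected locally instead of being sent and coming back as a valueOutOfRange or decodeFailed response. Omitting changes drops the trailing SEQUENCE OF entirely, which is how the OPTIONAL element signals that the consumer should read the whole entry from the directory.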
  • Response object identifier: 1.3.18.0.2.12.49
  • Response description: This response is used to return error information if an incorrect changeLogAddEntryRequest is passed to the LDAP server. If no errors are encountered, then an indication of success is returned to the caller. All output is in UTF8.
  • Response values: The following describes the response value.
    ResponseValue ::= SEQUENCE {
        changeLogresultCode           ENUMERATED {
                                          success                  (0),
                                          loggingFailed            (1),
                                          invalidCredentials       (2),
                                          remoteNotSupported       (3),
                                          notConfigured            (4),
                                          notActive                (5),
                                          decodeFailed             (6),
                                          valueOutOfRange          (7),
                                          dnConvertFailed          (8) },
        msg                           OCTET STRING }
  • Response detailed description:

    The following table summarizes some different error scenarios and the changeLogAddEntryRequest response returned for such scenarios.

    Error scenario                                                    changeLogAddEntryRequest response
    ----------------------------------------------------------------  ---------------------------------
    An internal error prevents the logging operation from completing  Returns a loggingFailed return code
    The caller is not in supervisor state                             Returns an invalidCredentials return code
    Change log is not configured                                      Returns a notConfigured return code
    Change log is not active                                          Returns a notActive return code
    LDAP server is unable to parse the request                        Returns a decodeFailed return code
    Value is outside the range of allowable values                    Returns a valueOutOfRange return code
    LDAP server is unable to convert a RACF user ID to an LDAP DN     Returns a dnConvertFailed return code
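Decoding the ResponseValue and mapping a result code back to the scenario table above, as an added example rather than code from this page or from the LDAP server: a strict BER reader that checks every tag and length boundary and rejects truncated, indefinite-form and trailing data instead of trusting the length bytes it receives. The sample responses, including the msg text, are constructed.

```python
"""changeLogAddEntry ResponseValue (OID 1.3.18.0.2.12.49) decoder.
Added example, not z/OS LDAP server code. The response is a flat
SEQUENCE { ENUMERATED, OCTET STRING }, so a small strict BER reader suffices.
Sample responses below are constructed; the page shows no real server output."""
from typing import Tuple

TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x04, 0x0A, 0x30

# changeLogresultCode values from the ResponseValue syntax.
RESULT_CODES = {0: "success", 1: "loggingFailed", 2: "invalidCredentials",
                3: "remoteNotSupported", 4: "notConfigured", 5: "notActive",
                6: "decodeFailed", 7: "valueOutOfRange", 8: "dnConvertFailed"}

# Scenario text from the page's error table (which has no row for remoteNotSupported).
SCENARIOS = {
    "loggingFailed": "An internal error prevents the logging operation from completing",
    "invalidCredentials": "The caller is not in supervisor state",
    "notConfigured": "Change log is not configured",
    "notActive": "Change log is not active",
    "decodeFailed": "LDAP server is unable to parse the request",
    "valueOutOfRange": "Value is outside the range of allowable values",
    "dnConvertFailed": "LDAP server is unable to convert a RACF user ID to an LDAP DN",
}

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos); rejects indefinite, oversized and truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F  # 0x80 itself is the indefinite form, which LDAP forbids
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("bad or indefinite length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_response(raw: bytes) -> Tuple[str, str]:
    """Return (result code name, msg); every tag and boundary is checked before use."""
    tag, seq, end = read_tlv(raw, 0)
    if tag != TAG_SEQUENCE or end != len(raw):
        raise ValueError("ResponseValue must be exactly one SEQUENCE")
    tag, code, pos = read_tlv(seq, 0)
    if tag != TAG_ENUMERATED or not 1 <= len(code) <= 4:
        raise ValueError("changeLogresultCode must be a small ENUMERATED")
    tag, msg, pos = read_tlv(seq, pos)
    if tag != TAG_OCTET_STRING or pos != len(seq):
        raise ValueError("msg must be the final OCTET STRING")
    value = int.from_bytes(code, "big", signed=True)
    return RESULT_CODES.get(value, f"unknown({value})"), msg.decode("utf-8")

def decode_or_error(raw: bytes) -> Tuple[str, str]:
    """Client-side wrapper: malformed bytes become ('malformed', reason), never an exception."""
    try:
        return decode_response(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return "malformed", str(exc)

def explain(raw: bytes) -> str:
    """One line for an operator's log: code, the page's scenario text, and the server msg."""
    name, msg = decode_or_error(raw)
    if name == "success":
        return "success: change log entry created"
    return f"{name}: {SCENARIOS.get(name, 'no scenario listed on the page')}; msg={msg!r}"

# Constructed samples (the msg text is invented, not real server output).
SAMPLE_SUCCESS = bytes.fromhex("30 05 0a 01 00 04 00")
SAMPLE_NOT_CONFIGURED = b"\x30\x1e\x0a\x01\x04\x04\x19" + b"change log not configured"
SAMPLE_TRUNCATED = b"\x30\x05\x0a\x01\x00"                   # length claims bytes that are absent
SAMPLE_INDEFINITE = b"\x30\x80\x0a\x01\x00\x04\x00\x00\x00"  # indefinite form, invalid in LDAP

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_NOT_CONFIGURED, SAMPLE_TRUNCATED, SAMPLE_INDEFINITE):
        print(explain(sample))
```

The reader caps long-form lengths at four bytes and refuses both the indefinite form and any bytes left over after the outer SEQUENCE, so a damaged or hostile response can only produce a local "malformed" result, never an out-of-bounds slice or a silently misread code.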