Initializing ACLs with GDBM
The cn=changelog suffix entry is created with an entryOwner value set to the root administrator DN (adminDN configuration option), while the aclEntry attribute value is set such that non-LDAP administrators do not have access to the changelog entries. The aclEntry and entryOwner values are propagated in the GDBM backend. The ACL for the GDBM backend is:

aclEntry: group=cn=Anybody

Only the aclEntry and entryOwner attributes can be modified.

LDAP administrators with the appropriate authority can also access the changelog entries. See Administrative group and roles for more information about administrative role authority.

When GDBM is configured to be file-based, the aclEntry and entryOwner attributes can be entirely deleted, in which case the default ACL is used. See Default ACLs with LDBM or TDBM for more information. When GDBM is configured to be Db2®-based, these attributes cannot be entirely deleted. The root entry ACL is always propagated to provide access control to the change log entries because change log entries are not created with their own ACL. The change log root entry can be modified if change logging is enabled (the GDBM backend is configured), even if change logging is not on. Change log entries cannot be modified to override the inherited ACL values from the change log suffix entry.
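The following LDIF is an added illustration, not text from this page or from the product documentation it belongs to. It shows the only kind of change the page permits on the change log: replacing the aclEntry and entryOwner values on the cn=changelog suffix entry itself, so that the new values are inherited by every change log entry. The administrator DN cn=Admin,o=example, the group cn=Auditors,o=example, and the aclEntry value syntax subjectType:DN:attributeClass:permissions (with r, s and c as read, search and compare) are all assumptions for the sake of the example; check the actual syntax against the server's ACL reference before applying anything.

```ldif
# Constructed example: tighten ownership and grant a single audit group
# read-only access to the change log. Everything below is inherited by the
# change log entries, which have no ACL of their own.
dn: cn=changelog
changetype: modify
replace: entryOwner
# Assumed adminDN value; the real value comes from the server configuration.
entryOwner: access-id:cn=Admin,o=example
-
replace: aclEntry
# Keep the shipped value so that everyone else still has no access.
aclEntry: group=cn=Anybody
# Assumed group DN and permission syntax: read, search, compare only,
# no write, so the audit group cannot alter the log.
aclEntry: group:cn=Auditors,o=example:normal:rsc
```

Because change log entries cannot carry their own aclEntry or entryOwner, a modify that targets an individual entry under cn=changelog (for example dn: changenumber=42,cn=changelog) with these attributes is rejected; the suffix entry is the only place the ACL can be set, which keeps the access policy for the whole log in one auditable location.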