Initializing ACLs with GDBM

When the LDAP server is started with GDBM configured for the first time, the LDAP server creates the change log suffix entry, cn=changelog. The cn=changelog suffix entry is created with an entryOwner value set to the root administrator DN (the adminDN configuration option), while the aclEntry attribute value is set such that non-LDAP administrators do not have access to the change log entries. The aclEntry and entryOwner values are propagated throughout the GDBM backend. The ACL for the GDBM backend is:
aclEntry: group=cn=Anybody

Only the aclEntry and entryOwner attributes of the cn=changelog entry can be modified. LDAP administrators with the appropriate authority can also access the change log entries. See Administrative group and roles for more information about administrative role authority.

When GDBM is configured to be file-based, the aclEntry and entryOwner attributes can be deleted entirely, in which case the default ACL is used. See Default ACLs with LDBM or TDBM for more information. When GDBM is configured to be Db2®-based, these attributes cannot be deleted entirely. The root entry ACL is always propagated to provide access control for the change log entries, because change log entries are not created with their own ACL. The change log root entry can be modified whenever change logging is enabled (that is, the GDBM backend is configured), even if change logging is not turned on. Change log entries cannot be modified to override the ACL values they inherit from the change log suffix entry.
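The following LDIF, written as an added example and not part of this documentation, shows the two kinds of change the text permits on the cn=changelog entry. The first record grants a hypothetical auditor group read, search and compare access (the group DN cn=Auditors,o=example is an assumption, and the aclEntry value format follows the z/OS LDAP aclEntry syntax, subjectType:DN:attributeClass:permissions; check it against the server's ACL documentation). The second record removes both attributes, which the text allows only for a file-based GDBM backend; against a Db2-based GDBM it is expected to be rejected.

```ldif
# Record 1: narrow the inherited ACL so that a specific group can read
# change log entries. Because cn=changelog is the only entry in GDBM
# with its own ACL, this value propagates to every change log entry.
# The group DN below is a constructed example value.
dn: cn=changelog
changetype: modify
replace: aclEntry
aclEntry: group:cn=Auditors,o=example:normal:rsc:sensitive:rsc:critical:rsc
-
replace: entryOwner
entryOwner: access-id:cn=Admin,o=example

# Record 2 (file-based GDBM only): drop both attributes so that the
# default ACL applies again. A Db2-based GDBM will not accept this.
dn: cn=changelog
changetype: modify
delete: aclEntry
-
delete: entryOwner
```

Apply the file with ldapmodify bound as the root administrator (the adminDN), since only an administrator with the appropriate authority may change these two attributes; applying the first record alone is the usual, narrower change.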