Change logging

The change log is a set of entries in the directory that contain information about changes to objects. Depending on configuration options, information about a change to a TDBM, LDBM, or CDBM entry, to the LDAP server schema entry (cn=schema), or to an object controlled by an application (for example, a RACF® user, group, user-group connection, or general resource profile) can be saved in a change log entry. An LDAP search operation can be used to retrieve change log entries to obtain information about what changes have taken place.

Each LDAP server contains one change log. Change log entries are created in the same order as the changes are made, and each entry is identified by a change number. Change numbers begin at 1 and are incremented each time a number is assigned to a new change log entry, so the change number of a new entry is always greater than every change number already in the change log.

The change log is implemented in the GDBM backend. The change log uses a hard-coded suffix, cn=changelog. This suffix is a semi-reserved name when the GDBM backend is configured. The change log root (cn=changelog) must not overlap any suffix in any TDBM, SDBM, or LDBM backend, and the change log suffix cannot be the source or target of a rename operation. If GDBM is not configured, the user can use cn=changelog as a 'normal' suffix in a TDBM, SDBM, or LDBM backend. However, this is not recommended, because that suffix would have to be renamed to avoid an overlap if GDBM is configured in the future.

Change logging is enabled by configuring GDBM in the LDAP server configuration file. Change log processing is controlled by configuration options in the GDBM backend. The changeLogging configuration option turns change logging on or off. The changeLogMaxEntries and changeLogMaxAge configuration options determine when removal of old change log entries takes place. See Customizing the LDAP server configuration for more information. If the changeLogMaxEntries and changeLogMaxAge configuration options are not specified or are both set to 0, there are no limits on the size of the change log. With this configuration, the change log must be pruned manually and periodically by an LDAP root or directory data administrator to prevent it from exhausting all available space in the z/OS® UNIX System Services directory or in Db2®.
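The two mechanisms described above, a consumer tracking its position by change number and the retention rule driven by changeLogMaxEntries and changeLogMaxAge, are easier to reason about with a small worked example. The following Python script is an added illustration, not IBM's code: it parses a constructed ldapsearch-style LDIF listing of cn=changelog, returns the entries a consumer has not yet processed, and reports which entries the configured limits would remove (with both limits at 0 meaning nothing is removed automatically). The attribute names changenumber, changetype, targetdn and changetime follow the common LDAP change log schema and are an assumption here, as is treating changeLogMaxAge as a number of seconds; check the configuration reference for the exact option semantics.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what "ldapsearch -b cn=changelog" might return.
# Attribute names are assumed from the common change log schema.
SAMPLE_LDIF = """\
dn: changenumber=1,cn=changelog
changenumber: 1
changetype: add
targetdn: cn=alice,o=example
changetime: 20240101100000Z

dn: changenumber=2,cn=changelog
changenumber: 2
changetype: modify
targetdn: cn=alice,o=example
changetime: 20240101110000Z

dn: changenumber=3,cn=changelog
changenumber: 3
changetype: add
targetdn: cn=bob,o=example
changetime: 20240101120000Z

dn: changenumber=4,cn=changelog
changenumber: 4
changetype: modify
targetdn: cn=schema
changetime: 20240101130000Z

dn: changenumber=5,cn=changelog
changenumber: 5
changetype: delete
targetdn: cn=bob,o=example
changetime: 20240101140000Z
"""

# Fixed "current time" so the pruning example is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 1, 1, 15, 0, tzinfo=timezone.utc)


def parse_changelog_ldif(text):
    """Parse simple 'attr: value' LDIF into dicts keyed by lowercased attribute.

    Base64 values ('attr:: ...') and line continuations are not needed here.
    Entries are returned sorted by change number, oldest first.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()] = value.strip()
        entry["changenumber"] = int(entry["changenumber"])
        entry["changetime"] = datetime.strptime(entry["changetime"], "%Y%m%d%H%M%S%z")
        entries.append(entry)
    return sorted(entries, key=lambda e: e["changenumber"])


def entries_since(entries, last_seen):
    """Return entries a consumer has not processed yet.

    Change numbers are assigned in increasing order starting at 1, so a
    consumer only has to remember the highest number it has already seen.
    Duplicate numbers would mean the log was rebuilt or tampered with.
    """
    numbers = [e["changenumber"] for e in entries]
    if len(set(numbers)) != len(numbers):
        raise ValueError("duplicate change numbers in change log")
    return [e for e in entries if e["changenumber"] > last_seen]


def plan_pruning(entries, max_entries=0, max_age_seconds=0, now=None):
    """Return the change numbers the configured limits would remove.

    Both limits 0 (or unset) means the change log is unbounded and an
    administrator must prune it by hand. changeLogMaxAge is assumed to be
    in seconds (assumption, not taken from the page).
    """
    if max_entries == 0 and max_age_seconds == 0:
        return []
    now = now or datetime.now(timezone.utc)
    to_remove = set()
    if max_age_seconds > 0:
        cutoff = now - timedelta(seconds=max_age_seconds)
        to_remove.update(e["changenumber"] for e in entries if e["changetime"] < cutoff)
    if max_entries > 0 and len(entries) > max_entries:
        # Sorted ascending, so the oldest entries are at the front.
        to_remove.update(e["changenumber"] for e in entries[: len(entries) - max_entries])
    return sorted(to_remove)


if __name__ == "__main__":
    log = parse_changelog_ldif(SAMPLE_LDIF)
    for e in entries_since(log, last_seen=3):
        print(e["changenumber"], e["changetype"], e["targetdn"])
    print("would prune:", plan_pruning(log, max_entries=2, max_age_seconds=10800, now=SAMPLE_NOW))
```

A consumer that persists only its highest processed change number can resume after a restart by searching cn=changelog for entries with a greater number; the pruning helper makes it visible that a pure changeLogMaxEntries limit and a pure changeLogMaxAge limit can remove different sets of entries, and that leaving both at 0 shifts the whole retention burden to the administrator.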

The changeLoggingParticipant configuration option can be used to specify whether an LDBM, TDBM, or CDBM backend wants change log entries to be created for changes to entries in that backend. Similarly, the option can be specified in the GDBM backend to determine whether a change log entry should be created for a change to the LDAP server schema. If the option is not specified for a TDBM, LDBM, CDBM, or GDBM backend, the default is to create change log entries for changes to that TDBM, LDBM, or CDBM backend, or to the LDAP server schema.

If the GDBM backend is configured and the cn=changelog root entry does not exist in the GDBM backend when the server is started, the LDAP server generates the root entry. The root entry is created with a propagated ACL that gives an LDAP root or directory data administrator update access to the change log. All other administrators have read access to the change log. The ACL is propagated to the change log entries. Use an LDAP modify operation to change this ACL to one appropriate for the intended use of the change log. The aclEntry and entryOwner attributes are the only attributes that can be modified. The aclPropagate and ownerPropagate attributes are always TRUE.

Modifications to the change log are not logged. This means that no change sequence number will be returned for a persistent search request issued for the change log (cn=changelog).