Change log entries

The change log consists of:
  • One root (suffix) entry, named cn=changelog.
  • One or more leaf entries, named changenumber=nnn,cn=changelog.
root entry
The change log root entry is generated by the LDAP server, when change logging is first enabled. The root entry cannot be created, renamed, or deleted by the user. The generated root entry contains a propagated ACL that allows an LDAP root or directory data administrator update access to the change log. All other administrators have read access to the change log. An appropriately authorized user can modify the root entry to change the ACL. Operations on the change log root are not replicated and do not result in the creation of a change log entry.
The generated root entry is:
dn: cn=changelog
objectclass: container
cn: changelog
aclentry: group:cn=Anybody
aclPropagate: TRUE
entryowner: access-id:adminDN
ownerPropagate: TRUE

The change log root entry should be modified using the modify operation to set access control for the change log. Only the aclEntry and entryOwner attributes can be modified. When GDBM is configured to be file-based, the aclEntry and entryOwner attributes can be entirely deleted, in which case the default ACL is used. See Default ACLs with LDBM or TDBM for more information. When GDBM is configured to be Db2®-based, these attributes cannot be entirely deleted. The root entry ACL is always propagated to provide access control to the change log entries because change log entries are not created with their own ACL. The change log root entry can be modified if change logging is enabled (the GDBM backend is configured), even if change logging is not on.

leaf entry
Each change log entry is created as a leaf entry directly under the change log root entry, using the changeLogEntry and ibm-changelog objectclasses and attributes as described above.
  • Change log entries are only created by the LDAP server. The user cannot directly add a change log entry. Also, the user cannot modify or rename a change log entry. Change log entries inherit the ACL of the change log root entry.
  • Change log entries are deleted by the LDAP server when the change log is trimmed because of reaching a limit specified by the changeLogMaxEntries and changeLogMaxAge options in the configuration file. Change log entries can also be deleted by the user through a normal delete operation.
  • User operations (search, compare, delete) on change log entries are allowed if change logging is enabled (the GDBM backend is configured), even if change logging is off. Add and trim operations by the LDAP server are not performed when change logging is off.
  • If the GDBM backend is in read-only mode, delete and modify operations are not allowed. Add and trim operations by the LDAP server are not performed.
  • Operations on change log entries are not replicated and do not result in the creation of change log entries.
The following is an example of a change log entry created by RACF®:
dn: CHANGENUMBER=1815,CN=CHANGELOG
objectclass: CHANGELOGENTRY
objectclass: IBM-CHANGELOG
objectclass: TOP
changenumber: 1815
targetdn: RACFID=KEN,PROFILETYPE=USER,CN=MYRACF
changetime: 20030611161820.374472Z
changetype: MODIFY
changes: replace: racfPassPhrase
racfPassPhrase: *ComeAndGetIt*
-

ibm-changeinitiatorsname: RACFID=SUADMIN,PROFILETYPE=USER,CN=MYRACF
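As an added example (not part of the IBM documentation), the Python below parses change log leaf entries in the layout shown above and flags modifications to sensitive attributes, which is what an auditor consuming the change log would typically want. It assumes the multi-line changes value ends at the blank line, and the set of sensitive attribute names is an illustrative assumption.

```python
"""Parse change log leaf entries (changeLogEntry / ibm-changelog) and flag
modifications of sensitive attributes. Example code, not IBM's."""
from dataclasses import dataclass, field

# Assumption: attributes whose modification an auditor wants to review.
SENSITIVE_ATTRS = {"racfpassphrase", "racfpassword", "userpassword"}

# The change log entry shown in the documentation above, embedded as sample input.
SAMPLE = """dn: CHANGENUMBER=1815,CN=CHANGELOG
objectclass: CHANGELOGENTRY
objectclass: IBM-CHANGELOG
objectclass: TOP
changenumber: 1815
targetdn: RACFID=KEN,PROFILETYPE=USER,CN=MYRACF
changetime: 20030611161820.374472Z
changetype: MODIFY
changes: replace: racfPassPhrase
racfPassPhrase: *ComeAndGetIt*
-

ibm-changeinitiatorsname: RACFID=SUADMIN,PROFILETYPE=USER,CN=MYRACF
"""

@dataclass
class ChangeLogEntry:
    changenumber: int
    targetdn: str
    changetime: str
    changetype: str
    initiator: str
    mods: list = field(default_factory=list)  # [(op, attr, [values]), ...]

def parse_changes(body):
    """Parse the LDIF-style mod body: 'op: attr', 'attr: value'*, '-'."""
    mods, op, attr, values = [], None, None, []
    for line in body:
        if line == "-":                      # end of one modification
            mods.append((op, attr, values)); op = attr = None; values = []
        elif op is None:                     # 'replace: racfPassPhrase'
            op, attr = [s.strip() for s in line.split(":", 1)]
        else:                                # 'racfPassPhrase: value'
            values.append(line.split(":", 1)[1].strip())
    if op is not None:                       # body without trailing '-'
        mods.append((op, attr, values))
    return mods

def parse_entry(text):
    """Split a single entry into attributes; 'changes' runs to the blank line."""
    fields, body, in_changes = {}, [], False
    for line in text.splitlines():
        if in_changes:
            if line.strip() == "":           # assumption: blank line ends changes
                in_changes = False
            else:
                body.append(line)
            continue
        if not line.strip():
            continue
        name, value = [s.strip() for s in line.split(":", 1)]
        if name.lower() == "changes":
            in_changes = True; body.append(value)
        else:
            fields.setdefault(name.lower(), []).append(value)
    return ChangeLogEntry(int(fields["changenumber"][0]), fields["targetdn"][0],
                          fields["changetime"][0], fields["changetype"][0].upper(),
                          fields.get("ibm-changeinitiatorsname", ["?"])[0],
                          parse_changes(body))

def sensitive_mods(entry):
    """Return (op, attr) for each modification touching a sensitive attribute."""
    return [(op, a) for op, a, _ in entry.mods if a.lower() in SENSITIVE_ATTRS]
```

Because the change log stores the new value of the modified attribute, the ACL propagated from cn=changelog is what keeps such values from being readable by ordinary users.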