Change log entries
- One root (suffix) entry, named cn=changelog.
- One or more leaf entries, named changenumber=nnn,cn=changelog.
- root entry
- The change log root entry is generated by the LDAP server when change logging is first enabled. The root entry cannot be created, renamed, or deleted by the user. The generated root entry contains a propagated ACL that allows an LDAP root or directory data administrator update access to the change log. All other administrators have read access to the change log. An appropriately authorized user can modify the root entry to change the ACL. Operations on the change log root are not replicated and do not result in the creation of a change log entry. The generated root entry is:
dn: cn=changelog
objectclass: container
cn: changelog
aclentry: group:cn=Anybody
aclPropagate: TRUE
entryowner: access-id:adminDN
ownerPropagate: TRUE
The change log root entry should be modified using the modify operation to set access control for the change log. Only the aclEntry and entryOwner attributes can be modified. When GDBM is configured to be file-based, the aclEntry and entryOwner attributes can be entirely deleted, in which case the default ACL is used. See Default ACLs with LDBM or TDBM for more information. When GDBM is configured to be Db2®-based, these attributes cannot be entirely deleted. The root entry ACL is always propagated to provide access control to the change log entries because change log entries are not created with their own ACL. The change log root entry can be modified if change logging is enabled (the GDBM backend is configured), even if change logging is not on.
- leaf entry
- Each change log entry is created as a leaf entry directly under the change log root entry, using the changeLogEntry and ibm-changelog objectclasses and attributes as described above.
- Change log entries are only created by the LDAP server. The user cannot directly add a change log entry. Also, the user cannot modify or rename a change log entry. Change log entries inherit the ACL of the change log root entry.
- Change log entries are deleted by the LDAP server when the change log is trimmed because of reaching a limit specified by the changeLogMaxEntries and changeLogMaxAge options in the configuration file. Change log entries can also be deleted by the user through a normal delete operation.
- User operations (search, compare, delete) on change log entries are allowed if change logging is enabled (the GDBM backend is configured), even if change logging is off. Add and trim operations by the LDAP server are not performed when change logging is off.
- If the GDBM backend is in read-only mode, delete and modify operations are not allowed. Add and trim operations by the LDAP server are not performed.
- Operations on change log entries are not replicated and do not result in the creation of change log entries.
An example change log entry:
dn: CHANGENUMBER=1815,CN=CHANGELOG
objectclass: CHANGELOGENTRY
objectclass: IBM-CHANGELOG
objectclass: TOP
changenumber: 1815
targetdn: RACFID=KEN,PROFILETYPE=USER,CN=MYRACF
changetime: 20030611161820.374472Z
changetype: MODIFY
changes: replace: racfPassPhrase
racfPassPhrase: *ComeAndGetIt*
-
ibm-changeinitiatorsname: RACFID=SUADMIN,PROFILETYPE=USER,CN=MYRACF
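As an added example (not code from the IBM documentation), the following Python parses a change log entry in the form shown above into a record a monitoring job could act on: it splits the changes attribute into its '-'-terminated modifications, reports which attributes were touched, and checks the entry's age against changeLogMaxAge, which this example assumes is expressed in seconds. The sample input is a constructed copy of the entry above.

```python
from datetime import datetime, timezone

SAMPLE_ENTRY = """dn: CHANGENUMBER=1815,CN=CHANGELOG
objectclass: CHANGELOGENTRY
objectclass: IBM-CHANGELOG
objectclass: TOP
changenumber: 1815
targetdn: RACFID=KEN,PROFILETYPE=USER,CN=MYRACF
changetime: 20030611161820.374472Z
changetype: MODIFY
changes: replace: racfPassPhrase
racfPassPhrase: *ComeAndGetIt*
-
ibm-changeinitiatorsname: RACFID=SUADMIN,PROFILETYPE=USER,CN=MYRACF
"""  # constructed sample: the change log entry shown on this page
MOD_OPS = ("add", "delete", "replace")

def parse_changelog_entry(text):
    """Parse one entry into {lowercased attribute: [values]}; the 'changes' value
    becomes a list of {op, attr, values}, one per '-'-terminated modification."""
    entry, cur = {"changes": []}, None        # cur: modification being collected
    for line in [l for l in text.splitlines() if l.strip()]:
        name, _, value = line.partition(": ")
        if name.lower() == "changes":          # first '<op>: <attr>' is on this line
            name, _, value = value.partition(": ")
        if line == "-":                        # end of one modification
            entry["changes"].append(cur); cur = None
        elif cur is not None:                  # value line inside a modification
            cur["values"].append(value)
        elif name.lower() in MOD_OPS:          # start of a modification
            cur = {"op": name.lower(), "attr": value, "values": []}
        else:                                  # ordinary top-level attribute
            entry.setdefault(name.lower(), []).append(value)
    if cur: entry["changes"].append(cur)       # tolerate a missing final '-'
    return entry

def changed_attributes(entry):
    """Attribute names touched by the recorded modifications (lowercased)."""
    return {m["attr"].lower() for m in entry["changes"]}

def parse_changetime(value):
    """changetime is UTC generalized time, e.g. 20030611161820.374472Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)

def is_trim_candidate(entry, max_age_seconds, now):
    """True if the entry is older than changeLogMaxAge (assumed to be in
    seconds), i.e. the server would delete it at its next trim."""
    age = (now - parse_changetime(entry["changetime"][0])).total_seconds()
    return age > max_age_seconds
```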