DSEE: Add attributes to changelog entry upon deletes.


Sun’s Directory Server 5.x has a facility called the Retro Change Log, intended to maintain compatibility with the 4.x versions of the directory server. Servers of the 4.x vintage are sometimes known as the Netscape Directory Server, and of course the Sun Directory Server has gone by many names. The Retro Change Log provides a list (or log, if you prefer) of changes that have occurred in the Directory Server database. LDAP has no trigger mechanism, so the Retro Change Log is often used in its place: applications read it and take action based on changes in the Sun Directory Server database.

By default, a Retro Change Log entry records the DN that was changed, which attributes were changed, and the changes that were made. The Retro Change Log also logs adds and deletes. For auditing and synchronization purposes it is important to know which DN requested a delete, but this information is not published by default in the changelog entry for a delete. To make the directory server log the modifiersName for deletes, the Retro Change Log plugin configuration must be changed so that modifiersName is in the list of attributes published for deleted entries. The configuration keyword is deletedEntryAttributes, and it must be configured in one of the nsslapd-pluginargX entries of the plugin. For example,

nsslapd-pluginarg0: deletedEntryAttributes=objectclass,cn,modifiersname

would cause the objectClass, cn, and modifiersName to be published in the changelog for a deleted entry.

The deletedEntryAttrs value usually appears base64-encoded in the changelog entry (written with the LDIF :: separator and folded across continuation lines), because it contains newlines and ends with a NUL byte, neither of which LDIF allows in a plain attr: value line. For example:

The changelog entry:

dn: changenumber=1203982,cn=changelog
objectClass: top
objectClass: changelogentry
targetDn: cn=test,dc=example,dc=com
changeTime: 20110512153432Z
changeType: delete
deletedEntryAttrs:: ZGVsZXRlOiBvYmplY3RjbGFzcwpvYmplY3RjbGFzczogdG9wCm9iamVjd
 GNsYXNzOiBwZXJzb24KLQpkZWxldGU6IGNuCmNuOiB0ZXN0Ci0KZGVsZXRlOiBtb2RpZmllcnNuY
 W1lCm1vZGlmaWVyc25hbWU6IGNuPWRpcmVjdG9yeSBtYW5hZ2VyCi0KAA==
changeNumber: 1203982

Decoding it:

$ base64 decode -d ZGVsZXRlOiBvYmplY3RjbGFzcwpvYmplY3RjbGFz\
czogdG9wCm9iamVjdGNsYXNzOiBwZXJzb24KLQpkZWxld\
GU6IGNuCmNuOiB0ZXN0Ci0KZGVsZXRlOiBtb2RpZmllcn\
NuYW1lCm1vZGlmaWVyc25hbWU6IGNuPWRpcmVjdG9yeSBtYW5hZ2VyCi0KAA==
delete: objectclass
objectclass: top
objectclass: person
-
delete: cn
cn: test
-
delete: modifiersname
modifiersname: cn=directory manager

The base64 utility is provided in the UnboundID Directory Server distribution (and in the UnboundID LDAP SDK); GNU coreutils base64 -d decodes the same value. The decoded value is a modify-style LDIF fragment: one delete: block per published attribute, listing the values the entry held when it was deleted. It also ends with a NUL byte (the trailing AA== in the encoded form), which the terminal does not display.
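As an added example, not part of the original post and not code from any Sun or UnboundID tool: a stdlib-only Python parser that reads the changelog entry above, base64-decodes deletedEntryAttrs (handling LDIF :: values and continuation lines), strips the trailing NUL byte, parses the modify-style body into attributes and values, and raises if modifiersName is missing, so that a synchronization or audit consumer notices that deletedEntryAttributes does not publish it rather than silently attributing the delete to nobody. The function names and the SAMPLE_CHANGELOG_ENTRY variable are this example's own; the sample entry it embeds is the one from the post.

```python
"""Parse a Retro Change Log delete entry and recover the deleted attributes.

Added example (not from the original post, Sun DSEE or UnboundID): a
stdlib-only parser for the LDIF changelog entry shown in the post.  Function
and variable names are this example's own.
"""
import base64
from typing import Dict, List, Optional, Tuple

# The changelog entry from the post, embedded verbatim as sample input.
SAMPLE_CHANGELOG_ENTRY = """\
dn: changenumber=1203982,cn=changelog
objectClass: top
objectClass: changelogentry
targetDn: cn=test,dc=example,dc=com
changeTime: 20110512153432Z
changeType: delete
deletedEntryAttrs:: ZGVsZXRlOiBvYmplY3RjbGFzcwpvYmplY3RjbGFzczogdG9wCm9iamVjd
 GNsYXNzOiBwZXJzb24KLQpkZWxldGU6IGNuCmNuOiB0ZXN0Ci0KZGVsZXRlOiBtb2RpZmllcnNuY
 W1lCm1vZGlmaWVyc25hbWU6IGNuPWRpcmVjdG9yeSBtYW5hZ2VyCi0KAA==
changeNumber: 1203982
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_ldif_entry(text: str) -> Dict[str, List[bytes]]:
    """Parse one LDIF entry into {lowercased attribute name: [raw values]}.

    'attr: value' is taken literally; 'attr:: value' is base64-decoded, which is
    how LDIF carries values containing newlines or non-printable bytes.
    """
    entry: Dict[str, List[bytes]] = {}
    for line in unfold_ldif(text):
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):
            raw = base64.b64decode(value[1:].strip())
        else:
            raw = value.strip().encode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(raw)
    return entry


def parse_deleted_entry_attrs(blob: bytes) -> Dict[str, List[str]]:
    """Turn a decoded deletedEntryAttrs value into {attribute: [values]}.

    The decoded value is a modify-style LDIF body: a 'delete: <attr>' line, the
    values the entry held, and a '-' separator per attribute.  The server
    terminates the whole value with a NUL byte, which is stripped first.
    """
    text = blob.rstrip(b"\x00").decode("utf-8")
    attrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line == "-" or not line:
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "delete":
            current = value.lower()
            attrs.setdefault(current, [])
        elif current is not None and name == current:
            attrs[current].append(value)
        else:
            raise ValueError(f"unexpected line in deletedEntryAttrs: {line!r}")
    return attrs


def deleter_of(changelog_entry_text: str) -> Tuple[str, str]:
    """Return (targetDn, modifiersName) for a delete changelog entry.

    modifiersName is only present when the plugin's deletedEntryAttributes
    lists it; fail loudly otherwise so the configuration gap is noticed.
    """
    entry = parse_ldif_entry(changelog_entry_text)
    if entry.get("changetype") != [b"delete"]:
        raise ValueError("not a delete changelog entry")
    deleted = parse_deleted_entry_attrs(entry["deletedentryattrs"][0])
    who = deleted.get("modifiersname")
    if not who:
        raise ValueError("modifiersName not published; add it to deletedEntryAttributes")
    return entry["targetdn"][0].decode("utf-8"), who[0]


if __name__ == "__main__":
    target, who = deleter_of(SAMPLE_CHANGELOG_ENTRY)
    print(f"{target} was deleted by {who}")
```

Running the block on the sample entry reports that cn=test,dc=example,dc=com was deleted by cn=directory manager. Attribute names are lowercased throughout because LDAP attribute names are case-insensitive and the server publishes them in lowercase in the decoded body, while the changelog entry itself uses mixed case.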

About Terry Gardner

Terry Gardner was a leading directory services architect with experience with many large scale directory services installations and messaging server installations, and was a Subject Matter Expert in the field of Directory Services and Solaris (operating system) performance. Mr. Gardner also participated in the open-source software community. Mr. Gardner passed away in December, 2013.
This entry was posted in computing, LDAP.