The encrypted password is recorded in the Retro-Changelog database. The Retro-Changelog plug-in can be configured to remove entries from the Retro-Changelog database periodically. The correct setting of the database trimming depends on the target environment. Too frequent trimming may not allow room for small network outages, or other service disruptions and the LDAP resource adapter may miss certain changes. On the other hand, allowing the database to grow too large may increase the security risk associated with having encrypted passwords in the database.
Note that the plug-in does not pick up hashed passwords.
Access to the contents of the Retro Changelog Database suffix (cn=changelog) should be limited. Therefore, allow read access to the LDAP resource adapter only.