Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide

Using the Retro Change Log

The retro change log is used by LDAP clients to ascertain the history of changes made to the Directory Server data. The retro change log is stored in a database separate from the Directory Server change log, under the suffix cn=changelog.

A retro change log can be enabled on a standalone server or on each server in a replication topology. When the retro change log is enabled on a server, by default updates to all suffixes on that server are logged. The retro change log can be configured to log updates to specified suffixes only.

For information about using the retro change log in a replicated topology and about restrictions on using the retro change log, see Replication and the Retro Change Log Plug-In in Sun Java System Directory Server Enterprise Edition 6.2 Reference.

For information about the attributes of an entry in the retro change log, see the changeLogEntry(5dsoc) man page.

For more information about modifying the retro change log, see the dsconf(1M) man page.

This section explains various ways that you can use the retro change log.

Procedure: To Enable the Retro Change Log

To use the retro change log, you must enable it.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Modify the retro change log configuration entry:

    $ dsconf set-server-prop -h host -p port retro-cl-enabled:on

  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

Procedure: To Configure the Retro Change Log to Record Updates for Specified Suffixes

When the retro change log is enabled on a server, by default it records updates to all suffixes on the server. This procedure describes how to configure the retro change log to record updates to specified suffixes only.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Modify the retro change log configuration entry:

    $ dsconf set-server-prop -h host -p port retro-cl-suffix-dn:suffix-DN

    For example, to log changes only on the cn=Contractors,dc=example,dc=com suffix and the ou=People,dc=example,dc=com suffix, use this command:

    $ dsconf set-server-prop -h host2 -p 1389 \
     retro-cl-suffix-dn:"cn=Contractors,dc=example,dc=com" \
     retro-cl-suffix-dn:"ou=People,dc=example,dc=com"

    To add a suffix to an existing list of specified suffixes, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-suffix-dn+:suffix-DN

  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

Procedure: To Configure the Retro Change Log to Record Attributes of a Deleted Entry

This procedure describes how to configure the retro change log to record specified attributes of an entry when that entry is deleted.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Specify the attributes that must be recorded:

    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr: \
     attribute1 attribute2

    For example, to set the retro change log to record the uid attribute of deleted entries, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr:uid

    To add an attribute to an existing list of specified attributes, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr+:attribute

  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

Procedure: To Trim the Retro Change Log

The entries in the retro change log can be removed automatically after a specified period of time. To configure the period of time after which entries are deleted automatically, make sure that the retro change log is enabled, then set the nsslapd-changelogmaxage configuration attribute in the cn=Retro Changelog Plugin, cn=plugins, cn=config entry.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Check that the retro change log is enabled.

    $ dsconf get-server-prop -h host -p port retro-cl-enabled

  2. If the retro change log is not enabled, enable it.

    $ dsconf set-server-prop -h host -p port retro-cl-enabled:on

  3. Set the maximum age for changes logged.

    $ dsconf set-server-prop -h host -p port retro-cl-max-age:duration

    where duration is either undefined (no age limit) or a number followed by one of the following units:

    • s for seconds

    • m for minutes

    • h for hours

    • d for days

    • w for weeks

    For example, to set the retro change log maximum age to two days, type:

    $ dsconf set-server-prop -h host2 -p 1389 retro-cl-max-age:2d

    The retro change log will be trimmed at the next operation on the change log.

Access Control and the Retro Change Log

The retro change log supports search operations. It is optimized for searches that include filters of this form:


    (&(changeNumber>=X)(changeNumber<=Y))

As a general rule, do not perform add or modify operations on the retro change log entries. You can delete entries to trim the size of the log. The only time that you need to perform a modify operation on the retro change log is to modify the default access control policy.
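The following Python script is an added example of an LDAP client consuming the retro change log; it is not part of this guide and not Directory Server code. It builds the changeNumber range filter shown above from a saved checkpoint, parses a constructed LDIF export of cn=changelog entries (the attribute names changeNumber, targetDn, changeType, changeTime and changes are those of the standard changeLogEntry object class), attributes each change to one of the suffixes the log was configured for, and flags a hole right after the checkpoint, which is what a consumer sees after retro-cl-max-age trimming (from the trimming procedure above) has removed changes it never read. The sample entries, DNs and timestamps are made up.

```python
"""Consumer for Directory Server retro change log (cn=changelog) entries.

Added example: attribute names follow the standard changeLogEntry object
class; the LDIF sample at the bottom is constructed, not server output.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def range_filter(last_seen: int, batch: int = 500) -> str:
    """Build the changeNumber range filter the retro change log is optimized for,
    covering the `batch` changes that follow checkpoint `last_seen`."""
    if last_seen < 0 or batch < 1:
        raise ValueError("last_seen must be >= 0 and batch >= 1")
    return f"(&(changeNumber>={last_seen + 1})(changeNumber<={last_seen + batch}))"


@dataclass
class ChangeRecord:
    change_number: int
    target_dn: str
    change_type: str
    change_time: str
    changes: str


def _ldif_attr(line: str) -> Tuple[str, str]:
    """Split one unfolded LDIF line into (lowercased attr, value); '::' means base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode()
    return name.strip().lower(), rest.strip()


def parse_changelog_ldif(text: str) -> List[ChangeRecord]:
    """Parse an LDIF export of cn=changelog into records sorted by changeNumber."""
    records: List[ChangeRecord] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded: List[str] = []
        for line in block.splitlines():
            if line.startswith(" ") and unfolded:   # LDIF continuation line
                unfolded[-1] += line[1:]
            elif line and not line.startswith("#"):
                unfolded.append(line)
        attrs: Dict[str, str] = dict(_ldif_attr(ln) for ln in unfolded)
        if "changenumber" not in attrs:             # e.g. the cn=changelog container itself
            continue
        records.append(ChangeRecord(int(attrs["changenumber"]), attrs.get("targetdn", ""),
                                    attrs.get("changetype", "").lower(),
                                    attrs.get("changetime", ""), attrs.get("changes", "")))
    return sorted(records, key=lambda r: r.change_number)


def _under_suffix(dn: str, suffix: str) -> bool:
    """Case-insensitive check that dn is the suffix or lies below it (no full DN normalization)."""
    d, s = dn.lower().replace(", ", ","), suffix.lower().replace(", ", ",")
    return d == s or d.endswith("," + s)


def consume(records: List[ChangeRecord], last_seen: int, suffixes: List[str]):
    """Replay records newer than checkpoint `last_seen` for the given suffixes.

    Returns (new_checkpoint, counts per suffix per change type, deleted DNs, resync_needed).
    changeNumbers are sequential, so if the first change after the checkpoint is not
    last_seen + 1, trimming (retro-cl-max-age) already removed changes this consumer
    never saw and incremental replay is no longer trustworthy. An empty result cannot
    distinguish "nothing happened" from "everything was trimmed".
    """
    fresh = [r for r in records if r.change_number > last_seen]
    resync_needed = bool(fresh) and fresh[0].change_number != last_seen + 1
    counts: Dict[str, Dict[str, int]] = {s: {} for s in suffixes}
    deleted: List[str] = []
    checkpoint = last_seen
    for r in fresh:
        for s in suffixes:
            if _under_suffix(r.target_dn, s):
                counts[s][r.change_type] = counts[s].get(r.change_type, 0) + 1
                if r.change_type == "delete":
                    deleted.append(r.target_dn)
                break
        checkpoint = r.change_number
    return checkpoint, counts, deleted, resync_needed


def _entry(num: int, dn: str, ctype: str, ctime: str, changes: Optional[str] = None) -> str:
    """Render one constructed changeLogEntry in LDIF; 'changes' is base64 since it spans lines."""
    lines = [f"dn: changenumber={num},cn=changelog", "objectClass: top",
             "objectClass: changeLogEntry", f"changeNumber: {num}", f"targetDn: {dn}",
             f"changeType: {ctype}", f"changeTime: {ctime}"]
    if changes is not None:
        lines.append("changes:: " + base64.b64encode(changes.encode()).decode())
    return "\n".join(lines)


# Constructed sample export of cn=changelog (not real server output).
SAMPLE_LDIF = "\n\n".join([
    "dn: cn=changelog\nobjectClass: top\nobjectClass: nsContainer\ncn: changelog",
    _entry(41, "uid=jdoe,ou=People,dc=example,dc=com", "modify", "20071210093000Z",
           "replace: userPassword\nuserPassword: {SSHA}REDACTED\n-\n"),
    _entry(42, "cn=alice,cn=Contractors,dc=example,dc=com", "delete", "20071210093500Z"),
    _entry(43, "uid=bob,ou=People,dc=example,dc=com", "add", "20071210094000Z",
           "objectClass: inetOrgPerson\nuid: bob\ncn: Bob\nsn: Example\n"),
])

if __name__ == "__main__":
    watched = ["ou=People,dc=example,dc=com", "cn=Contractors,dc=example,dc=com"]
    print(range_filter(40))
    print(consume(parse_changelog_ldif(SAMPLE_LDIF), 40, watched))
```

A real consumer would issue the filter from range_filter against cn=changelog with an LDAP library, persist the returned checkpoint, and treat resync_needed as a signal to re-read the watched suffixes in full rather than continue replaying; since changes can record password or other sensitive attribute values, the changelog itself deserves the same access control scrutiny as the data it describes.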

When the retro change log is created, by default, the following access control rules apply:

To modify the default access control policy that applies to the retro change log, modify the aci attribute of the cn=changelog entry. Refer to Chapter 6, Directory Server Access Control.