The retro change log is used by LDAP clients to ascertain the history of changes made to the Directory Server data. The retro change log is stored in a database separate from the Directory Server change log, under the suffix cn=changelog.
A retro change log can be enabled on a standalone server or on each server in a replication topology. When the retro change log is enabled on a server, by default updates to all suffixes on that server are logged. The retro change log can be configured to log updates to specified suffixes only.
For information about using the retro change log in a replicated topology and about restrictions on using the retro change log, see Replication and the Retro Change Log Plug-In in Sun Java System Directory Server Enterprise Edition 6.2 Reference.
For information about the attributes of an entry in the retro change log, see the changeLogEntry(5dsoc) man page.
For more information about modifying the retro change log, see the dsconf(1M) man page.
This section explains various ways that you can use the retro change log.
To use the retro change log, you must enable it.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Modify the retro change log configuration entry:
$ dsconf set-server-prop -h host -p port retro-cl-enabled:on
Restart the server.
For information, see Starting, Stopping, and Restarting a Directory Server Instance.
When the retro change log is enabled on a server, by default it records updates to all suffixes on the server. This procedure describes how to configure the retro change log to record updates to specified suffixes only.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Modify the retro change log configuration entry:
$ dsconf set-server-prop -h host -p port retro-cl-suffix-dn:suffix-DN
For example, to log changes only on the cn=Contractors,dc=example,dc=com suffix and the ou=People,dc=example,dc=com suffix, use this command:
$ dsconf set-server-prop -h host2 -p 1389 \
  retro-cl-suffix-dn:"cn=Contractors,dc=example,dc=com" \
  retro-cl-suffix-dn:"ou=People,dc=example,dc=com"
To add a suffix to an existing list of specified suffixes, use this command:
$ dsconf set-server-prop -h host -p port retro-cl-suffix-dn+:suffix-DN
Restart the server.
For information, see Starting, Stopping, and Restarting a Directory Server Instance.
This procedure describes how to configure the retro change log to record specified attributes of an entry when that entry is deleted.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Specify the attributes that must be recorded:
$ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr: \
  attribute1 attribute2
For example, to set the retro change log to record the UID attributes of deleted entries, use this command:
$ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr:uid
To add an attribute to an existing list of specified attributes, use this command:
$ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr+:attribute
Restart the server.
For information, see Starting, Stopping, and Restarting a Directory Server Instance.
The entries in the retro change log can be removed automatically after a specified period of time. To configure the period of time after which entries are deleted automatically, make sure that the retro change log is enabled, then set the nsslapd-changelogmaxage configuration attribute in the cn=Retro Changelog Plugin, cn=plugins, cn=config entry.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Check that the retro change log is enabled.
$ dsconf get-server-prop -h host -p port retro-cl-enabled
If the retro change log is not enabled, enable it.
$ dsconf set-server-prop -h host -p port retro-cl-enabled:on
Set the maximum age for changes logged.
$ dsconf set-server-prop -h host -p port retro-cl-max-age:duration
where duration is either undefined (no age limit) or a number followed by one of the following unit suffixes:
s for seconds
m for minutes
h for hours
d for days
w for weeks
For example, to set the retro change log maximum age to two days, type:
$ dsconf set-server-prop -h host2 -p 1389 retro-cl-max-age:2d
The retro change log will be trimmed at the next operation on the change log.
The retro change log supports search operations. It is optimized for searches that include filters of this form:
(&(changeNumber>=X)(changeNumber<=Y))
As a general rule, do not perform add or modify operations on the retro change log entries. You can delete entries to trim the size of the log. The only time that you need to perform a modify operation on the retro change log is to modify the default access control policy.
When the retro change log is created, by default, the following access control rules apply:
Read, search, and compare rights are granted to all authenticated users (userdn=anyone, not to be confused with anonymous access where userdn=all) to the retro change log top entry cn=changelog.
Write and delete access are not granted, except implicitly to the Directory Manager.
Do not grant read access to anonymous users because the retro change log entries can contain modifications to sensitive information such as passwords. You may want to further restrict access to the retro change log contents if authenticated users should not be allowed to view its contents.
To modify the default access control policy that applies to the retro change log, modify the aci attribute of the cn=changelog entry. Refer to Chapter 6, Directory Server Access Control.
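The two points above that matter to a consumer of cn=changelog are the changeNumber range filter the log is optimized for and the fact that entries can carry password modifications. The following added example (not from the Directory Server documentation or product) shows a small polling client that builds the next range filter from a saved cursor, parses the LDIF that ldapsearch would return, redacts userPassword values from the changes payload before the records leave the client, and flags a gap after the cursor, which is what a consumer sees when entries it has not yet read were already trimmed by retro-cl-max-age. The sample entries, the cursor convention and the redaction list are constructed assumptions; the attribute names follow changeLogEntry(5dsoc).

```python
import base64
# Constructed sample of two cn=changelog entries in ldapsearch LDIF form, with the
# attribute names from changeLogEntry(5dsoc); not captured from a real server.
MOD_CHANGES = "replace: userPassword\nuserPassword: secret123\n-\n"
SAMPLE_LDIF = f"""dn: changenumber=5,cn=changelog
changeNumber: 5
targetDn: uid=jdoe,ou=People,dc=example,dc=com
changeType: modify
changes:: {base64.b64encode(MOD_CHANGES.encode()).decode()}

dn: changenumber=6,cn=changelog
changeNumber: 6
targetDn: uid=asmith,ou=People,dc=example,dc=com
changeType: delete
"""

def range_filter(last_seen, batch_size):
    # Next batch, in the filter form the retro change log is optimized for.
    return f"(&(changeNumber>={last_seen + 1})(changeNumber<={last_seen + batch_size}))"

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            if attr.endswith(":"):  # 'attr:: base64' form
                attr, value = attr[:-1], base64.b64decode(value).decode()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def redact_changes(changes, sensitive=("userpassword",)):
    """Blank the values of sensitive attributes inside the LDIF 'changes' payload."""
    def scrub(line):
        attr, sep, _ = line.partition(":")
        return f"{attr}: <redacted>" if sep and attr.lower() in sensitive else line
    return "\n".join(scrub(line) for line in changes.splitlines())

def consume(ldif_text, last_seen):
    """(records after cursor, new cursor, gap); gap=True: numbers right after the
    cursor are gone, e.g. trimmed by retro-cl-max-age, so a full resync is needed."""
    records = []
    for e in parse_ldif(ldif_text):
        if (num := int(e["changenumber"][0])) > last_seen:
            records.append({"changeNumber": num, "targetDn": e["targetdn"][0],
                            "changeType": e["changetype"][0],
                            "changes": redact_changes(e.get("changes", [""])[0])})
    records.sort(key=lambda r: r["changeNumber"])
    gap = bool(records) and records[0]["changeNumber"] != last_seen + 1
    return records, (records[-1]["changeNumber"] if records else last_seen), gap
```

In a real deployment the bind used for this search should be a dedicated account granted only read, search and compare on cn=changelog, per the default policy described above, and the persisted cursor is what makes the gap check meaningful across restarts.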