Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)

Using the Retro Change Log

LDAP clients use the retro change log to ascertain the history of changes made to the Directory Server data. The retro change log is stored under the suffix cn=changelog, in a database separate from the Directory Server change log.

A retro change log can be enabled on a standalone server or on each server in a replication topology. When the retro change log is enabled on a server, by default updates to all suffixes on that server are logged. The retro change log can be configured to log updates to specified suffixes only.

For information about using the retro change log in a replicated topology and about restrictions on using the retro change log, see Replication and the Retro Change Log Plug-In in Oracle Directory Server Enterprise Edition Reference.

For information about the attributes of an entry in the retro change log, see the changeLogEntry(5dsoc) man page.

For more information about modifying the retro change log, see the dsconf(1M) man page.

This section explains various ways that you can use the retro change log.

To Enable the Retro Change Log

To use the retro change log, you must enable it.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Modify the retro change log configuration entry:
    $ dsconf set-server-prop -h host -p port retro-cl-enabled:on
  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

To Configure the Retro Change Log to Record Updates for Specified Suffixes

When the retro change log is enabled on a server, by default it records updates to all suffixes on the server. This procedure describes how to configure the retro change log to record updates to specified suffixes only.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Modify the retro change log configuration entry:
    $ dsconf set-server-prop -h host -p port retro-cl-suffix-dn:suffix-DN

    For example, to log changes only on the cn=Contractors,dc=example,dc=com suffix and the ou=People,dc=example,dc=com suffix, use this command:

    $ dsconf set-server-prop -h host2 -p 1389 \
     retro-cl-suffix-dn:"cn=Contractors,dc=example,dc=com" \
     retro-cl-suffix-dn:"ou=People,dc=example,dc=com"

    To add a suffix to an existing list of specified suffixes, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-suffix-dn+:suffix-DN
  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

To Configure the Retro Change Log to Record Attributes of a Deleted Entry

This procedure describes how to configure the retro change log to record specified attributes of an entry when that entry is deleted.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Specify the attributes that must be recorded:
    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr: \
     attribute1 attribute2

    For example, to set the retro change log to record the UID attributes of deleted entries, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr:uid

    To add an attribute to an existing list of specified attributes, use this command:

    $ dsconf set-server-prop -h host -p port retro-cl-deleted-entry-attr+:attribute
  2. Restart the server.

    For information, see Starting, Stopping, and Restarting a Directory Server Instance.

To Trim the Retro Change Log

The entries in the retro change log can be removed automatically after a specified period of time. To configure the period of time after which entries are deleted automatically, make sure that the retro change log is enabled, then set the nsslapd-changelogmaxage configuration attribute in the cn=Retro Changelog Plugin, cn=plugins, cn=config entry.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Check that the retro change log is enabled.
    $ dsconf get-server-prop -h host -p port retro-cl-enabled
  2. If the retro change log is not enabled, enable it.
    $ dsconf set-server-prop -h host -p port retro-cl-enabled:on
  3. Set the maximum age for changes logged.
    $ dsconf set-server-prop -h host -p port retro-cl-max-age:duration

    where duration can be either undefined (no age limit) or one of the following:

    • s for seconds

    • m for minutes

    • h for hours

    • d for days

    • w for weeks

    For example, to set the retro change log maximum age to two days, type:

    $ dsconf set-server-prop -h host2 -p 1389 retro-cl-max-age:2d

    Entries that exceed this age are trimmed from the change log every 5 minutes.

Access Control and the Retro Change Log

The retro change log supports search operations. It is optimized for searches that include filters of this form:

(&(changeNumber>=X)(changeNumber<=Y))

As a general rule, do not perform add or modify operations on the retro change log entries. You can delete entries to trim the size of the log. The only time that you need to perform a modify operation on the retro change log is to modify the default access control policy.

When the retro change log is created, by default, the following access control rules apply:

To modify the default access control policy that applies to the retro change log, modify the aci attribute of the cn=changelog entry. Refer to Chapter 6, Directory Server Access Control.
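
The following is an added example, not code from the Oracle guide: a Python reader for LDIF returned by a search under cn=changelog that uses the range filter shown above. It reports change numbers that were removed before they were read and flags deletes and changes to sensitive attributes. Assumptions: entries carry changeNumber, targetDN, changeType and changes as described in changeLogEntry(5dsoc), the server allocates change numbers consecutively, and the SENSITIVE list and the sample data are constructed for illustration.

```python
import base64
import re

SENSITIVE = {"aci", "userpassword"}  # assumption: attributes worth an alert
# Constructed sample of LDIF from a search under cn=changelog (not real data).
_mail = base64.b64encode(b"replace: mail\nmail: bjensen@example.com\n-\n").decode()
_aci = base64.b64encode(b"replace: aci\naci: (constructed value)\n-\n").decode()
SAMPLE = f"""dn: changenumber=43,cn=changelog
changeNumber: 43
targetDN: uid=bjensen,ou=People,dc=example,dc=com
changeType: modify
changes:: {_mail}

dn: changenumber=44,cn=changelog
changeNumber: 44
targetDN: ou=People,dc=example,dc=com
changeType: modify
changes:: {_aci}

dn: changenumber=45,cn=changelog
changeNumber: 45
targetDN: uid=tmorris,ou=People,dc=example,dc=com
changeType: delete
"""

def range_filter(first, last):  # the form the log is optimized for
    return f"(&(changeNumber>={first})(changeNumber<={last}))"

def parse_ldif(text):
    """Unfold continuation lines, split entries, decode base64 ('::') values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        pairs = re.findall(r"^([^:#\s]+)(::?) ?(.*)$", block, re.M)
        entries.append({n.lower(): base64.b64decode(v).decode() if s == "::" else v
                        for n, s, v in pairs})
    return [e for e in entries if "changenumber" in e]

def review(entries, last_seen):
    """Return (change numbers never seen, alerts, new checkpoint) for one batch."""
    nums = sorted(int(e["changenumber"]) for e in entries)
    newest = nums[-1] if nums else last_seen
    missing = sorted(set(range(last_seen + 1, newest + 1)) - set(nums))
    alerts = []
    for e in entries:
        names = re.findall(r"^(?:(?:add|replace|delete): *)?([\w;-]+)", e.get("changes", ""), re.M)
        hits = sorted({n for n in names if n.lower() in SENSITIVE})
        if hits or e["changetype"] == "delete":
            alerts.append((int(e["changenumber"]), e["changetype"], e["targetdn"], hits))
    return missing, alerts, newest
```

With a checkpoint of 40, the sample yields missing change numbers 41 and 42: entries that were trimmed or deleted before this reader polled, which is the signal to shorten the polling interval or revisit retro-cl-max-age.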