15.21. Using the Retro Changelog Plug-in
The Retro Changelog plug-in configures Directory Server to maintain a changelog that is compatible with the changelog implemented in Directory Server 4.x.
Note
Only enable the Retro Changelog plug-in if you need to maintain a changelog for directory clients that depend on a Directory Server 4.x-style changelog.
To use the Retro Changelog plug-in, the Directory Server instance must be configured as a single-supplier replica.
When the Directory Server is configured to maintain a retro changelog, this changelog is stored in a separate database under a special suffix,
cn=changelog
.
The retro changelog consists of a single level of entries. Each entry in the changelog has the object class
changeLogEntry
. For a list of possible attributes in a changelog entry, see the Changelog Attributes section in the Red Hat Directory Server Configuration, Command, and File Reference.
15.21.1. Enabling the Retro Changelog Plug-in
This section describes how to enable the Retro Changelog plug-in.
Warning
Do not enable replication on the retro changelog backend. Enabling replication on the retro changelog may result in:
- Generating an excessive amount of replication traffic, half of which is duplicated updates.
- Creating errors with the delete operations related to retro changelog trimming.
- Very poor replication performance and no convergence of updates on suppliers.
15.21.1.1. Enabling the Retro Changelog Plug-in Using the Command Line
To enable the Retro Changelog plug-in using the command line:
- Use the
dsconf
utility to enable the plug-in:# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin retro-changelog enable
- Restart the instance:
# dsctl instance_name restart
15.21.1.2. Enabling the Retro Changelog Plug-in Using the Web Console
To enable the Retro Changelog plug-in using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Select themenu.
- Select the Retro Changelog plug-in in the list on the left.
- Change the status to
On
. - Click.
- Restart the instance. See Section 1.5.2, “Starting and Stopping a Directory Server Instance Using the Web Console”.
15.21.2. Trimming the Retro Changelog
The size of the retro changelog is automatically reduced if you lower the maximum age of records set in the
nsslapd-changelogmaxage
parameter and the next trim interval, set in nsslapd-changelog-trim-interval
, is executed.
For example, to set maximum age of records in the retro changelog to two days:
# dsconf -D "cn=Directory Manager" ldap://server.example.com plugin retro-changelog set --max-age="2d"
15.21.3. Searching and Modifying the Retro Changelog
The changelog supports search operations and is optimized for searches that include filters of the form
(&(changeNumber>=X)(changeNumber<=Y))
.
As a general rule, do not perform add or modify operations on the retro changelog entries, although entries can be deleted to trim the size of the changelog. Only modify the retro changelog entry to modify the default access control policy.
15.21.4. Retro Changelog and the Access Control Policy
When Directory Server creates the retro changelog, no Access Control Instructions (ACIs) are created, and only the Directory Manager has access control rules applied (read, search, compare, write, and delete).
To change the default access control policy which applies to the retro changelog, modify the
aci
attribute of the cn=changelog
entry. For example, if you want to grant read, search, and compare permissions to all authorized users, add the following ACI to the cn=changelog
:
dn: cn=changelog
aci: (targetattr="changeNumber || objectClass")(targetfilter="(objectClass=changelogentry)")
(version 3.0; acl "Enable authenticated users to read the retro changelog"; allow (read, search, compare)
(userdn="ldap:///all");)
Warning
When modifying
aci
attribute, do not grant read permissions to anonymous users (userdn=anyone
) because the changelog entries can contain sensitive information, such as passwords. You must allow only authenticated applications and users (userdn=all
) to access this information.