4.2. Tracking Entry Modifications through Operational Attributes
Using the default settings, Directory Server tracks the following operational attributes for every entry:
creatorsName: The distinguished name (DN) of the user who initially created the entry.createTimestamp: The times stamp in Greenwich Mean Time (GMT) format when the entry was created.modifiersName: The distinguished name of the user who last modified the entry.modifyTimestamp: The time stamp in the GMT format for when the entry was last modified.
Note that operational attributes are not returned in default searches. You must explicitly request these attributes in queries. For details, see Section 14.4.7, “Searching for Operational Attributes”.
Important
Red Hat recommends not disabling tracking these operational attributes. If disabled, entries do not get a unique ID assigned in the
nsUniqueID attribute and replication does not work.
4.2.1. Entries Modified or Created by a Database Link
When an entry is created or modified over a database link, the
creatorsName and modifiersName attributes contain the name of the user who is granted proxy authorization rights on the remote server. In this case, the attributes do not display the original creator or latest modifier of the entry. However, the access logs show both the proxy user (dn) and the original user (authzid). For example:
[23/May/2018:18:13:56.145747965 +051800] conn=1175 op=0 BIND dn="cn=proxy admin,ou=People,dc=example,dc=com" method=128 version=3 [23/May/2018:18:13:56.575439751 +051800] conn=1175 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=proxy admin,ou=people,dc=example,dc=com" [23/May/2018:18:13:56.744359706 +051800] conn=1175 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL authzid="uid=user_name,ou=People,dc=example,dc=com"
4.2.2. Enabling Tracking of Modifications
By default, Directory Server tracks modifications in operational attributes.
Note
Red Hat recommends not disabling this feature.
This section describes how to re-enable tracking of modifications in case that you disabled the feature.
4.2.2.1. Enabling Tracking Of Modifications Using the Command Line
To re-enable tracking of entry modifications using the command line:
- Set the
nsslapd-lastmodparameter toon:# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-lastmod=on
- Optionally, to regenerate the missing
nsUniqueIDattributes:- Export the database into an LDAP Data Interchange Format (LDIF) file. See Section 6.2.1, “Exporting Data into an LDIF File Using the Command Line”.
- Import the database from the LDIF file. See Section 6.1.2, “Importing Using the Command Line”.
